[Webkit-unassigned] [Bug 189580] New: Intelligent Tracking Prevention 2 for Single sign-on
bugzilla-daemon at webkit.org
Thu Sep 13 03:28:36 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=189580
Bug ID: 189580
Summary: Intelligent Tracking Prevention 2 for Single sign-on
Product: WebKit
Version: Safari Technology Preview
Hardware: Macintosh
OS: macOS 10.13
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: me at andrepolischuk.com
I work on an identity provider that gives single sign-on to some products/services. We provide for our users:
- an API that products/services use
- sign-in and some other forms that are embedded in an iframe or work by redirect
- a JS library to request current user data from our API
Some products/services use our forms; others create their own forms that interact with our API by cross-origin requests with credentials. In any case, our TLD is different from the products'/services' domains, and our domain keeps the session cookies.
Now each user signs in once with our iframe form or with the product's/service's own form. After this, products/services use our JS library to get user info on their domains (the library makes CORS requests to the API without opening any iframe).
ITP doesn't allow cross-origin requests to the API with the session cookie and breaks our single sign-on. We can introduce requesting the Storage Access API in iframe forms, but this doesn't allow products/services to make cross-origin requests to our API with credentials.
Do I understand correctly that my case is impossible with ITP? And what can we do about it?
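
The iframe-side Storage Access API request mentioned in the report, sketched as an added example that is not part of the original bug report or of WebKit's code. It runs inside the identity provider's iframe, where the grant applies to that embedded document, and hands the result to the embedding page with an exact target origin. `ALLOWED_PARENTS`, `API_URL`, the message shape and both function names are assumptions made for illustration.

```javascript
// Added example. Constructed placeholders, not values from the report:
const ALLOWED_PARENTS = new Set(["https://shop.example"]); // registered relying parties
const API_URL = "https://idp.example/api/me";              // hypothetical IdP endpoint

// Returns true when the iframe's document may send its own cookies.
// `doc` is the iframe's document. When access has not been granted yet,
// this must run inside a user gesture handler (click/tap) in the iframe.
async function ensureStorageAccess(doc) {
  // Assumption: a browser without the API does not gate cookies this way.
  if (typeof doc.requestStorageAccess !== "function") return true;
  if (await doc.hasStorageAccess()) return true;
  try {
    await doc.requestStorageAccess(); // rejects when the user or browser denies
    return true;
  } catch (_) {
    return false;
  }
}

// Fetches the current user from inside the iframe and reports to the parent.
// `parentOrigin` is the origin the request came from (e.g. event.origin of
// the parent's message); it is checked against the allowlist and reused as
// the postMessage target so session data never goes to an unknown embedder.
async function reportUserToParent(doc, fetchImpl, parentWindow, parentOrigin) {
  if (!ALLOWED_PARENTS.has(parentOrigin)) return "origin-rejected";

  const send = (payload) =>
    parentWindow.postMessage({ type: "sso", ...payload }, parentOrigin);

  if (!(await ensureStorageAccess(doc))) {
    send({ status: "no-access" });
    return "no-access";
  }
  const res = await fetchImpl(API_URL, { credentials: "include" });
  if (!res.ok) {
    send({ status: "signed-out" });
    return "signed-out";
  }
  send({ status: "ok", user: await res.json() });
  return "ok";
}
```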