Philippe De Ryck

Hi, I'm Philippe, and I help developers protect companies through better web security. As the founder of Pragmatic Web Security, I travel the world to teach practitioners the ins and outs of building secure software.


Running iframe-based flows in the OAuth 2.0 Flow Simulator

Traditionally, OAuth 2.0 applications rely on iframes to silently obtain tokens in the background while the application remains running in the foreground. With the ongoing efforts to block third-party cookies, these flows become increasingly unreliable. Use the new version of the Flow Simulator to visualize the effects of third-party cookie blocking in Brave and Safari.

24 November 2020 | Category: OAuth 2.0 & OpenID Connect | Tags: OAuth 2.0, OIDC, Online Courses, Flow Simulator

The new version of the Flow Simulator supports demo scenarios and assignments for the Mastering OAuth 2.0 and OpenID Connect course. This article gives a short walkthrough on how to use the Flow Simulator to see the effects of third-party cookie blocking in the Brave browser.

Setting the scene

The effect of third-party cookie blocking only becomes visible when the browser already has an existing session with the Security Token Service (STS). To ensure that this is indeed the case, first run a full Authorization Code flow, where the Flow Simulator exchanges an authorization code for the requested tokens. If that works as expected, we are ready to inspect an iframe-based flow.

Running a top-level flow ensures that the browser has a session with the STS

Running an iframe-based flow

Version 0.3.0 of the Flow Simulator supports running a flow in an iframe and listening for the result with the Web Messaging API. Set up a new flow, and make sure you enable the toggle to run the flow in a frame. For now, leave the user interaction parameter (prompt) unset.

Enable running the flow in a frame, but do not configure the user interaction parameter

With that configuration, initialize the flow and move to the second step. As you can see, the second step is stuck waiting for a response. If you click the button to display the frame, you will probably see an error page from the STS. That’s because we did not instruct the STS to avoid any user interaction in this flow.

The STS displays an error page stating that there is no active session

Running a silent flow in an iframe

Let’s do it right this time. Start a new flow with the same settings and configure the user interaction parameter with the value none. This instructs the STS to return a result or error message without displaying any pages.

Enable running of a silent flow in a frame

As you can see below, the second step of the flow returns an error message, stating that there was no active session. That’s because this example is from the Brave browser, which blocks third-party cookies. To verify that, you can run a new top-level flow without using an iframe, which will carry cookies and reuse your existing session.

Brave blocks third-party cookies, which results in an error
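The mechanics behind the screenshots above, as an added example that is not the Flow Simulator's own code: building a prompt=none authorization request, loading it in a hidden frame, and interpreting the result delivered through the Web Messaging API. The STS endpoint, client id, redirect URI, state value and sample responses are placeholders constructed for this example, and it assumes the redirect page loaded inside the frame posts its own location to the parent window.

```javascript
// Added example (not the Flow Simulator's code); all endpoints and values are placeholders.
// prompt=none tells the STS to answer without rendering a page: a code if a session exists, an error otherwise.
function buildSilentAuthUrl(endpoint, { clientId, redirectUri, scope, state }) {
  const url = new URL(endpoint);
  const params = { response_type: 'code', client_id: clientId, redirect_uri: redirectUri,
                   scope, state, prompt: 'none' };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Interpret the message posted by the redirect page loaded inside the frame.
// Assumption: that page posts its own location.href to window.parent, so the
// message origin to check is the client's origin, not the STS's.
function handleAuthMessage(message, { expectedOrigin, expectedState }) {
  if (message.origin !== expectedOrigin) return { status: 'ignored', reason: 'unexpected origin' };
  const params = new URL(message.data).searchParams;
  if (params.get('state') !== expectedState) return { status: 'ignored', reason: 'state mismatch' };
  if (params.has('error')) {
    // With third-party cookies blocked, the STS sees no session and reports an error here.
    return { status: 'error', error: params.get('error'), description: params.get('error_description') || '' };
  }
  if (params.has('code')) return { status: 'code', code: params.get('code') };
  return { status: 'ignored', reason: 'no code or error in response' };
}

// Browser-only: run the request in a hidden frame and report the first message that is ours.
function runSilentFlow(authUrl, options, onResult) {
  const frame = document.createElement('iframe');
  frame.style.display = 'none';
  const listener = (event) => {
    const result = handleAuthMessage(event, options);
    if (result.status === 'ignored') return;   // unrelated message: keep waiting
    window.removeEventListener('message', listener);
    frame.remove();
    onResult(result);
  };
  window.addEventListener('message', listener);
  frame.src = authUrl;
  document.body.appendChild(frame);
}

// Constructed sample messages mirroring the two screenshots: cookies blocked (Brave) vs allowed (Chrome).
const OPTIONS = { expectedOrigin: 'https://app.example', expectedState: 'st-123' };
const blockedResult = handleAuthMessage({ origin: 'https://app.example',
  data: 'https://app.example/callback?error=login_required&error_description=No+active+session&state=st-123' }, OPTIONS);
const allowedResult = handleAuthMessage({ origin: 'https://app.example',
  data: 'https://app.example/callback?code=constructed-code-1&state=st-123' }, OPTIONS);
```

The "stuck waiting" state shown earlier (prompt left unset) is exactly the case in which no message ever arrives, so a real implementation wraps runSilentFlow in a timeout and treats expiry as a failed silent renewal.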

For comparison, the screenshot below illustrates the result of the same scenario executed in Google Chrome. As you can see here, the silent flow in the iframe works as intended because Chrome does not block third-party cookies (yet).

Chrome allows third-party cookies, which results in an authorization code being received

Summary

The new version of the Flow Simulator supports running flows in an iframe. This tool is perfect for demonstrating the consequences of third-party cookie blocking on silent OAuth 2.0 flows.

To learn more about OAuth 2.0 and OpenID Connect, check out the Mastering OAuth 2.0 and OpenID Connect course.
