This

https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

really means that “modern” SPAs based on a combination of OIDC and OAuth
will not work anymore

Both

* silent-renew for access token management
* OIDC JS session notifications

will not work anymore. Or don’t work anymore already today - e.g. in Brave.

This means SPAs would need to be forced to do refresh tokens - and there is
no solution right now for session notifications.

Maybe the browser apps BCP / OAuth 2.1 should strictly advise against the
“browser apps without a back-end” scenario and promote the BFF style
architecture instead.

Cheers
———
Dominick Baier
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
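As an added illustration of the BFF style the mail recommends (example code, not from the mail or any project it mentions): the token-handling core of a backend-for-frontend. The browser only holds a first-party, HttpOnly session cookie for the app's own backend; access and refresh tokens stay server-side, so renewal uses the refresh_token grant server-to-server and never depends on a hidden iframe or an OP cookie being sent third-party. The cookie name, session store shape, tokens and the `refresh` callback are constructed for the example.

```javascript
// Constructed name for the BFF's own first-party session cookie.
const SESSION_COOKIE = "bff_sid";

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) out[k] = v.join("=");
  }
  return out;
}

// Set-Cookie value for the session cookie: HttpOnly so SPA scripts can never
// read it, Secure + SameSite so it travels only first-party to the BFF itself.
function sessionSetCookie(sid) {
  return `${SESSION_COOKIE}=${sid}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Turn a browser request into the upstream API request the BFF makes on the
// user's behalf. Tokens never leave the server; when the cached access token
// has expired, `refresh(refreshToken)` (caller-supplied, constructed here) performs
// the refresh_token grant against the OP and returns
// { accessToken, refreshToken, expiresAt } or null on failure.
function buildUpstreamRequest(req, store, refresh, now = Date.now()) {
  const sid = parseCookies(req.headers.cookie)[SESSION_COOKIE];
  const session = sid && store.get(sid);
  if (!session) return { status: 401, error: "no_session" };

  if (session.expiresAt <= now) {
    const fresh = refresh(session.refreshToken); // server-to-server, no browser cookies involved
    if (!fresh) {
      store.delete(sid); // refresh rejected: drop the session, user must sign in again
      return { status: 401, error: "refresh_failed" };
    }
    Object.assign(session, fresh); // rotated refresh token replaces the old one
  }

  return {
    status: 200,
    upstream: {
      url: req.url,
      headers: { authorization: `Bearer ${session.accessToken}` },
    },
  };
}
```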
