So we have a suite of B2B products, hosted on p1.com, p2.com, p3.com, with an OAuth2 provider on a1.com. a1.com isn't very "well known", and it won't be, because we run it privately for auth and user management for our own products only. There are no subdomains anywhere, only individual domains.
Does this break our setup? And how do we tell users to un-break it? And is there a way to tell Mozilla via directives that we have a private list of sites we'd like to share a1.com cookies in?
User clicks log in at p1.com, they get forwarded to a1.com which checks their (now first-party) cookies, then once they're logged in they get forwarded back to p1.com with a token in a URL parameter.
Ah, right, thanks. So this is a problem only if we have in-page widgets from a1.com that load on p1.com and hope to find the currently logged in user there. Makes sense, that's basically what an ad is.
This weakens security. Now auth tokens can be logged or actively intercepted on corporate networks with TLS MITM and these URLs will eventually find their way into emails and other unencrypted locations. Not exactly progress.
The behaviour with third party cookies blocked is how OAuth2 works by design.
Even without third party cookie blocking, if you're at p1.com and you click to log in with a1.com but you're not logged into a1.com yet, you get forwarded to a1.com to sign in.
So with third party cookies blocked, it's no less secure than it was before.
Safari solves this by sending third-party cookies only if the user visited the originating domain within 24 hours.
Not sure how Firefox handles this but I guess it would be easy to detect a redirect from a1.com to p1.com and recognize this as a use-case where a third-party cookie from p1.com should be sent for a request originating from a1.com.
That said it's probably more privacy-friendly to append an access token as a hash parameter to the URL when redirecting and extract it via JS, which will not be affected by cookie limitations.
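One way to handle the fragment-based redirect the comment above suggests, as an added example that is not code from the thread: it assumes a1.com sends the browser back to p1.com with `access_token` and `state` in the URL fragment, and that p1.com stored its `state` value in `sessionStorage` before redirecting to a1.com.

```javascript
// Added example (not from the thread). The fragment is never sent to the
// server, so unlike a query parameter the token does not end up in server,
// proxy or access logs. Names p1.com / a1.com come from the thread; the
// parameter names and the sessionStorage key are assumptions.

function parseFragment(url) {
  // Everything after '#' is the fragment; parse it like a query string.
  const hash = new URL(url).hash;
  return new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
}

function extractToken(url, expectedState) {
  const params = parseFragment(url);
  const token = params.get('access_token');
  const state = params.get('state');
  // Accept the token only if the response carries the state value this
  // browser generated before leaving for a1.com: this binds the token to
  // the session that started the login and rejects tokens injected via a
  // crafted link.
  if (!token || !state || state !== expectedState) {
    return null;
  }
  return token;
}

function stripFragment(url) {
  // URL to put back with history.replaceState so the token does not linger
  // in browser history or get copied out of the address bar.
  const u = new URL(url);
  u.hash = '';
  return u.toString();
}

// Browser usage (skipped when run under Node).
if (typeof window !== 'undefined') {
  const expected = sessionStorage.getItem('oauth_state'); // assumed key
  const token = extractToken(window.location.href, expected);
  if (token !== null) {
    window.history.replaceState(null, '', stripFragment(window.location.href));
    // Keep the token in memory only; do not write it to localStorage.
  }
}
```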