#884: TAG review request for the IDP signin status API
Discussions
Comment by @cbiesinger Aug 23, 2023 (See Github)
I should have mentioned in the initial request:
We (Chrome) think that this proposal in combination with measuring user metrics is sufficient to address the timing attack. We are tracking per-RP and per-IDP metrics to detect abusive IDPs; combined with this proposal (which shows a dialog when a credentialed requested was made) solves the silent timing attack problem and makes the "loud" timing attack impractical.
We understand that other browsers have different privacy tradeoffs and have (tried to) write the spec such that they can gate FedCM requests on user interaction before credentialed requests are sent.
Discussed
Sep 4, 2023 (See Github)
Amy: I looked at this - seems probably fine - they've identified a problem and made an effort to solve it.
Amy: my other thought with FedCM is that a lot of it is early - and we're spending time on small feature reviews...
Dan: if it's being put forward as a more privacy preserving alternative for federated sign-in and enjoys some level of multi stakeholder support , any way we could accelerate it through .. if we can add energy into that it's positive. One of the things people want to replace the use of 3p cookies for is federated ID - it would be nice if we can say they can use fedcm. In Chrome status it says firefox under consideration, and going to origin trial.. For this feature they have an indication of positive or non-negative feelings from mozilla but link to a github thread.. not to any standards positions. We could ask about that.
Dan: can't find a moz standards pos.
Peter: a little confused - it looks like the problem they are trying to solve is IDPs silently tracking users - solution is IDP telling browser - wouldn't it be a problem if the IDP is malicious?
Amy: Isn't it a malicious RP not malicious IDP?
Peter: in their pdf they say the problem is the "tracker" gets a credentialled request that allows them to track the user at the RP.. makes it sound like the "tracker" is the IDP. You're visiting an RP and they want to expose some UI that says go sign in with google or whoever and they don't want to show that if you're not logged into google. So the browser can make a request to google to check if you're logged in.. which lets google know you're visiting the RP. Stopping the RP from calling the IDP if the IDP says you're not logged in. In an example they show the "tracker" is an IDP
Dan: wnat to clarify the problem they're trying to solve, and how to mitigate against a malicious IDP
peter: IDP has to opt in to giving a mechanism it can't use to track you. I don't see why an IDP that wants to track you can't just opt out.
Amy: the fedcm people have made a PR to the login status API that is currently under review. Lots of multistakeholder discussion
Dan: login api doesn't look very active, lots of open issues. We haven't reviewed it. Would be useful to know more...
<blockquote> Hi @cbiesinge: a few questions came up in our discussion today on this one:-
Our understanding is that this is designed to prevent an IDP from tracking users. However, the mechanism provided allows the IDP to optionally signal the signed in status of the user to the UA. Couldn't an IDP that wants to track users simply not send the signed-out signal and thus still get the silent requests?
-
Regarding multi-stakeholder support, we see from ChromeStatus that Firefox is listed as "under consideration" - however I don't actually see a Mozilla standards position on this - is there one? Is there a webkit standards position?
-
What is the general status of FedCM from an implementation stand-point? What is the multi-stakeholder story with FedCM right now and when do we expect to achieve "critical mass" for FedCM? This is especially relevant to the discussion on deprecation of third party cookies, as federated sign-in is often cited as a use case supported by third party cookies.
-
Small addition question - you've reference a PR against is-logged-in in your explainer - however the is-logged-in API itself seems to not be very active – and we haven't been asked to review it. Can you shed some light on the status of this API?
Comment by @torgo Sep 4, 2023 (See Github)
Hi @cbiesinger : a few questions came up in our discussion today on this one:
-
Our understanding is that this is designed to prevent an IDP from tracking users. However, the mechanism provided allows the IDP to optionally signal the signed in status of the user to the UA. Couldn't an IDP that wants to track users simply not send the signed-out signal and thus still get the silent requests?
-
Regarding multi-stakeholder support, we see from ChromeStatus that Firefox is listed as "under consideration" - however I don't actually see a Mozilla standards position on this - is there one? Is there a webkit standards position?
-
What is the general status of FedCM from an implementation stand-point? What is the multi-stakeholder story with FedCM right now and when do we expect to achieve "critical mass" for FedCM? This is especially relevant to the discussion on deprecation of third party cookies, as federated sign-in is often cited as a use case supported by third party cookies.
-
Small addition question - you've reference a PR against is-logged-in in your explainer - however the is-logged-in API itself seems to not be very active – and we haven't been asked to review it. Can you shed some light on the status of this API?
Comment by @cbiesinger Sep 7, 2023 (See Github)
-
Yes, an IDP could decide not to send the signed-out signal, however this would not give them silent requests, the browser would show a "mismatch" dialog. See the "If the sign-in state was “signed in" bullet point in https://github.com/fedidcg/FedCM/blob/main/proposals/idp-sign-in-status-api.md#effect-on-fedcm-requests. We think this dialog will encourage IDPs to send the signed-out signal, but again, even if they do not this is not silent and it's also a onetime thing (we set the status to signed-out in this situation)
-
I just filed https://github.com/WebKit/standards-positions/issues/250. We had informal conversations with Mozilla and they seem supportive; they prefer commenting on PRs instead of standards positions for changes to FedCM. We want to continue these conversations at TPAC.
-
Firefox is prototyping FedCM, current work behind a pref (
dom.security.credentialmanagement.identity.enabled). Safari is “generally supportive”. Brave also seems supportive towards a “more promising future”. -
We are hoping to make some progress on this during TPAC and had discussions in the Privacy CG; we are in the somewhat unfortunate position that we are trying to not ship something that is similar to but incompatible with is-logged-in, but at the same time is-logged-in is not ready. Hence, we are trying to specify something that is likely compatible with that API, should it end up shipping.
Comment by @cbiesinger Sep 21, 2023 (See Github)
FYI we're making some minor naming changes in https://github.com/fedidcg/FedCM/pull/505/files
Discussed
Dec 18, 2023 (See Github)
Ready to progress. We need to look at their responses.
Discussed
Feb 19, 2024 (See Github)
Amy: they replied to Dan's questions...
Peter: it's been renamed to LoginStatus API and there's an open issue on privacy cg.. there's a pr about merging ipd sign in status to the api...
Amy: looks like they made some progress at tpac, but don't say what it is
Peter: inclination is to ask them for current status, exlpainer is 404 and things seem to be in flux. The privacy cg has an explainer in it now...
Amy: last update was 3 years ago that can't be it
Peter: Looks like is-logged-in is supposed to play with fedcm but doesnt' depend on it..
Amy: [leaves comment]
Comment by @rhiaro Feb 19, 2024 (See Github)
Hi there, we were just getting back to this, and we've lost track of the explainer as the current link is a 404. Are we right in thinking the name of the feature has changed to Login Status API? We can see a few linked issues and PRs, but none of them are clearly an explainer for this feature, as well as this explainer in the privacy cg for a feature with the same name, although I don't think this is recent. Can you clarify what we should be looking at at this point? Thanks.
Comment by @cbiesinger Feb 21, 2024 (See Github)
Sorry about that, you can use https://github.com/fedidcg/FedCM/blob/83f30cccb3b48e66f2760030906e2853b124d9c8/proposals/idp-sign-in-status-api.md
We were aiming at producing an API that can also satisfy the goals of the privacycg proposal; however, our proposal is more mature (Chrome is now shipping it). See also https://github.com/privacycg/is-logged-in/issues/53#issuecomment-1747670589 and https://github.com/fedidcg/login-status which more directly integrates the privacycg proposal and other extensions.
Discussed
Mar 11, 2024 (See Github)
[Peter:] Amy and I looked at this and think we can close as satisfied, but wanted Dan's feedback since he posted a number of questions.
Discussed
Mar 11, 2024 (See Github)
Amy: it's shipping, and they did change the name
Peter: sounds like it's moving in the direction of letting the browser manage all of this. Let's the IDPs tell the browser whether they're logged in or not. Doing it with a header ... would only apply during a direct interaction with the idp? They are putting this in a separate object which isn't in a namesapce, ties into DP conversation last week...
Amy: we could give them guideance if we have an opinion...
Peter: I'd prefer the extra namespacing... but they're only adding one method, which is an argument for putting it on the navigator. I could see this api expanding in future. NO way to query this logged in state. Which is good. My main concern is tying it into the privacy cg is logged in api. Can we just combine all of these things?
Amy: sounds like it has overtaken/superseded that API?
Peter: happy to close this? Can check with Dan
Amy: yep
Discussed
Mar 18, 2024 (See Github)
Peter: We pinged Dan (as previously discussed); he's OK with us closing this.
<blockquote>Hi @cbiesinger, we discussed this on our call today; we're happy with the direction the work is going, so we're closing this review. Thanks for flying TAG.
</blockquote> Comment by @plinss Mar 18, 2024 (See Github)
Hi @cbiesinger, we discussed this on our call today; we're happy with the direction the work is going, so we're closing this review. Thanks for flying TAG.
OpenedAug 15, 2023
Draft: TAG review request for the IDP SignIn status API
こんにちは TAG-さん!
I'm requesting a TAG review of the IDP SignIn status API (addition to the Federated Credential Management API).
This API provides a way to prevent RPs from silently making cross-site credentialed requests to IdPs using the FedCM API while minimizing user annoyance for users who are not logged in to the requested IDP. We call this problem the timing attack problem. In this proposal under review, specifically, when the user agent was not notified that the user is signed in to the IDP, no network request is made and so no UI has to be shown. Otherwise, whenever a credentialed request is made, UI is shown. This discourages use of the API for tracking. (Note, for Chrome’s implementation we allow a once-per-IDP potentially-silent request for bootstrapping purposes)
Further details:
You should also know that...
https://github.com/fedidcg/FedCM/blob/main/meetings/2022/FedCM_%20Options%20for%20the%20Timing%20Attack%20Problem%202022-08-31.pdf contains a lot of background reading
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback