#718: FedCM (was WebID)
Discussions
Comment by @samuelgoto Mar 29, 2022 (See Github)
(small update: just added the link to the answers to the privacy questionnaire that was initially missing)
Discussed
Apr 1, 2022 (See Github)
Peter: browser mediated take on SAML... trying to fix the things that will break when we lose third party cookies... It smells like an early review. They have a manifest - browser calls an identity provider for basic information like branding. They should add light and dark color modes and follow some of the examples of the webapp manifest. Concern: they have an accounts endpoint which could be abused... Not sure how to get around. The browser can hit an IDP and ask "does this user have an account on this service" - not sure how they identify this. A nonce? They say many places they haven't worked out the details... Needs to be designed so crawlers can't just scrape all your accounts. Renamed evolutiuon of WebID...
Dan: todo: link to WebID discussion with Sam Goto...
Dan: I felt quite positive about the initial WebID propsoal.
Peter: overall the direction is good the approach is good.. reusing as much as you can... you won't have to rewrite everything if you're building an IDP... We need more data.
Peter: SAML and OIDC require public key crypto ... don't see anything here doing that. They do also have section on privacy.. will look at that more and leave some feedback.
Comment by @hadleybeeman Apr 13, 2022 (See Github)
Linking to our previous review of webID
Discussed
Jun 1, 2022 (See Github)
Amy: see the cg report. A list of existing auth scenarios - only a few small parts actually break in absence of 3p cookies. Someone who knows more about js apis than I do should review the explainer.
Peter: in OIDC or SAML the IDP signs the response so the RP knows to trust the IDP. I don't see anything about signatures, does it implicitly trust the UA
Amy: Not sure, seems so?
Peter: Hard to believe they would have just ignored that. ID token itself is maybe a JWT? Kind of vague.
Amy: Has there been much discussion in privacycg?
Tess: we've had a couple of joint meetings. Specific topics. PrivacyCG doesn't do privacy reviews, so nothing to point at. Eg. we met on the relationship between fedCM and the login status api. At least one other, generally about when 3p cookies go away.
Peter: ability to scrape accounts api? But looks like you have to have a cookie to access that, so signed in once with the IDP before you can get back the accounts.
Amy: not clear there's anything to stop IDP tracking you across sites, they need to know what you're logging into
Peter: yep, more of a feature, for session management
Peter: is it possible to spoof the logout endpoint and log people out of sites? You should be able to go to the IDP and say log me out of everywhere - that's a feature. But not for other people.
Tess: out of scope for this is logging into the IDP itself right? Reasonable to assume the IDP would gate that button.
Peter: can I go to RPs and say by the way Tess logged out? More of a DOS attack than a leakage. Apparently an API call from the UA to the RPs. Not sure what that handshake looks like. Other than that generally looks fine to me. Minor things in the fedcm.json, they have colours and branding - dark mode support?
Amy: intent to trial on chrome status..
Peter: where does it go from here?
Peter: already an issue about light mode vs dark mode
Amy: could ask about feedback from their origin trial? and from devs?
Peter: token is a JWT, just not clear in the spec.
Amy: seems to always require name and picture... not all sites will want that. What's the bare minimum to identify an account?
Tess: username probably
Comment by @plinss Jun 27, 2022 (See Github)
Where is this work intended to go after the CG?
Comment by @rhiaro Jun 27, 2022 (See Github)
The explainer seems to imply that a name and picture are always required as part of the login flow. Is this actually the case or have I misunderstood? I'm sure not all IDPs or RPs are going to want/require names and pictures, and some IDPs may provide different ways of distinguishing between accounts (eg. a colour profile, or description?).
In general we are really interested to hear any feedback you have from developers and users following your origin trial.
Comment by @samuelgoto Jun 30, 2022 (See Github)
Where is this work intended to go after the CG?
We don't feel strongly about where this will go, but a reasonable starting point is somewhere like the WebAppSec where more Credential Management APIs are discussed.
But, we don't feel strongly and are open to other venues if the group finds more appropriate ones.
Comment by @samuelgoto Jun 30, 2022 (See Github)
The explainer seems to imply that a name and picture are always required as part of the login flow. Is this actually the case or have I misunderstood? I'm sure not all IDPs or RPs are going to want/require names and pictures, and some IDPs may provide different ways of distinguishing between accounts (eg. a colour profile, or description?).
Yes, this is a known issue that we'd like to move away from. But you are right in reading that this is where the spec/explainer is at the moment, and we agree that it an undesirable shortcoming, in that it is not expressive enough yet. We think where the spec is starting at is a reasonable baseline, and we agree that it needs to be more expressive going forward to capture the nuance of different requirements.
One idea is to allow the relying party specify what it needs from the IDP (one idea is to re-use the query structure developed by OIDC here).
Here is an example of what that API could look like:
await navigator.credentials.get({
federated: {
claims: {
name: {essential: true}, // required
email: null, // optional
emailVerified: null, // optional
picture: {essential: true}, // required
},
providers: [{
url: "https://idp.example",
clientId: "123"
}]
}
});
Which could lead to a UX that allows a browser to ask more specific questions to the user. Example:
WDYT?
Comment by @samuelgoto Jun 30, 2022 (See Github)
In general we are really interested to hear any feedback you have from developers and users following your origin trial.
We are trying to compile what we have learned from a quantitative perspective and will report back as soon as we have that ready.
In the meantime, qualitatively, we have compiled some of the most popular feature requests* (from github issues) and ways that developers are seeing how the api COULD evolve here. Note that this is largely a collection of feature requests that we got from developers, rather than a committed direction.
Does that help?
*(including the one you mentioned above, which we are calling "selective disclosure")
Discussed
Jul 1, 2022 (See Github)
Hadley: Amy are you happy with sam's response ?
Amy: yes - although "web identity API" is not my favourite naming... could be "web identification API"... identity is a controversial word.. invites potential scope creep or general confusion or upset..
Hadley: I think it would be useful to tell them that.
Amy: I'll leave a comment to say "thanks looks good" and leave that comment.
Hadley: name and picture always involved? Sam says it's an undersirable shortcoming. If we're going to sign off on the review can we say something like that?
Amy: At this stage of early review - just that they know it's an issue is good enough.
discussion on venue
Peter: It would be nice if a working group had this on their radar...
Amy: have they liaised with web app sec? I will leave a comment and set it to proposed close.
plenary
Discussed
Jul 1, 2022 (See Github)
Dan: do we think this is going in the right direction?
Rossen: check of directionality.
Tess: I'm fine with it as long as it's understood that it's an early review and there's no enormous red flags.
Rossen: Not a license to ship.
Rossen: maybe mark as preliminary OK label?
Dan: could we ask them to file subsequent reviews when they get further?
Rossen: all the API I assume they will bring back to us when they are more solid.
Dan: propose: "Thanks for the opportunity to review this work. We largely think it's going in the right direction. this is not a full endorsement of the current API or architecture as specified in the CG report. As this is a big piece of work with multiple moving pieces, we'd like to suggest you come back to us to request indivdual reviews of these components once they reach an appropriate stage of maturity / consensus."?
agreement to close with the above comment
Comment by @rhiaro Jul 12, 2022 (See Github)
Thanks @samuelgoto! That's very helpful. We're happy with the problem this is setting out to solve, and the general direction, and in particular the alignment with patterns from related well-used mechanisms like OIDC. It is reassuring to see your acknowledgement of known issues, and note that our positive review of this work is based on the assumption they will be addressed as the work progresses.
reasonable starting point is somewhere like the WebAppSec where more Credential Management APIs are discussed
Do you have anyone from the WebAppSec WG in the FedID CG? Generally we advise connecting with a WG as early as possible to make sure they're aware of the direction of the work and have an opportunity to input, to make it more likely to be confidently adopted when you are ready to take the work on the REC track.
One final note - I saw in the document you linked to that you have made or may be considering a name change to "Web Identity API"? As I'm sure you're aware, "Identity" is a very ambiguous and loaded term! This might cause misunderstandings or concern about the scope of the work down the line, so we would strongly encourage you to consider "Web Identification API" instead (although sticking with FedCM is also fine).
Comment by @torgo Jul 18, 2022 (See Github)
Hi @samuelgoto! Thanks for the opportunity to review this work. We largely think it's going in the right direction. this is not a full endorsement of the current API or architecture as specified in the CG report. As this is a big piece of work with multiple moving pieces, we'd like to suggest you come back to us to request indivdual reviews of these components once they reach an appropriate stage of maturity / consensus.
Comment by @samuelgoto Aug 13, 2022 (See Github)
(just coming back from vacations now, so apologies for the delay in responding)
That's very helpful. We're happy with the problem this is setting out to solve, and the general direction, and in particular the alignment with patterns from related well-used mechanisms like OIDC. It is reassuring to see your acknowledgement of known issues, and note that our positive review of this work is based on the assumption they will be addressed as the work progresses.
That's great to hear, thanks for the time put into reviewing this and providing thoughtful feedback!
Do you have anyone from the WebAppSec WG in the FedID CG? Generally we advise connecting with a WG as early as possible to make sure they're aware of the direction of the work and have an opportunity to input, to make it more likely to be confidently adopted when you are ready to take the work on the REC track.
We've been working with @mikewest since early stages of the API design. We are starting to actively work with @hlflanagan (FedID CG chair) and other browser vendors to figure out whether/where/when/which to move this to a WG, and we are generally excited about that possibility indeed.
One final note - I saw in the document you linked to that you have made or may be considering a name change to "Web Identity API"? As I'm sure you're aware, "Identity" is a very ambiguous and loaded term! This might cause misunderstandings or concern about the scope of the work down the line, so we would strongly encourage you to consider "Web Identification API" instead (although sticking with FedCM is also fine).
Yeah, I personally like "Web Identification API" too (largely because it pairs well with "Web Authentication API" as a complement, as opposed to as an alternative), but as you can imagine, naming is hard (we opened suggestions up for voting in this github issue and most people didn't quite like "Web Identification API"). We haven't settled on a formulation yet (sticking with FedCM is challenging because we are not extending the existing FederatedCredential object anymore, but rather creating a new one.), but I hear where you are coming from. "Web Identity API" remains my least-worse choice at the moment, but we are actively working towards finding a better framing/naming.
Hi @samuelgoto! Thanks for the opportunity to review this work. We largely think it's going in the right direction. this is not a full endorsement of the current API or architecture as specified in the CG report. As this is a big piece of work with multiple moving pieces, we'd like to suggest you come back to us to request indivdual reviews of these components once they reach an appropriate stage of maturity / consensus.
That's great to hear @torgo and @rhiaro and @hadleybeeman (thanks for the early quick review)!! We really appreciate the thought and time you spent into given us advice and recommendations and I hope you feel like we incorporated most of them!
OpenedMar 10, 2022
Braw mornin' TAG!
I'm requesting a TAG review of FedCM (was WebID).
A Web Platform API that allows users to login to websites with their federated accounts in a privacy preserving manner.
Further details:
You should also know that...
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback