Login Status API #250

Open
cbiesinger opened this issue Sep 5, 2023 · 4 comments
Labels
topic: authentication Spec relates to authentication, e.g. passwords, passkeys, OAuth venue: Federated Identity CG

Comments

cbiesinger commented Sep 5, 2023

WebKittens

@johnwilander

Title of the spec

Login Status API

URL to the spec

https://fedidcg.github.io/FedCM/#browser-api-login-status

URL to the spec's repository

https://github.com/fedidcg/FedCM

Issue Tracker URL

No response

Explainer URL

fedidcg/FedCM#436

TAG Design Review URL

w3ctag/design-reviews#884

Mozilla standards-positions issue URL

No response

WebKit Bugzilla URL

No response

Radar URL

No response

Description

This is an extension to the FedCM API.

This API provides a way to prevent RPs from silently making cross-site credentialed requests to IdPs using the FedCM API while minimizing user annoyance for users who are not logged in to the requested IDP. We call this problem the timing attack problem. In this proposal under review, specifically, when the user agent was not notified that the user is signed in to the IDP, no network request is made and so no UI has to be shown. Otherwise, whenever a credentialed request is made, UI is shown. This discourages use of the API for tracking. (Note, for Chrome’s implementation we allow a once-per-IDP potentially-silent request for bootstrapping purposes)
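The gating rule described in the issue body above, as an added JavaScript model; it is not code from the issue, the FedCM spec, or any browser. The class, method and state names, the `allowBootstrap` option, and the state transitions after a bootstrap request are assumptions of this sketch.

```javascript
// Added illustration: a model of the user agent's per-IdP login-status gate.
// State names, method names and return shape are assumptions of this sketch.
const UNKNOWN = "unknown", LOGGED_IN = "logged-in", LOGGED_OUT = "logged-out";

class LoginStatusGate {
  // allowBootstrap models the once-per-IdP potentially-silent request that
  // the description attributes to Chrome's implementation.
  constructor({ allowBootstrap = false } = {}) {
    this.allowBootstrap = allowBootstrap;
    this.status = new Map(); // IdP origin -> login status
  }

  // The IdP tells the user agent that the user signed in or out.
  notify(idp, signedIn) {
    this.status.set(idp, signedIn ? LOGGED_IN : LOGGED_OUT);
  }

  // An RP asks for a credential from `idp`. `fetchAccounts` stands in for the
  // credentialed cross-site request and returns how many accounts came back.
  request(idp, fetchAccounts) {
    const before = this.status.get(idp) ?? UNKNOWN;
    if (before === LOGGED_OUT || (before === UNKNOWN && !this.allowBootstrap)) {
      return { networkRequest: false, uiShown: false };
    }
    const accounts = fetchAccounts(idp);
    if (before === UNKNOWN) {
      // Bootstrap request: silent if nothing comes back, and never repeated
      // because the status is no longer unknown afterwards (assumption).
      this.status.set(idp, accounts > 0 ? LOGGED_IN : LOGGED_OUT);
      return { networkRequest: true, uiShown: accounts > 0 };
    }
    // Notified as signed in: a credentialed request always comes with UI.
    return { networkRequest: true, uiShown: true };
  }
}

// Count requests that reached the IdP without the user seeing any UI.
function countSilentRequests(gate, idp, attempts, fetchAccounts) {
  let silent = 0;
  for (let i = 0; i < attempts; i++) {
    const r = gate.request(idp, fetchAccounts);
    if (r.networkRequest && !r.uiShown) silent++;
  }
  return silent;
}
```

Under this model, repeated requests from an RP reach an IdP silently at most once per IdP, and only when the bootstrap allowance is enabled.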

@johnwilander

Ping @othermaciej, @pascoej, @rmondello, @g-davidson, and @annevk.

@marcoscaceres
Contributor

Closing in favor of #309 as we have never given a position on the actual FedCM spec.

@cbiesinger
Author

It may be worth keeping this one open separately because it is my understanding that WebKit wants to support the login status API aka IDP signin status API independently of FedCM?

marcoscaceres changed the title from "FedCM: IDP signin status API" to "Login Status API" on Feb 7, 2024

@marcoscaceres
Contributor

I don't know about supporting it, but I've updated the title to be more specific about the Login Status API and now pointing to what's in the FedCM draft.

marcoscaceres reopened this on Feb 7, 2024