The UA should not implicitly link different RPs and should rather rely upon user consent for each origin #315
Comments
|
This spec cannot control how origins within the same domain share cookies. The spec allows idtoken from the IDP origin to the RP origin, but it is up to the RP to choose whether the sign in state of the user should be stored in a cookie locked to that single origin or a cookie shared with origins within the same domain. |
|
Couldn't the approved_clients list in section 5.2 be defined as required and become a list of origins that have registered for a particular account? This could be done during the |
Also, just realized there may have been a bit of miscommunication. This isn't concerned with origins of the same domain, it's origins with different domains. E.g. The practical example I'm thinking of here is that |
This seems like something the user agent can do in their UI if they choose to do so (i.e. instead of listing all accounts, only listing the ones that are returning and more clearly separate the list of new accounts). What do you think? |
Yeah that makes sense and my interpretation was that's the intended route of the spec today by making this attribute optional. Is that correct? The only additional requirement I hand in mind would be that this becomes a required attribute that the RP registers during the initial call so that the browser can enforce the boundary at the origin rather than allowing this to be potentially collapsed like it does in the Speaking of which, I still haven't figured out how that's occurring but it is cross-browser so it must be something behind the scenes that YT as an RP was able to coordinate with the Google IDP since they are one of the few cases that can be coordinated in this way. This definitely isn't a common case (if it was I'd guess FB would have taken a similar route and not many consumer companies are also IDPs - enterprise/EDU is a different story), but it's something that I don't necessarily want to see encouraged by the spec without explicit user consent being involved at least. |
We currently show all accounts together in our UI, although I would argue that this is not ideal and having some indication about which account(s) have been used before is better.
I don't follow the concern here. I will note that we already do our checks at the origin level. So for example RP1 getting sign in permission from IDP will not imply anything about RP2 in our API, even if RP1 and RP2 are same domain. That said, RP1 could create domain level cookies.
Can you elaborate on what you are seeing? |
The primary concern here is cross domain login being allowed. A secondary concern is cross subdomain tracking. The reason this concerns me is for two reasons: A.) The users login credentials (primarily username) can be used as an identifier for cross domain tracking which goes against the default value I'd like to see. I think the Google/YT example exemplifies the trouble I'm encountering here and am hoping would be blocked by this spec. Here's a video to show what I mean. signin.cross.domain.mp4See how there's cross domain login flows right now? This is confirmed in both Brave (chromium based) and Safari. I'd like to see this not be allowed. |
|
This is same party federation vs third party federation. One goal of same party federation is single sign on. Why shouldn't this be allowed? Should you have to sign in explicitly to both Google Sheets and Google Slides when interacting with Google Drive? |
|
I'm not sure what FedCM could do to prevent that anyway? Once we give the token to the RP, there's nothing stopping them from setting domain cookies. I'm not 100% sure how YouTube does it but it probably (?) involves a redirect through *.google.com. |
|
To recap, FedCM is already using per-origin controls in its state machine, but it seems that there are ways to obtain cross-domain cookies (probably via redirects) which are being used by YouTube to sync user login journeys. This is not really actionable on this spec, can this one be closed? |
I'm pretty sure that would cause a conflict with the per-origin controls being defined because the subdomain produces a different origin so this would make it cross-origin. As @cbiesinger pointed out this is extensible to achieve those types of flows.
Wouldn't that make it a different RP with a different client_id since it's going across the origin boundaries set in the state machine? Or is it acceptable for many different origins to register as the same RP? That seems like it would be bypassing some token validation steps since the IDP is issuing the token to a specific client_id. |
I agree that it's not fully actionable by this spec as the RP/IDP can subvert them (sometimes for valid reasons such as better UX. I definitely think this is extremely convienent), but I still think it's a good thing to discuss as to where we want the boundaries to lie here. Primarily because I think it will lead to some editorial clarifications as to the way some things are being defined and also some security and privacy considerations potentially to talk more about cross domain tracking and other such considerations like re-use of the client_id. |
I think this is true (through subdomain cookie sharing and top-level redirects) and worth establishing: this isn't actionable by the FedCM spec.
This seems like a worthy discussion, but one that I think should happen at a different layer (as you suggested, not actionable by the FedCM spec specifically). Specifically, one of the places that I think would be most constructive to have this discussion is Privacy Principles Definition of "partition" which, as noted, there is not a shared / interoperable definition of across user agents. I think the stance that FedCM can take is to allow each user agent to define the "privacy boundary" (e.g. for example with regards to First Party Sets) and to be an API that allows identity to cross that boundary with a user's consent. So, may I suggest that we close this issue and follow on this discussion in this spec instead? |
I'm not against SSO, I'm just trying to make it clear that as it currently stands today the origin is where the boundary has been set and is where it will generally lie unless the user opts in to a FPS. So for example, if a user wishes to sign in once for an set of first party origins they can opt in to, but it shouldn't be implicitly handled by the UA without their knowledge in my opinion.
In my opinion the safer answer here is yes. This is because as is stated in 2.1.1.1 of the privacy principles
Below that it states the following:
So, if the UA is unable to determine the site boundaries (Google Sheets is a wholly separate service from gmail for example), and can't infer the users wishes of whether they intend to change identities, shouldn't it be required to prompt the user for their wishes to determine whether they want to share across boundaries whether that be cross origin or same-site? This to me seems to be the safer option that's more aligned with the privacy principles today even though it goes against the current state of the art.
Yes, and are these the types of behaviors we want to discourage without consent correct since it may go against the users wishes? That's the direction I'm hoping to land towards with this issue. So this is why I put forward this possible solution. #315 (comment) This seems to tread the balance between we want to discourage this by requiring RPs to explicitly retrieve credentials themselves via the APIs defined here rather than by passing credentials around either server side or via the domain level cookies. Assuming the refresh tokens need to be retrieved via this API as well then this would make it so the secondary RPs wouldn't be able to retrieve refresh tokens as well since it would require them redirecting back to the original RP who requested the credentials in order to refresh the token and re-store it in the top level domain which would be far more complicated then the second RP just requesting it's own credentials or the first RP requesting authorization for the secondary origins such that the UA can know they now share the same account and any one of the approved_clients could then request an updated credential. I recognize that this isn't a perfect solution, however I'm trying to create patterns that are aligned with what some users may expect to behave more like an antipattern in order to discourage their usage while also creating a legitimate patterns that utilize user consent to offer a legitimate solution to the problem still. That seems actionable to me. WDYT? |
Today, one of the more annoying things that can occur is that default accounts that are signed into on one origin can get re-used as the same default account at a separate origin. For example, I maintain multiple accounts, which the first one I sign into is the one I default to. This default is then set and shared across different origins such as rpBrand1.example, rpBrand2.example, and subdomain.rpBrand3.example. While for many users this may be incredible convenient for them (especially people with a single account) it can also be an inconvenience and a privacy concern where the user is being automatically linked on an origin even if they don't intend to login to one of the origins.
For example, one of my accounts is managed under an enterprise policy which doesn't allow for me to take certain actions on a service offered, but if I use my secondary, non-default account I do have access to that service which I use. In this case, because the RPs are being linked and shared across origins it presents issues where my browser is being automatically configured in a way that I cannot change and I'm left to consistently account switch depending on the service I'm trying to access.
Instead, this spec should limit cross-origin linkage such that the user has to explicitly set the accounts and re-login to each origin so that they maintain maximum control over which accounts are being shared with which RPs.
The text was updated successfully, but these errors were encountered: