The W3C Federated Identity Working Group will develop living standard specifications defining an API that allows websites to request a federated identity credential or assertion with the purpose of authenticating a user and/or requesting a set of claims in a compatible way OIDC or SAML.
| Charter Status | See the group status page and detailed change history (TBA) |
| Start date | [dd monthname yyyy](date of the "Call for Participation", when the charter is approved) |
| End date | [dd monthname yyyy] (Start date + 2 years) |
| Chairs | [chair name](affiliation), [chair name](affiliation) |
| Team Contacts | [team contact name] (0.1 FTE) |
| Meeting Schedule | Teleconferences: We expect to meet every 1-2 weeks for longer-than-hour blocks, which might be spread over several days Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 3 per year. |
The Working Group will specify new web platform features intended to be implemented in browsers or similar user agents. The purpose of these features is to support authentication and authorization flows without compromising security principles for Identity Providers (IdPs), Relying Parties (RPs), and User Agents as well as user privacy. Here "privacy" minimally refers to the appropriate processing of personal information. The result of this work is the development of new mechanisms that define how information is passed by the browser between the RP, the IdP, and authentication intermediaries to facilitate federated authentication; these mechanisms are not an authentication method.
If any of the mechanisms developed to support authentication and authorization flows look like they will result in breaking changes for existing protocols, work on that mechanism must include a well-documented transition period.
The identity space is much larger than federated authentication. While there are several topics related to identity that may be of interest, they are out of scope for our work.
Specific topics out of scope:
-
New authentication methods
-
Design and discussion regarding individual credential and assertion formats
-
Ad-tech tools or APIs
-
Interactions with identity wallets
Updated document status is available on the group publication status page.
Draft state indicates the state of the deliverable at the time of the charter approval.
The Working Group intends to publish the latest state of their work as Candidate Recommendation Snapshot and does not intend to advance their documents further in this charter period.
The Working Group will deliver the following W3C normative specifications:
- Federated Credential Management API
- Login Status API
- Web platform tests
Other non-normative documents may be created such as:
- Use case and requirement documents;
- Implementation reports for the specification;
- Primer or Best Practice documents to support web developers when designing applications.
- Charter +1 month: First teleconference
The Working Group will bring one or more Review Drafts from W3C Candidate Recommendation to Proposed Recommendation.
In order to advance Review Drafts to Candidate Recommendation (CR), each feature is expected to be marked with its implementation status. The CR will indicate that all features with fewer than two implementations are at-risk.
The Proposed Recommendation (PR) and Recommendation (REC) endorsement of WHATWG Review Drafts will indicate that all features which do not have at least two independent implementations are considered informative, not normative, for W3C purposes.
In order to advance to Proposed Recommendation, each extension specification is expected to have at least two independent implementations of every feature defined in the specification.
Each specification is encouraged to contain or point to considerations detailing all known security and privacy implications for implementers, Web authors, and end users.
Each specification is encouraged to contain or point to information describing accessibility implications for implementers, Web authors, and end users; and point to guidance on how specification features can be used to maximize accessibility in implementations.
For all specifications, this Working Group will progress its normative specifications through the following standardization process: First Public Working Draft, Working Draft, Candidate Recommendation Snapshot, and Candidate Recommendation Draft.
The WG does not intend to publish specifications as Proposed Recommendations.
The WG will coordinate with the Federated Identity Community Group (FedIDCG) to solicit feedback from a wider community of interest.
Additional technical coordination with the following Groups will be made, per the W3C Process Document.
Federated Identity Community Group
This Working Group will work closely with FedIDCG. The expectation is that FedIDCG will incubate proposals which it then hands off to this Working Group for standardization. Most proposals in this Working Group should start in FedIDCG.
This Working Group will coordinate with PING on the development of principles that will guide the development of privacy-preserving capabilities while still supporting federated authentication and authorization flows.
Web Application Security Working Group (WebAppSec)
WebAppSec is both a potential venue for standardization of security-related capabilities and a source of expertise on web privacy.
The Privacy Community Group is developing privacy-focused features. This working group is expected to regularly coordinate with the Privacy CG to ensure that the work of the two groups is not in conflict.
Technical Architecture Group (TAG)
The TAG develops general design principles that will guide the work of this Working Group. The TAG might provide input and guidance on specific aspects of the work.
Web Authentication (WebAuthn) Working Group
While we are not developing an authentication mechanism, it still must work in conjunction with existing authentication mechanisms. The WebAuthn Working Group may provide input and guidance for this requirement.
Accessible Platform Architectures (APA) WG
The APA WG seeks to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short term memory are known and thorny topics for people with disabilities. APA WG can represent these issues that have been raised in the Cognitive Accessibility (COGA) TF, and Accessibility Guidelines (AG) WG.
A number of IETF working groups are likely venues for standardization of protocol components that authentication and authorization features depend on and research groups are investigating issues that will feed into the designs this group will consider.
The OpenID Foundation (OIDF) is a likely venue for standardization of components that certain authorization flows depend on (i.e., OIDC specs).
OASIS is a likely venue for standardization of components that certain authorization flows depend on (i.e., SAML specs).
REFEDS is a likely venue for multi-lateral federation best practices and a representative of the complex use cases of the research and education communities around the world.
To be successful, this Working Group should have participation from large-scale Identity Provider (IdP) operators, large-scale Relying Parties (RPs), federation operators, and browser vendors. In addition, there must be active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.
The Working Group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.
The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Ethics and Professional Conduct.
Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, as participation is limited to Working Group members.
Information about this Working Group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Federated Identity Working Group Home Page.
Most Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.
At the discretion of the Chairs and subject to a consensus call, the Working Group may designate a Design Team to study a particular subject, and report back to the Working Group their findings and a recommendation. These Design Teams shall consist of a small group of volunteers who commit to investing significant amounts of time on the task over a short, time-bound, period.
This Working Group primarily conducts its technical work in the Web Identity Credential Working Group GitHub repository, which is configured to send all issues and pull requests to the public mailing list: public-[email-list]@w3.org (archive). The public is invited to review, discuss and contribute to this work.
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
This Working Group will seek to make decisions through consensus and the documented decision making process of the W3C Process Document (Section 5, Decisions). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the Working Group and other reviewers, and consensus emerges with little formal voting being required.
After discussion in a GitHub issue and other informal discussion, substantive change proposals should be submitted as GitHub pull requests. These can come from the editors or from WG members. Editors are responsible for "curating" the pull requests to reject frivolous ones and substantive ones that the Chairs have determined do not comply with the IPR policies.
Chairs are responsible for determining whether or not there is WG consensus for the changes contained in a pull request. Unanimity is not required, but the Chairs should strive to make consensus decisions where there is significant support and few abstentions.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a Working Group vote and record a decision along with any formal objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via GitHub issue or web-based survey), with a response period from one week to 10 working days, depending on the Chair's evaluation of the consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.
All decisions made by the Working Group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs or the Director.
This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.
This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the licensing information.
This Working Group will use the W3C Software and Document license for all its deliverables.
This Working Group operates under the W3C antitrust policy.
This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):
Charter Period Start Date End Date Changes
[Initial Charter] [dd monthname yyyy] [dd monthname yyyy] n/a
[TBD]