WebID should help IdPs and RPs handle multiple identities #46
Comments
Yep, I think this is aligned with how we have been thinking about the mediated flows.
This is super poorly written and maintained and we need to do a better job at exposing this, but this is the best public explanation that we have about that mechanism right now: https://github.com/samuelgoto/WebID/blob/master/mediation_oriented_api.md
It has been years since this was filed, but I think this is a duplicate of a more recent issue to allow multiple IdPs to co-exist in the account chooser UI here. I'm going to close as a duplicate, but feel free to reopen if you feel that issue https://github.com/fedidcg/FedCM/issues/319 isn't representative of this one and there is something else actionable you'd like to see taken into account.
Isn't this issue about one IdP having multiple identities? w3c-fedid/multi-idp#2 seems to me about multiple IdPs?
Ah, yes, I think you are right, re-opening it. Thanks!
I think this is already supported, isn't it? Anything else you think we need to act on?
I think so, yes. So it can be closed. :-) I just wanted to make sure we all agree what this issue is about.
For me, I think not in the scope of this issue, but I made #527 for the point I still have.
Ah, ok, so re-closing it then :) @timcappalli feel free to re-open if you still feel like there is something better that we could be doing!
SGTM, will follow up there!
Immediate concern
In the Mediation API, there’s a "magic moment" where the browser knows which identity should be used for the sign in. Expanding the detail there to explain how the browser knows that identity helps us understand the implications there and what role and information the IdP plays in helping with that discovery.
Room for improvement
With the expanded detail above, it gives a jumping off point to discuss handling multiple identities that an IdP may have in session at the same time. Browsers could offer an account selector for IdPs, potentially replacing some of the IdP sign in functionality that relies on 3p cookies today (issue #34). Partitioning identities by session, such that there is only 0 or 1 identity for a given IdP in session, is not desirable as multi-account scenarios do exist (usually in the form of IdPs serving both consumer and enterprise users, example: offering a merged calendar or task view).
Suggested addition
On top of the active session discovery suggestion, support the ability to pass multiple identities from an IdP to the application in a single sign-in flow. This presents an improvement over the single-user limitations of OIDC, and paves the road towards more fragmented, user-owned identity stories.
Related issues: #13