Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FedCM Auto Re-authentication API #813

Closed
1 task done
yi-gu opened this issue Feb 3, 2023 · 6 comments
Closed
1 task done

FedCM Auto Re-authentication API #813

yi-gu opened this issue Feb 3, 2023 · 6 comments
Assignees
Labels
Resolution: withdrawn The requester has withdrawn the proposal Review type: CG early review An early review of general direction from a Community Group Topic: identity & credentials Venue: Federated ID CG

Comments

@yi-gu
Copy link

yi-gu commented Feb 3, 2023

Wotcher TAG!

I'm requesting a TAG review of FedCM Auto Re-authentication API .

An extension to the existing FedCM API that provides a streamlined UX when users return to websites. The API requires that the user has already granted permission for the RelyingParty (RP) and Identity Provider (IdP) communication in the browser through a previous FedCM call.

  • Explainer¹ (minimally containing user needs and example code): [url]
  • Security and Privacy self-review²: [url]
  • GitHub repo (if you prefer feedback filed there): [url]
  • Primary contacts (and their relationship to the specification):
  • Organization/project driving the design: [Google Chrome / FedCM]
  • External status/issue trackers for this feature (publicly visible, e.g. Chrome Status):

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): FedID CG
  • The group where standardization of this work is intended to be done ("unknown" if not known): unknown
  • Existing major pieces of multi-stakeholder review or discussion of this design: N/A
  • Major unresolved issues with or opposition to this design: N/A
  • This work is being funded by: Google Chrome

You should also know that the initial FedCM TAG review is #718. We're requesting a review specifically on the addition: auto re-authentication.

We'd prefer the TAG provide feedback as (please delete all but the desired option):
💬 leave review feedback as a comment in this issue and @-notify @yi-gu

@hadleybeeman
Copy link
Member

hadleybeeman commented Feb 20, 2023

Hi @yi-gu. Thanks for opening this review. If you'd like our feedback, could you please draft us a quick explainer to cover how you'd like this to work and why you've chosen that approach above the other approaches you've considered?

If it helps, our explainer template and explainer explainer are posted.

We look forward to hearing more from you.

@plinss plinss added the Progress: pending editor update TAG is waiting for a spec/explainer update label Mar 5, 2023
@samuelgoto
Copy link

Hey @hadleybeeman thanks for reviewing this! I replied to @torgo over email, but figured it would be useful to give context here more publicly in case we run into this again.

Hi @yi-gu. Thanks for opening this review. If you'd like our feedback, could you please draft us a quick explainer to cover how you'd like this to work and why you've chosen that approach above the other approaches you've considered?
If it helps, our explainer template and explainer explainer are posted.

We did originally have proposals to extend FedCM in the form of explainers that follow the template (you can still see some of them here), but we got feedback from Mozilla that it would help their reviews if these were filed as github Issues as opposed to standalone markdown files: making comments in github issues is a much lower hurdle to pay to engage than it is to kick off new github issues or submit pull requests.

file issues followed by proposals followed by spec PRs, as opposed to explainers, to substantially decrease the cost of engagement (much easier to comment on github issues than to comment on explainers)

w3c-fedid/FedCM#431 (comment)

That overall makes sense to us (we'll follow whatever makes our reviewers life easier), so we started to slowly port our explainers into github issues.

So, what @yi-gu pointed you to in the TAG request here is, in fact, the place in which we explain the problem, the alternatives we considered and the proposal we have an inclination to go for.

I'm sorry if this causes extra work for you all, and we'd be happy to adapt to find ways to make reviews (mozilla's and yours included) as effective as possible, but just wanted to give context as to why these aren't standalone markdown files.

Since we do expect to send you all a few more reviews in the next few weeks/months, let me know if you feel like this isn't a reasonable format and we can work together with Mozilla to figure out something that works, Sam.

@plinss
Copy link
Member

plinss commented Apr 20, 2023

@maxpassion and I looked at this during our Tokyo F2F. One question that came up is about getting user consent for the re-auth flow. It seems like in addition to the RP opting-in to this flow, perhaps the user should also have the option to (or be required to) opt-in during the initial login flow. e.g. when prompted for intiial permissions have to choice of 'Remember me' or 'Only for this session' or such. Our concern is if a user uses FedCM to log in to a service on a public terminal, would the next person using the same terminal be able to sign back in to the original service without knowing the user's credentials? (or at least gain some knowledge about the previous user having an account on the service and possibly login name.)

@plinss plinss added Progress: pending external feedback The TAG is waiting on response to comments/questions asked by the TAG during the review and removed Progress: pending editor update TAG is waiting for a spec/explainer update labels Apr 20, 2023
@yi-gu
Copy link
Author

yi-gu commented Apr 20, 2023

Thank you for the feedback!!

Quick update: in general we are moving towards to a direction to resue the existing mechanism for "automatically returning credentials" defined in Credential Management API. In particular, the mediation requirement and preventSilentAccess as discussed in the initial issue (we'll request another round of review when the proposal is updated).

For the concern regarding public terminal, here are some quick notes:

  • If the user has signed out of their identity provider before leaving the terminal (which they are expected to), auto re-authn won't be triggered because the browser cannot get any account from that identity provider.
  • If not, the next person that uses the same terminal already has access to the previous user's IdP data which provides them the capability to access the federated accounts.
  • Suppose the second user is not an attacker and won't try to steal anything from the first user. The concern is that the second user will automatically authenticated to the website unintentionally and learn about the first user by accident, right? In this case, if the website uses Credential Management API (with IdentityCredential, PasswordCredential etc.), it's expected to invoke preventSilentAccess() upon user signing out. So if the user has signed out of the RP, then auto re-authn won't be triggered; if not, the second user has access to the first user's RP account already. Unless the website does not invoke preventSilentAccess() in which case the second user will see auto re-authn with the first user's account (assuming the user is NOT signed out of their IdP). But at this point, we think this should be a rare case similar to other credential types that rely on preventSilentAccess().

Does it make sense?

@yi-gu
Copy link
Author

yi-gu commented May 11, 2023

Hello again!

We have finalized our proposal to support auto re-authentication. As mentioned earlier, we decided to reuse the existing mediation requirements and preventSilentAccess from the CredentialManagement API. i.e. no new web API will be introduced for this feature.

The spec PR has been merged after we aligned with Firefox on the proposal.

Since there's no new API, should we close this review? Please let us know if anything else is needed from us.

Thank you!

@torgo torgo added Progress: propose closing we think it should be closed but are waiting on some feedback or consensus and removed Progress: pending external feedback The TAG is waiting on response to comments/questions asked by the TAG during the review labels Jun 21, 2023
@torgo
Copy link
Member

torgo commented Jun 21, 2023

Given the above info we're happy to close. As Peter commented above, we generally remain concerned about scenarios involving public terminals so we encourage you to take those into account. Thanks! ✨

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Resolution: withdrawn The requester has withdrawn the proposal Review type: CG early review An early review of general direction from a Community Group Topic: identity & credentials Venue: Federated ID CG
Projects
None yet
Development

No branches or pull requests

6 participants