TAG review request for the IDP signin status API #884
Comments
I should have mentioned in the initial request: We (Chrome) think that this proposal in combination with measuring user metrics is sufficient to address the timing attack. We are tracking per-RP and per-IDP metrics to detect abusive IDPs; combined with this proposal (which shows a dialog when a credentialed request was made) solves the silent timing attack problem and makes the "loud" timing attack impractical. We understand that other browsers have different privacy tradeoffs and have (tried to) write the spec such that they can gate FedCM requests on user interaction before credentialed requests are sent.
Hi @cbiesinger : a few questions came up in our discussion today on this one:
FYI we're making some minor naming changes in https://github.com/fedidcg/FedCM/pull/505/files
Hi there, we were just getting back to this, and we've lost track of the explainer as the current link is a 404. Are we right in thinking the name of the feature has changed to Login Status API? We can see a few linked issues and PRs, but none of them are clearly an explainer for this feature, as well as this explainer in the privacy cg for a feature with the same name, although I don't think this is recent. Can you clarify what we should be looking at at this point? Thanks.
Sorry about that, you can use https://github.com/fedidcg/FedCM/blob/83f30cccb3b48e66f2760030906e2853b124d9c8/proposals/idp-sign-in-status-api.md We were aiming at producing an API that can also satisfy the goals of the privacycg proposal; however, our proposal is more mature (Chrome is now shipping it). See also privacycg/is-logged-in#53 (comment) and https://github.com/fedidcg/login-status which more directly integrates the privacycg proposal and other extensions.
Hi @cbiesinger, we discussed this on our call today; we're happy with the direction the work is going, so we're closing this review. Thanks for flying TAG.
Draft: TAG review request for the IDP SignIn status API
Hello TAG!
I'm requesting a TAG review of the IDP SignIn status API (addition to the Federated Credential Management API).
This API provides a way to prevent RPs from silently making cross-site credentialed requests to IdPs using the FedCM API while minimizing user annoyance for users who are not logged in to the requested IDP. We call this problem the timing attack problem. In this proposal under review, specifically, when the user agent was not notified that the user is signed in to the IDP, no network request is made and so no UI has to be shown. Otherwise, whenever a credentialed request is made, UI is shown. This discourages use of the API for tracking. (Note, for Chrome’s implementation we allow a once-per-IDP potentially-silent request for bootstrapping purposes)
Further details:
You should also know that...
https://github.com/fedidcg/FedCM/blob/main/meetings/2022/FedCM_%20Options%20for%20the%20Timing%20Attack%20Problem%202022-08-31.pdf contains a lot of background reading
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback
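The gating rule described in the request above, as an added JavaScript model that is not part of the original issue, the FedCM specification or Chrome's code. The class, its method names and the example origins are hypothetical, and it assumes the user agent records the outcome of each credentialed request as the new status; the single request allowed in the unknown state follows the note about Chrome's bootstrapping behaviour.

```javascript
// Model of the gating described above. All names are hypothetical.
class LoginStatusGate {
  constructor() {
    this.status = new Map(); // IDP origin -> "logged-in" | "logged-out"; absent = unknown
    this.log = [];           // one record per credentialed request actually sent
  }

  // The IDP notifies the user agent of a sign-in or sign-out.
  notify(idp, status) {
    this.status.set(idp, status);
  }

  // An RP asks for a federated sign-in. idpHasSession stands in for what the
  // credentialed request would reveal (whether the IDP's cookies identify a user).
  request(rp, idp, idpHasSession) {
    const known = this.status.get(idp);
    if (known === "logged-out") {
      // Not signed in as far as the user agent knows: nothing leaves the browser.
      return { networkRequest: false, uiShown: false };
    }
    const bootstrap = known === undefined; // unknown status gets one request
    // Assumption: the observed outcome becomes the stored status, so the
    // unknown state can be used only once per IDP.
    this.status.set(idp, idpHasSession ? "logged-in" : "logged-out");
    // Signed-in status: UI is always shown, even if the IDP returns no accounts.
    // Bootstrap: UI only if there are accounts to show (the potentially silent case).
    const uiShown = bootstrap ? idpHasSession : true;
    this.log.push({ rp, idp, uiShown });
    return { networkRequest: true, uiShown };
  }

  // Credentialed requests that reached the IDP without any UI being shown.
  silentRequests(idp) {
    return this.log.filter((r) => r.idp === idp && !r.uiShown).length;
  }
}

// Constructed scenario: an RP calls the API repeatedly for an IDP where the
// user has no session, which is the pattern a silent timing probe would need.
function simulateRepeatedCalls(calls) {
  const gate = new LoginStatusGate();
  for (let i = 0; i < calls; i++) {
    gate.request("https://rp.example", "https://idp.example", false);
  }
  return { sent: gate.log.length, silent: gate.silentRequests("https://idp.example") };
}
```

In this model the number of silent credentialed requests per IDP is bounded at one regardless of how many times the RP calls, and a stale signed-in status always costs the RP a visible dialog.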