Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Users can't use IdPs outside of the ones enumerated by RPs #2

Open
tplooker opened this issue Mar 31, 2022 · 221 comments
Open

Users can't use IdPs outside of the ones enumerated by RPs #2

tplooker opened this issue Mar 31, 2022 · 221 comments

Comments

@tplooker
Copy link

TL;DR there is a significant amount of context at the start of this issue before we get to the proposal, here is a google doc version for an alternative form.

Background

The origins of many federated identity technologies have deep ties to providing an open ecosystem of IDPs to give End Users ample choice in how they choose to “login”. Efforts like OpenID v1 and v2, SIOP, Mozilla Persona, CHAPI, and others, strongly embodied these principles and much of this has remained in future revisions of standards such as OpenID Connect core. However, due to numerous complex issues, much of the industry today, primarily around the “social login” market has consolidated leaving a few IDPs as the dominant market players. To counteract this, FedCM in this work on establishing new browser mechanisms for supporting federated identity has an opportunity to make a meaningful impact and help re-chart the course for the future of federated identity on the web.

In the landscape of today, the choices around federated providers an End-User has available to them when going to “login” on the web is most often a small curated list of IDPs pre-determined by the Relying Party.

image

One of the main market forces that influences the options an End-User is presented with is often referred to as the NASCAR problem (https://github.com/fedidcg/FedCM/blob/main/explorations/related_problems.md#the-nascar-flag-problem). In order for a relying party to keep the UX on their login page from being overwhelming, they must pick a small number of IDPs to support (usually 2-3). How this decision is made by a relying party can be complex, but one major driving factor that applies to many is the existing user-base a particular IDP offers. Often the larger the user base, the more likely the relying party is in its desire to support it. This is because the relying party wants to offer as few login options as possible that services the largest possible user-base for them. This factor makes it difficult for new competition in the IDP side of the federated identity landscape, especially for entities that don’t have large pre-existing user-bases.

image

Who an IDP is, is often also important to factor in. As federated login technologies have developed, companies who built successful social networks, ISPs and commonly used search engines had the large user bases that made them attractive as IDPs to many Relying Parties. These IDPs have been very open about their interests in performing the IDP role, where the access it gives them to information about End User behavior, often supports their primary business models. In this context, concerns about user tracking are very real.

End Users looking to opt out of the limited federated identity login options available today are required to significantly compromise convenience because they are forced to manage a new set of credentials directly with the relying party, creating friction and usability challenges.

image

This equation in many cases has led to End Users using federated login options, trading off concerns such as the fear of being tracked by a particular IDP, for the convenience it offers. As a result, Relying Parties seeking large user bases continue to converge on the dominant IDPs and End User choice is further diminished. We end where we are today, in a self-reinforcing loop dominated by extremely limited choice at logon.

What we need to support instead is a federated login model that re-introduces the End-User into the mediation process so they can have more of a say on which provider they use and where.

Proposal

Currently the proposed FedCM API is focused around a browser mediated approach that assumes the relying party specifies a set of IDPs it supports login from. This model is largely a continuation of that described above and in many respects is just a browser mediated version of what we see most commonly on the web today.

image

Many Relying Parties will want to continue in a model where they specify the IDPs they support.

The challenge is for when this is not the case, to provide a viable way to achieve more End-User choice, greater inclusiveness, increased competition, and reduce vendor lock-in around the IDP options available.

In this proposed additional model, instead of the Relying Party specifying the IDPs it supports in the federation request, it communicates the capabilities it supports such as signature schemes, assertion formats and response modes.

End-Users can then register providers they wish to use with the browser, which are then available as options to present to the End-User when they go to login. This is enabled through the following two step process

  1. Registration Step - The End User navigates to the IDP they want to use, prior to attempting a login with an RP and registers it for use in the browser.

image

  1. Login Step - Later when the End User goes to login with a particular RP that supports this open IDP model, instead of the End User being presented with a pre-set list of IDPs determined by the RP, they are presented with a list of IDPs they have registered to use that support the capabilities required by the relying party.

image

Note - To prevent a scenario where a relying party is supporting this login model but no IDPs have been previously registered in the browser, the relying party could provide IDP hints.

image

Conclusions

Considering the cited basis for FedCM is to “preserve and elevate identity federation” please strongly consider adopting this in your work. Choosing this path would have a meaningful positive impact on federated identity on the web by improving the choices End-Users have to login on with. Ignoring this issue risks the continued consolidation of options available for End-Users and therefore undermining its value as a means of login.

Acknowledged Challenges

  • What happens to an end user when their registrations are wiped?
  • What happens if an end user has forgotten what IDP they use where?
  • Can a significant enough portion of relying parties trust login assertions from an IDP for which they don’t have a pre-existing trust relationship?
  • How are the capabilities supported by the RP communicated to the browser

Prior Art

CHAPI
Mozilla Persona
Account Chooser
OpenID

Raised with @dmitrizagidulin

@samuelgoto
Copy link
Collaborator

samuelgoto commented Mar 31, 2022

I strongly support this overall vision for FedCM, making it so that IDPs interoperate (e.g. don't require pre-registration).

We've been thinking along those lines too and calling it affectionally BYOIDP ("bring your own IDP"), as an analogy to how signing-up with email works (i.e. it is not like there is a list of email providers that the websites works with, right?).

As you may have guessed, we are deliberately not choosing to start there, because we have a responsibility to preserve the current deployment of federation, but we are in agreement of where it should/could go.

I don't think that the solution is as simple as you are making it seem (from a design of incentives perspective first, but also from a UX perspective second), but I think you got the problem and the broad strokes of how to go about it right.

Any chance you could come over some time at the FedID CG to present your work / proposal?

@tplooker
Copy link
Author

tplooker commented Mar 31, 2022

We've been thinking along those lines too and calling it affectionally BYOIDP ("bring your own IDP"), as an analogy to how signing-up with email works (i.e. it is not like there is a list of email providers that the websites works with, right?).

Yes very much aligned with this framing.

I don't think that the solution is as simple as you are making it seem (from a design of incentives perspective first, but also from a UX perspective second), but I think you got the problem and the broad strokes of how to go about it right.

Yes there are a bunch of additional incentives and UX complexities to consider here, some we have already discussed a bit but im sure there are others.

Any chance you could come over some time at the FedID CG to present your work / proposal?

Yes we would be more than happy to.

@samuelgoto
Copy link
Collaborator

Wonderful! @hlflanagan any chance you can help us coordinate a presentation by @tplooker sometime in the upcoming meetings that intersects with his availability?

@gffletch
Copy link

This model is very similar to the approach of decentralized identity. Rather than inventing something new, I highly recommend to look at making the browser be a viable "wallet" for the user and then just use decentralized identity protocols. Note that the OpenID Foundation is working in this space as well with the SIOPv2 spec and it's associated specs.

https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html

@tplooker
Copy link
Author

@gffletch my mental model here is that the browser is a mediator able to facilitate an End-User using an IDP of their choosing (within the constraints of the RP of course). That IDP could be a "wallet" taking a variety of different forms such as a server/web application or native application. So the "browser" itself isn't the wallet. I also agree with the reference to prior art, SIOP in particular needs a solution to mediation beyond the limitations of a custom URL scheme such as "openid://"

@samuelgoto
Copy link
Collaborator

samuelgoto commented Apr 30, 2022

There were a series of sessions that happened at IIW between Kristina (SIOP) / Tobias (this proposal) / Dimitri (CHAPI) / Wayne (Sign-in with ethereum) and I (FedCM) on topics adjacent to this issue, and I feel like we left with a good amount of synergy and a reasonable sense of where to start from.

This is my personal recollection of what we discussed as a group at IIW, but others feel free to chime in and correct me where I'm wrong.

Overall, I left with the sentiment that we had a good amount of appreciation for each other's work.

As far as FedCM goes, SIOP aligns really well with FedCM because it addresses two key problems: (a) the portability problem and (b) keeping issuers blind to verifiers (through a self-issued and trusted OP).

FedCM aligns well with SIOP and CHAPI because both seem to need a neutral / reliable wallet-selector: SIOP has to name IDP on desktop browsers (e.g. if a user doesn't have a phone to scan a QR code) and iOS (e.g. without an openid:// disambiguator), and CHAPI requires everybody to trust auth.io and doesn't quite work in the absence of third party cookies.

The overall idea that we floated around at IIW (largely based on @tplooker 's original architecture) was to expose a browser API to allow:

(a) the registration of IDPs (Self-Issued OPs or not) and
(b) the ability of RPs to ask for an idtoken un-opinionated about where it is being issued from

It wasn't perfectly clear / obvious, but the intuition in the group was that the browser should just keep pushing things down to the OS level (which would obviously require further cooperation from OSes).

For (a) something along the lines of following would write into browser storage the IDP's registration:

navigator.credentials.registerProvider("https://my-idp.example");

This call registers with the Browser the IDP at "https://my-idp.example", which can have all sorts of configuration under a .well-known configuration. In the configuration, there would be some sort of callback that the IDP registers to be called when the IDP is chosen later.

We discussed a few UX options, and the most obvious one was to follow @tplooker 's original proposal to prompt at this point (this also matches what CHAPI does, so that's encouraging). We discussed a few more options and generally agreed that this needs more experimentation to determine what would work best.

For (b), FedCM could expose an extra option to allow, not only named IDPs, but also allowing the user to bring their own. Something along the lines of:

const credential = await navigator.credentials.get({
  federated: {
    providers: [{
      // allows the account chooser to load named IDPs
      url: 'https://named-idp.example',   
      clientId: '********'
    }],
    // The RP accepts IDPs that called registerIDP() before.
    registered: true, 
    // the RP accepts SIOPs
    selfIssued: true,
  }
})

And, when invoked in this fashion, the account chooser would bring accounts from "named" IDPs as well as "registered" IDPs.

If a "registered" IDP is called, then the callback previously registered is called.

We also discussed how this could be used to pass VCs/mDLs over SIOP, which didn't seem to conflict/disagree with this architectural choice. One of the challenges that Wayne brought up that I don't think we talked about enough was to have the ability to register not just IDPs but also types. Something along the lines of:

navigator.credentials.registerProvider("https://my-idp.example", [
  "UniversityDegree", "DriversLicense", "COVIDVaccine", ...
]);

Such that the RP could then use a querying language to filter out SIOPs that contain them.

We also discussed briefly that we'd like the resulting idtoken to be directed, so it is likely that the callback needs to take at least the RP's name so that the SIOP server can direct it.

There is a lot of handwaving here, but this is more or less what I remember from the discussion. There were a series of diagrams that we drew in the whiteboard, and in case any of you still have them on your phones, sharing them would be appreciated.

@Sakurann
Copy link

Sakurann commented May 1, 2022

Pictures of the whiteboard we drew:
2E574CD0-3323-401F-9804-3CC19064E4CE
0D638E94-F09E-45E2-93A1-7FD19A62AF08
DD675404-4117-4C17-A8F1-78104FA85EAA
832C11D7-1745-4930-9720-499AC1AA0DA2
7C379B53-03E0-40CB-B7FF-950DD285EF9A

@quartzjer
Copy link

This all looks and sounds pretty fantastic, wish I had been there!

We also discussed briefly that we'd like the resulting idtoken to be directed, so it is likely that the callback needs to take at least the RP's name so that the SIOP server can direct it.

Not just directed, but a nonce would be essential for the resulting token to be bound and prevent replay as well. Signed requests will also be an important trust mechanism, so the RP initiation interface might be fairly rich.

@dlongley
Copy link

dlongley commented May 2, 2022

Instead of taking this approach:

navigator.credentials.registerProvider("https://my-idp.example", [
  "UniversityDegree", "DriversLicense", "COVIDVaccine", ...
]);

I'd recommend that any sort of filters be provided / be updateable either through some .well-known config or manifest.json. Providers should not require the user to visit their site and call registerProvider again to make changes / improvements to what it is supported. Browsers should pull down config updates from time to time -- and needn't do it on demand (in the middle of a particular user request) if that would be a privacy concern.

Keeping the registration API surface light (i.e., base URL as the only param) also enables better future proofing for adding new feature expression via configs / manifest.json over time.

I will note that adding filters for specific Verifiable Credential types may have challenges, given the unbounded set size. Certainly being able to specify that a provider supports VCs at all or the ability to produce Verifiable Presentations (or perhaps provides other types of credentials / supports other features / protocols) could be of value. So there are some additional considerations around what is to be filtered and at what "levels" or granularity.

@samuelgoto
Copy link
Collaborator

I'd recommend that any sort of filters be provided / be updateable either through some .well-known config or manifest.json.

Ah, that would work too!

So, something along the lines of:

navigator.credentials.registerProvider("https://my-idp.example");

Which, as a convention, points towards something like:

https://my-idp.example/.well-known/tbd.json

Which could contain:

{
  "typesOfCredentialsICanProvide": [
    "UniversityDegree", "DriversLicense", "COVIDVaccine", 
  ]
}

Did I understand that right?

@dlongley
Copy link

dlongley commented May 2, 2022

@samuelgoto,

Did I understand that right?

Yes! Thanks.

@bvandersloot-mozilla
Copy link

I think a simple version of the bring-your-own IDP is interesting, where a user can use an arbitrary identity with a site. This would be akin to a wildcard in the provider list that searches through the users' preregistrations. This could be useful for RPs that need no guarantee of identity elements, just a unique identifier– especially if they don't want to deal with handling username-password management.

@samuelgoto
Copy link
Collaborator

Just to report back on this thread with an update, we started looking into this problem and building some prototypes to see where that takes us: Firefox seems initially supportive and it shows up in multiple places, e.g. w3c-fedid/FedCM#374.

You can follow the prototype process and some early ideas on API design here: https://bugs.chromium.org/p/chromium/issues/detail?id=1406698.

@michielbdejong
Copy link

@samuelgoto It was great to discuss this in person last week at TPAC!
I would love to help prototype the BYOIDP idea, I see it would have the following advantages:

  • solve the NASCAR problem
  • make it feasible to have thousands of acceptable IDPs, especially for instance in Research and Education
  • support things like https://indieauth.com/ and "Log in with your WebID" (as used in https://solidproject.org) without requiring the user to type in the domain name of their IDP

@thhck
Copy link

thhck commented Oct 27, 2023

Hello,

@janschill and I are Solid developers, and we believe this proposal would be a great feature for FedCM to integrate well with the Solid ecosystem.

We're considering working on a Proof of Concept to explore potential solutions and understand the practical challenges.

You can follow the prototype process and some early ideas on API design here: https://bugs.chromium.org/p/chromium/issues/detail?id=1406698.

@samuelgoto it seems that there has been no update since Feb 15. What is the status of the prototype?

Is anyone else currently working on it?

Otherwise, we are looking forward to the possibility of contributing to this effort, and we'd appreciate any guidance or feedback you could provide to help us get started.

@samuelgoto
Copy link
Collaborator

We're considering working on a Proof of Concept to explore potential solutions and understand the practical challenges.

I'd love to participate in this. Is there a call that I can join or maybe a document that I can read to learn more about what you have in mind?

@samuelgoto it seems that there has been no update since Feb 15. What is the status of the prototype?

We have a basic prototype working in chrome canaries that anyone can try.

We are currently blocked on getting feedback from developers if the current proposal meets needs and is a useful API.

Any chance you'd be willing to give this a go and let us know if it works the way you'd expect it to work?

Is anyone else currently working on it?

Not at the moment. Like I said, we feel blocked by meaningful developer's interest.

Otherwise, we are looking forward to the possibility of contributing to this effort, and we'd appreciate any guidance or feedback you could provide to help us get started.

I think one first concrete step we could take is getting a better sense of:

(a) what problem you currently have that you feel like this feature would help?
(b) what alternatives you considered?
(c) how many users/developers would benefit from this feature?

At the moment, we feel like this would be a great addition to FedCM, but we are really worried about implementing and shipping something that doesn't get enough use (and then, paying a maintenance price). We are willing to take risks, but that's currently what's holding us back moving forward, so the more data points you can give us about market demand the easier we can make this happen.

@thhck
Copy link

thhck commented Oct 29, 2023

I'd love to participate in this. Is there a call that I can join or maybe a document that I can read to learn more about what you have in mind?

We want to improve user experience within the SoLiD ecosystem. Given the multitude of IdPs, it can be challenging for users often to recall their specific IdP. If browsers could display a list of previously used IdPs, it would significantly enhance the user experience and usability. We would love to dive deeper in this topic during a call. We also started working on a PoC.

We have a basic prototype working in chrome canaries that anyone can try.

We are currently blocked on getting feedback from developers if the current proposal meets needs and is a useful API.

Any chance you'd be willing to give this a go and let us know if it works the way you'd expect it to work?

We downloaded the latest version of chrome canary on MacOS activated the required flags ( including fedcm-idp-registration ) but we were not able to make it work.
We didn't found the api call to register an IdP, and calling the following didn't gave us any result:

navigator.credentials.get({
  identity: {
    providers: [{
      registered: true 
    }]
  }
});

Is there any resources on how to make it work ?

(a) what problem you currently have that you feel this feature would help?

  • To interact with an IdP, RPs must provide a text input where users can enter their IdP URL.
    • Users have to manually enter the IdP URL and need to remember it, ensuring they make no typos.
    • If a user has multiple IdPs, they must remember all the corresponding URLs.

(b) what alternatives you considered?

  • We've thought about a browser extension, but it's not ideal because it needs to be installed on each browser.
  • Field autocomplete was considered, but it doesn't offer an experience as seamless as the one FedCM provides.

(c) how many users/developers would benefit from this feature?

  • It's difficult for us to estimate these numbers. Undoubtedly, this feature would be a significant improvement for the Solid ecosystem. However, I believe it would also be highly beneficial for larger and more mature decentralized communities ( I'm thinking of the Fediverse).

@npm1
Copy link

npm1 commented Oct 30, 2023

I'm not super familiar with the flag but I think the prototype is not usable yet. You can call IdentityProvider.register('configUrl') in an IDP context but it does nothing as far as I can tell.

@samuelgoto
Copy link
Collaborator

We want to improve user experience within the SoLiD ecosystem. Given the multitude of IdPs, it can be challenging for users often to recall their specific IdP. If browsers could display a list of previously used IdPs, it would significantly enhance the user experience and usability.

Can you expand on this a bit more (just intuition is fine, we don't need super hard data at this point)? How many IdPs are operating today within the Solid ecosystem? How many users a typical IdP have? How many solid RPs exist, and how often are they used?

We also started working on a PoC.

This is really neat, and typically a strong signal that browser vendors take to make an assessment of demand: are developers going out of their way to try to make this work.

Is there an open source implementation of Solid that we could use to build some of these prototypes?

We downloaded the latest version of chrome canary on MacOS activated the required flags ( including fedcm-idp-registration ) but we were not able to make it work.
We didn't found the api call to register an IdP, and calling the following didn't gave us any result:

Ah, I think I'm still missing merging one more CL. Let me get that merged and report back to you here.

However, I believe it would also be highly beneficial for larger and more mature decentralized communities ( I'm thinking of the Fediverse).

Yeah, I share that intuition. But we really need to make sure that we are developing something that will be ultimately useful for users and developers, because the cost of development and maintenance is extremely high.

I think we'd be happy to move forward trying to complete prototypes and seeing where that takes us, but we are ultimately going to need a good set of developers who are excited about this before moving too far. Fair?

aarongable referenced this issue in chromium/chromium Nov 17, 2023
In this CL (behind a flag), we use the permission context that was
written in part 1 to insert IdPs that were registered, and expose a JS API that allows an RP to refer to the registered IdPs.

Prototypes a proposal to solve the following bug [1] to allow us to
gather guidance from developer if this is directionally correct.

[1] https://github.com/fedidcg/FedCM/issues/240#issuecomment-1785678610

Design Doc: https://docs.google.com/document/d/1MKpxTTLi-1e5-0brsdy50TVk2YM9AghoL3diSpRv_vE/edit#heading=h.jdxq4526c2ip

Change-Id: Id1bf4b2590ce55fcd6b8a50edcabe54abb652fc1
Bug: 1406698
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4163707
Reviewed-by: Yi Gu <[email protected]>
Reviewed-by: Mustafa Emre Acer <[email protected]>
Commit-Queue: Sam Goto <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1226397}
@samuelgoto
Copy link
Collaborator

@thhck I just merged a CL in chromium that implements some of the missing parts that you ran into. Can you try to use it in Chrome Canaries in a couple of days once it picks it up?

@janschill
Copy link

@samuelgoto I work with @thhck on this. I just tested this in Google Chrome Canary and it works.

I ran the demo IdP from @asr-enid with two IdPs, registered, logged into idp-1.localhost and in a Chrome console ran:

IdentityProvider.register('http://idp-1.localhost:8080/fedcm.json');

navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "not-a-nonce",
      configURL: "http://idp-2.localhost:8080/fedcm.json",
      clientId: "yourClientID",
      registered: true
    }]
  }
});

The browser then successfully prompted me with "Sign in to idp-1.localhost with idp-1.localhost".

Thanks for getting this out.

@achimschloss
Copy link

I ran the demo IdP from @asr-enid with two IdPs, registered, logged into idp-1.localhost and in a Chrome console ran:

Great to see that this is useful beyond our own usage!

@samuelgoto
Copy link
Collaborator

@samuelgoto I work with @thhck on this. I just tested this in Google Chrome Canary and it works.

Can you try this again? The code snippet you sent feels off to me: you want to skip the configURL when using registered: true.

For example:

IdentityProvider.register('http://idp-1.localhost:8080/fedcm.json');

navigator.credentials.get({
  identity: {
    providers: [{
      nonce: "not-a-nonce",
      // comment out the following line, so that the browser can load accounts 
      // from registered IdPs rather than by configURL
      // configURL: "http://idp-2.localhost:8080/fedcm.json",
      clientId: "yourClientID",
      registered: true
    }]
  }
});

@janschill
Copy link

@samuelgoto yeah, that was also my understanding. I get this error though.

image

I am on Google Chrome Canary: Version 121.0.6153.0 (Official Build) canary (x86_64)

image

The FedCM prompt shows only after the last get call where I also provide the configURL, please note that it doesn't matter what the passed value is, it just seems that configURL is not an optional parameter in your implementation.

@samuelgoto
Copy link
Collaborator

@samuelgoto yeah, that was also my understanding. I get this error though.

Could you make sure you have the following flag enabled in your chrome canary instance?

chrome://flags/#fedcm-idp-registration

@janschill
Copy link

Yes, chrome://flags/#fedcm-idp-registration was enabled during my testing.

@anderspitman
Copy link

@aaronpk any ideas on how we might be able to get this going?

@bc-pi
Copy link

bc-pi commented Sep 4, 2024

Not exactly BYOIDP but there's potential interest from the FAPI community around how, for example, the experience of choosing your bank might be improved. https://bitbucket.org/openid/fapi/issues/689/fapi-fedcm

@anderspitman
Copy link

@samuelgoto we're mobilizing to do what we can to try and get some real RP implementations. One problem is that there isn't currently any IdP people can user to try decentralized login. LastLogin could offer free subdomains for people to use with the IndieAuth profile, but that's currently blocked on #4. I could probably make #10 work if I have to, although the UX would be significantly worse.

Alternatively I could provide people with accounts on a single domain, so they could log in to RPs with URIs like https://lastlogin.net/u/user1, https://lastlogin.net/u/user2, etc. I hesitate to do this because it runs pretty counter to the culture of IndieAuth, which strongly encourages people to own their domain. My original plan was to integrate LastLogin with TakingNames to offer free lifetime subdomains, but again currently blocked as far as FedCM goes.

@anderspitman
Copy link

anderspitman commented Sep 5, 2024

Also, I'm not sure I can securely enable FedCM for LastLogin until w3c-fedid/FedCM#587 is resolved.

@samuelgoto samuelgoto transferred this issue from w3c-fedid/FedCM Sep 5, 2024
@samuelgoto samuelgoto transferred this issue from w3c-fedid/login-status Sep 5, 2024
@aaronpk
Copy link

aaronpk commented Sep 6, 2024

any ideas on how we might be able to get this going?

We're definitely up against the chicken/egg problem here as usual.

I have some notes and sketches for how I want to build a service that lets people delegate a domain for use with IndieAuth+FedCM. However like you mentioned, the eTLD+1 requirement (#613) is definitely a blocker for making this super easy to set up, since right now it requires either delegating the entire eTLD+1 (not many people will do this), or delegating a subdomain but having to then set up the .well-known file manually.

The other opportunity area here is to add FedCM support to the WordPress IndieAuth plugin. That would at least enable a bunch of websites to be a FedCM IdP by installing the plugin.

@anderspitman
Copy link

The WordPress route is a really good idea. It could tap into a large community that's used to the idea of having their own domain, and the concept of using that as their identity might be more intuitive.

@anderspitman
Copy link

anderspitman commented Sep 6, 2024

In the interest of keeping things moving, I went ahead and started implementing the alternative route I mentioned above.

Phase 1 is complete. You can now use LastLogin to log in to any IndieAuth site, for example https://webmention.io/ or https://indieweb.org/. Just enter lastlogin.io in the login field, add an identity (currently always an email address) at LastLogin, and select it. It gives you an IndieAuth profile URL based off the identity you choose.

As I mentioned, this isn't ideal because IndieAuth is more about encouraging people to have their own domain, but it will at least let us test out the technical side of the flow without people needing a domain.

Phase 2 is enabling FedCM for this. At that point we'll have an IdP that can work with any FedCM+IndieAuth RP.

@hex-m
Copy link

hex-m commented Sep 6, 2024

The FedIAM project sounds similar:

FedIAM is a research project which aims to offer an alternative: using Fediverse and IndieWeb protocols, visitors can log in using any one of thousands of small, independent networks run by ordinary people - or even using a provider that they host themselves, independently of any outside influence.

@anderspitman
Copy link

I'm working closely with FedIAM. It's an excellent project. They're focused more on the RP side, and could potentially provide valuable testing from that side.

@samuelgoto samuelgoto transferred this issue from w3c-fedid/FedCM Sep 6, 2024
@samuelgoto
Copy link
Collaborator

samuelgoto commented Sep 6, 2024

I'm working on the things that are blocking you all here, but wanted to clarify a couple of things before going too far:

@samuelgoto we're mobilizing to do what we can to try and get some real RP implementations. One problem is that there isn't currently any IdP people can user to try decentralized login.

First, I think it is worth clarifying that what we are lacking at the moment is evidence that there are enough RPs interested in this, not IdPs. Based on this thread, I think enough individuals managed to spin up their own IdP that I'm convinced there would be "enough" (even if a small number of) people that would be interested. Currently, I'm only aware of webmention.io, and we need a few more independent and real RPs to show interest too.

We're definitely up against the chicken/egg problem here as usual.

Second, the chicken and egg problem is real, and, as noted, typical. Most things fail at this stage, so I'm trying to force us all to avoid ignoring it before moving forward.

Part of the strategy for FedCM was to come up with a UX that can augment an existing website in a backwards compatible way with their existing user experience, rather than to require that the world to move in lockstep. For example: when users are logged out of their IdP, FedCM simply doesn't show up, and the user can still fallback to the typical NASCAR page.

I think that's particularly true for the IdP Registration API: a website should be able to get strictly positive benefits from FedCM (apart from cost of adoption), rather than require all (or any, altogether) users to convert to having their own IdP.

That is: because FedCM doesn't show any UI when the user hasn't registered any IdP, RPs should be able to deploy this without affecting any of their existing users, and, at the same time, having registered users have their user experience augmented.

@samuelgoto
Copy link
Collaborator

Just small update on this thread: we've moved this issue to a repo of its own, as we try to figure out a way to form a boundary between different proposals to extend FedCM. I'm using this specific proposal as a guinea pig because it (a) has an active community interested and (b) is self contained and (c) is in early stages. We are still learning how to use github here, so it is possible we'll find bumps on the way, so apologies for the trouble.

In the meantime, I added @aaronpk and @anderspitman as "champions" for this proposal, along with myself: let me know you want to opt-out. If anyone else wants to champion this too, just LMK and I'll add you to the list.

@anderspitman
Copy link

Thanks for the clarification @samuelgoto. Sorry if I was confusing with all the IdP talk. You were pretty clear before that RPs are what we need. The reason I'm focusing on LastLogin as an IdP first is so that RPs have something concrete and simple to test against.

@anderspitman
Copy link

anderspitman commented Sep 6, 2024

Phase 2 is mostly complete. Unfortunately the latest workaround for w3c-fedid/FedCM#587 didn't work for me (that's my bad for not trying it earlier) so I can't push to LastLogin prod yet, but it's up and running on staging. I might have a workaround for the cookies though so we'll see.

  1. From chrome canary (tested on 130.0.6683.2) go to https://lastlogin.net/login
  2. Click "Register FedCM"
  3. Add an identity
  4. Navigate to https://webmention.io/
  5. FedCM popup should appear
  6. Select the identity you want and it should log you in

PS - It looks like all the necessary features flags are enabled by default in canary now which is great!

EDIT - meant to say the feature flags are available, not enabled.

@erlend-sh
Copy link

From chrome canary

Is it not working in stable chrome-browsers?

@anderspitman
Copy link

anderspitman commented Sep 7, 2024

@erlend-sh well hot dang you're right! Chrome >= 128 I believe. Looks like you need to go to chrome://flags and enable FedCM with IdP Registration support and FedCmMultiIdp. @samuelgoto or @npm1 can correct me if I'm wrong on that.

This should certainly increase our base of potential testers and early adopters!

@anderspitman
Copy link

@erlend-sh do we have anyone in our posse who could quickly crank out a demo video of enabling FedCM in Chrome and logging in to webmention.io via LastLogin? I'm hoping to fix the cookie issue today so we could use prod LastLogin. It has much better latency that staging since it's globally distributed.

@anderspitman
Copy link

anderspitman commented Sep 8, 2024

Phase 2 is now actually complete. I implemented a workaround (see w3c-fedid/FedCM#587 (comment)) for the SameSite=none cookies. You can now log in to webmention.io using prod LastLogin (https://lastlogin.net) with FedCM.

@anderspitman
Copy link

anderspitman commented Sep 8, 2024

Updated steps:

  1. With Chrome >= 128, go to chrome://flags and enter "fedcm" to filter the flags
  2. Enable "FedCM with IdP Registration support" and "FedCmMultiIdp"
  3. Navigate to https://lastlogin.net/login
  4. Click "Register FedCM" then "Allow"
  5. Add an identity
  6. Navigate to https://webmention.io/
  7. FedCM popup should appear
  8. Select the identity you want and it should log you in

@anderspitman
Copy link

FYI https://lastlogin.net is going to be the production deployment from now on. lastlogin.io should still work for everything except IndieAuth stuff.

@npm1
Copy link

npm1 commented Sep 9, 2024

PS - It looks like all the necessary features flags are enabled by default in canary now which is great!

Hmm no that should not be the case. But great to hear it is working for you!

@anderspitman
Copy link

Sorry meant they are available, not enabled by default. I edited my comment.

@timcappalli
Copy link

Set this up in about 10 minutes!

image

@wip-abramson
Copy link

I got this working thanks to @samuelgoto at IIW!

image

michielbdejong added a commit to michielbdejong/fedcm-demo that referenced this issue Nov 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests