-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Share performance measurement with IDP #352
Comments
We have updated the proposal with details. PTAL. |
OK, to keep y'all updated on the current status: If the fedcm request was successful, we send a credentialed request that includes the RP origin and these timings:
In the failure case, we send an uncredentialed request that does not contain the RP origin and only the "error_code=%d" data. The error code is one of:
The metrics endpoint is specified using a Things I would love to have feedback on:
|
For that last point, it would be possible to send the timing data in the ID assertion endpoint request itself, but of course then we couldn't include the timing for the ID assertion request itself. If you have thoughts on this tradeoff, please comment :) |
Motivation
A successful web API must perform to the level required by the developers that use it. Sharing metrics with the developer to assist them monitoring how the API performs is beneficial to developers, users and FedCM API itself. e.g. an identity provider (IDP) can debug relying party (RP) specific deployment issues or monitor timing related measurements to fix bottlenecks such that their users could have more smooth federation experience. IDP developers can also provide feedback based on the metrics to improve FedCM API.
To achieve this goal at scale, we propose to send data to IDP via a new endpoint in the config file (optional unless IDP wants to receive measurement).
Proposal
Server
If an IDP wants to receive the measurement, it should specify a new endpoint metrics_endpoint in the config file. e.g.
Similar to other endpoints, it must be same-origin with the IDP.
Client
Depending on whether the API call is successful (user grants permission via the "Continue as" button), we can share different data with the IDP. For privacy reasons, any data sent to IDP must be uncredentialed without user information.
API Succeeded
When the API call succeeded, i.e. IDP has issued an id token to the RP upon user’s approval, we can send the following timing information to IDP:
A sample request to the metrics endpoint in the API success case looks like:
Note: there could be a survivorship bias. e.g. higher latency may lead to lower reporting rate.
API failed
For privacy reasons, we cannot inform the RP “when the API call fails and why” in most cases via DOM exceptions. Thus, it’s hard for developers to understand the performance of the API without knowing the API call status.
One important reason why we cannot reject the promise immediately is that the API is called on the RP site and we do not want to leak user or IDP information to RP. However, we could communicate with IDP directly with failure information depending on the failure type.
If the API call failed due to IDP configuration instead of user action, we can expose the reason for failure via the metrics endpoint immediately. e.g. the endpoints are misconfigured, the response is malformed etc.
If the API call failed due to RPs (multiple in-flight requests, aborting etc.) currently we reject the promise immediately. With the SDK, IDP is capable of learning that information already. That said, it’s possible that the RP can call the API directly without an IDP SDK and in that case we should not expose RP failure details to IDP. If IDP SDK is used, RP failures can be detected by IDP already since we reject the promise immediately (e.g. request is aborted, multiple in-flight requests etc.).
If the API call failed due to users (declined / ignored the permission, disabled FedCM, not signed in to IDP etc.), we should expose a generic failure code instead of the exact reason for failure because IDP can forward anything we share with them to RP without user permission.
Failure types
Note
Invalid Accounts Response
for a specific RP, they can further debug what could be the cause (e.g. CSP issue, geo based network issue).A sample request to the metrics endpoint looks like:
Forwards Compatibility Consideration
As noted in the blog post, FedCM API is under active development and some of the new features may have impact on the metrics endpoint as well. Notably:
browser can know about whether a user is signed in to an IDP
if a user is not signed in to an IDP, in the single IDP case, it’s OK to send a generic UserFailure to the IDP. Once we support - multiple IDPs, we should be consistent about whether to send the failure to such IDP regardless if it's used as a single IDP or as part of multiple IDPs. See below for more discussions.
browser can support multiple IDPs in the same federation flow
Once we support multiple IDP there will be some new challenges:
metrics_subscription: [always|signin]
. “always” means that the browser will send metrics to the IDP regardless of the IdpSigninStatus while “signin” means that the browser only sends metrics if the user is signed in to the IDP.Privacy Consideration
The new endpoint is for IDPs to receive API call status. Thus, it should follow the same principal of FedCM API:
In this proposal, all data shared with IDP is
uncredentialed
without user cookies so IDP cannot correlate the RP centric measurement with users. (note: there’s a known timing attack problem that’s orthogonal to this proposal and once IdpSigninStatus API is launched, the timing attack problem can be mitigated).Security Consideration
The new endpoint follows the same standard as other FedCM endpoints do. e.g. it has a
Sec-Fetch-Dest: webidentity
header withOrigin
instead ofReferer
.In addition, we use uncredentialed POST to the IDP endpoint which could technically be abused. e.g. an attacker can use
curl
out of any browser client to POST data to the endpoint. Similar to the Reporting API, typically it’s up to the server to build mechanisms to mitigate the potential problem.Considered Alternatives
Reporting API
The Reporting API allows browsers to send reports created based on various platform features (e.g. document policy violation, CSP violation etc.) to web developers to help them with fixing bugs or improving their websites. See a sample report below for document policy violation:
The Reporting API should be able to achieve the same goal. That being said, a dedicated API should be a better choice because:
That being said, we chose to use a format that's compatible with the Reporting API in case that we want to switch to it in the future.
The text was updated successfully, but these errors were encountered: