-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Returning users have to unnecessarily re-approve #429
Comments
Updated on April 25: Proposal with Mediation Requirements Credential Management API supports handing over credentials to API caller automatically when certain conditions are met. It's achieved by using the mediation requirements field. We believe that it fits well with the FedCM use case. i.e. the browser can help to reduce user friction at the re-authentication moment for RPs/IDPs without paying such security cost. In addition, since the new streamlined re-authn experience only applies to returning users who have granted permission for the RP-IDP communication in the past, we believe that this can be done without reducing privacy. A quick overview of how the proposed “auto re-authn” works:
ProposalsAuto re-authn is for “returning users” only. In addition, it’s gated by several other conditions. We define “Auto re-authn is available” if all the following are true
Auto re-authn flow overviewMediation RequirementsIn the initial launch of FedCM API, we did not include the mediation requirements field which is part of the upstream Credential Management API. One of the goals of “mediation requirements” is to automatically share credentials with the API caller when certain conditions are met. Given that it meets the product requirements of FedCM auto re-authn and it has been used by Password Credentials, we believe that implementing mediation requirements for auto re-authn could not only complete FedCM API but also ensure consistency across similar products. An RP can specify that they’d like to use auto re-authn by using proper mediation requirements in the existing API:
In particular:
Note: since the mediation requirements field is not supported in the current FedCM specification and the spec treats it as preventSilentAccessAs mentioned in the Credential Management API specification,
By supporting Note that SummaryWhen
When
Privacy ConsiderationThe major difference between the existing authentication flow and the auto re-authn flow is that the latter does not require explicit user permission for authentication. However, an explicit user permission to allow the RP-IDP communication MUST have been granted in the browser in the past (e.g. the browser stores such permission locally after a previous FedCM grant). i.e. the new feature only works “post permission”. From privacy’s perspective, this “post permission” feature does not introduce new privacy risks because an explicit user permission to allow RP-IDP communication has been granted in the browser in the past. Thus, bad actors can track user visits on an RP already. e.g. during the last time the user logged in with FedCM, RP and IDP could have already exchanged an identifier such that the RP could just make a fetch to the IDP and reveal relevant information to IDP anyway. To align user expectations of whether they are logged into an RP, we propose UA revoking the previously granted permission when users clear cookies etc. for either IDP or RP. e.g. In Chrome, the permission gets cleared when a user clears Browsing history or cookies or SiteData in chrome://settings/clearBrowserData or chrome://settings/content/all (SiteData for either RP or IDP). i.e. auto re-authn won't work after such user actions. mediation: silentPer specification of the mediation: ‘silent’:
On the one hand, the key difference between On the other hand, UAs may have requirements to show UIs in a FedCM API call to mitigate IdP tracking problem. e.g. Firefox shows an IdP selector before sending the request to fetch accounts from IdP; Chrome shows the account selector (and will show sign in to IdP UI or some error UI) after the accounts fetch. We believe that it’s possible to respect both with the following proposal: when
Security ConsiderationTechnically speaking, the concept “auto re-authn” is achievable on the RP land. e.g. when a user is signing in to an RP with an IDP, the RP can set a long-lived cookie (e.g. 400 days) such that the user is always signed in to the RP as long as they revisit the RP within 400 days. However, while being able to automatically sign returning users back in is a promising feature for RPs, having to extend 1P cookies may be suboptimal or even impractical for some RPs. The proposed API on the other hand:
Alternative proposalInitially we proposed adding a new boolean FedCM extensions considerationIdpSigninStatus API integrationAs part of the IdpSigninStatus API, the browser can be notified by the IdP that whether a user has an active session with them. If no user is signing in to the IdP when FedCM API is called, the browser will terminate the flow early before sending out an account fetch request. The same strategy will apply to auto re-authn. i.e. auto re-authn will be treated as “unavailable” if the IdpSigninStatus is Multiple IDP supportFedCM is adding multiple IDP support (explainer) which may have an intersection with auto re-authn. e.g. if both IDP1 and IDP2 are eligible for FedCM, how does FedCM handle auto re-authn? Similar to the “single IDP with multiple accounts” use case, we can choose to trigger auto re-authn only if the user has one returning account across the IDPs. e.g.
|
@bvandersloot-mozilla |
@martinthomson : thoughts on if feedback is needed before an Intent to Experiment? |
To the proposal: I think I prefer using mediation modes- this feels like re-inventing that wheel. To your concerns in the considered alternatives:
Also,
|
Thanks Ben for the quick response!
Agreed. On the other hand, For one, it changes the default behavior for FedCM sign-in flow. We need to think about what it means to future extensions like multiple IDP support and other potential use cases we have discussed about at FedIDCG.
That's a fair point. I suppose we can ask for some wording changes in CM API to make it more generic if needed.
TIL :) As mentioned earlier, origin trial is a way for us to understand whether the current proposal (API, UX etc.) makes sense such that we can course correct before shipping. While we are totally open with the "mediation mode" path and will be actively thinking it through, we'd like to proceed with the "autoReauthn" path for this round of origin trial to get some feedback on other fronts. Does it make sense? Regardless the API shape, can I assume that there's no "objection" from you for the feature itself? Of course we need to agree on the API before shipping but that could be a separate conversation when we get there. WDYT? |
I think that we'd like to get a little further into this before we can be happy. I'd say that if this were more clearly the right design, then it might be easier to say "no problem", but I don't see that being the case here. Let's look at this from a privacy perspective. Once the RP has obtained a user-bound identifier from the IdP, then the two sites are able to link activity from that person. That means that re-login flows can indeed be done without re-prompting, assuming that cookies have not been cleared on either site1. It's not clear to me whether this is just about recovering from lost RP cookies, or whether it is really about complying with IdP policies about token validity and periodic re-authorization (of the RP by the IdP). The proposed Boolean parameter doesn't really cover cases where there are potentially multiple identities involved though. I would prefer that the RP indicate directly which identity they want to re-authenticate, including the associated IdP. This would allow for multiple linked identities (potentially across different IdPs) without additional friction on this flow. There are ways to make this state more robust than a login cookie, which might expire for good reasons. If the goal is to offer an option to choose a different identity, the browser is in a position to manage that. It will have better information. Though I will note that we might want to avoid offering new identities in general once one has been established; we might prefer to only show the chooser in the case where the original identity is no longer available for use. There are lots of things in this proposal that I don't think are necessary (rate limiting re-authorization and showing browser UX being the ones that spring to mind). Footnotes
|
Thanks Martin for the feedback! Some comments inline:
Great to hear that we are aligned on the privacy side! Yes if a user has cleared cookies/site data on either RP or IDP, the previous permission should be revoked. I listed it as the
The mail goal of this API is not about solving the RP cookie problem (if any). Rather, it's to reduce unnecessary user friction "post permission". As mentioned in the "Problem" section, any explicit confirmation after user returning to an RP does not provide privacy/security benefit like it does during the sign-up moment.
That makes sense. Rps should have the opportunity to specify which identity (or account) they'd like to re-authenticate. We have proposed another API (login_hint) which I believe can help with this situation. i.e. for Rps who want to re-authenticate a specific account, they could add
Understood! There are a couple of ways to reduce the chance for duplicated accounts. Skipping the chooser when there's one that's available is definitely a compelling solution. Another possible path is to show which account is new or returning on the chooser such that the user could be better informed about the situation. Will report back. That said, do you think this could be UA specific UX that's orthogonal to the re-authn API?
For "showing browser UX", IIUC, do you prefer skipping browser UI during re-authentication? |
This is a little ambiguous to me. The form of login_hint is such that you can't always rely on it being an identity. That is, in OIDC, login_hint is poorly defined to the extent that it could just be a message that the RP sends to the IdP. That is clearly unacceptable in this context, so we might need to tighten this up more and define it as an identity. At that point, the notion of automatic login is something the browser can look after. The Boolean parameter is not needed. If the identity is correct, then you are in one of two states:
If the identity is not correct, then you proceed with the full flow. Note that if the user has previously authorized a different identifier, this might be a way to force the browser into getting a different identifier. I'm not sure if this is something I like or not. I would prefer if RPs had only had one identity from one IdP, but I'd need to hear more about use cases to be confident in that position.
Yeah, we might offer guidance, but, as above, my preference is to avoid prompting where possible. If a prompt is shown, we might nudge people toward a previous choice rather than expand RP-IdP communication options, but mostly this is to avoid inadvertent account explosions.
I refer to your little popup that has no user interaction, other than maybe a cancellation. The mock shows this as fully inside the content area, with suggests that sites can render their own UX if they like. Also, the idea that a user might cancel a login is a bit pessimistic about IdP performance. Yes, IdPs can be quite slow, but they don't have to be. The cancellation only works well if they are very slow, but even then it has poor accessibility properties. I'd say you'd need excellent reflexes and fine motor control to hit that small button in time.
By this, I refer to your proposed 10 minute timer. Let the IdP manage that. Note that I said re-authorization because the authentication happens at the IdP; the RP is authorized by the IdP (or by the user). |
Sorry for not being clear. In case you haven't seen our
Agreed.
As discussed earlier, this is definitely an option for Chrome that we want to iterate on.
Agree that this is a bit tricky. Basically it means that the browser has observed a single returing account that it can auto re-authenticate with but the RP has hinted a different account. We haven't really thought about this use case through but my intuition is that we should respect the RP's choice and NOT proceed with auto re-authn. We are also proposing
As you mentioned (also listed in the proposal) we won't proceed with a cancelable auto re-authn. (just to be clear, the thinking was about only sending the token request if a user doesn't cancel in N seconds so it should be orthogonal to IdP performance? Anyway it sounds like that this UX should be off the table)
We are introducing the cooldown to make sure that a user can logout and switch accounts if needed. Totally understand that you prefer "one identity per RP" and we share the same principle such that we'd suggest users to reuse their existing account other than creating new ones. That said, according to some user study we ran, there are users who have multiple identities on an RP for a variety of reasons so they may need to switch accounts every now and then. Ideally, once a user is signed out of the RP explicitly (e.g. via a "Sign me out" button), the RP should not call FedCM with auto re-authn such that the user can switch accounts. However that's not guaranteed and the user will be signed in with the wrong account again when the RP fails to call FedCM properly. While it's indeed a programming error on the RP/IDP side, maybe the browser can take a position in this case to help with that? e.g. disabling auto re-authn for some time so they can switch accounts. Again, for the origin trial, we'd like to gather feedback from all parties and evaluate the decisions we made before shipping. WDYT? |
I've made a draft of what I was talking about RE the mediation parameter in #439. It is a draft because I don't think it is ready, however it is worth having something concrete to argue against. |
How would this work in the use case where the user has two IDP's (my university and my research institute). They try both with the scientific publishers site, and find out that only one works. In the sense, only one actually has a contract so content access is granted. How do we make it clear to the user, either one has to be removed (but only for this publishers site) or the user can choose which to tie initial re-auth with? |
Before the user has completed a FedCM flow with either account, we always show both accounts without auto re-authn. If the user has created an account with one of them (either university or research institute), next time the user is visiting the same publishers site, the publisher site can choose to trigger auto re-authn with that selected account. if the user has created two accounts with both of them on the publisher site, auto re-authn will not be triggered and instead the user will need to manually select which one they want to proceed this time. Note that the decisions are made based on the browser's knowledge of whether the user has created an account or not. i.e. if the user clears cookies or browsing history etc., the browser can choose to reset that knowledge. |
Currently, after a user has created a federated account on an RP with an IDP via the FedCM API, the next time they revisit the website they need to go through the same steps with the same UI affordances. i.e. they will need to explicitly and manually re-confirm to re-authenticate and proceed with the sign-in flow. This UX makes more sense before the user has created the federated account to prevent tracking, which is one of the main goals of FedCM API, but less so after the user has gone through it once: after the user grants permission to allow an RP-IDP communication, there’s no privacy or security benefit for enforcing another explicit user confirmation for something that they have already previously acknowledged.
We have heard from both RPs and IDPs that they would like the authentication experience to be more streamlined for users who have already created a federated account with them. In fact, there are already use cases on the web that are implemented with third-party cookies. From UA’s perspective, supporting re-authentication without explicit user confirmation can:
The text was updated successfully, but these errors were encountered: