Reconsider required email field in IdentityProviderAccount #435
Comments
|
I'm curious -- has this come up in practice with some IDP, or is this more a concern in principle? |
|
More of a concern in principle. However, this makes Directed Identifiers easier to integrate, which have been brought up before. |
|
Why do you say that regarding directed identifiers? The email field here is only used for showing to the user, it is not shared with the RP. Is the concern that this would be misleading to users? (the selective disclosure proposal also seems somewhat relevant, #242 (comment)) In general I would prefer to walk through use cases first. I know some IDPs use phone numbers as a primary identifier. An IDP like Facebook may prefer to only show photo+name (?). Ideally a change here would address all these use cases. |
|
One challenge we should probably keep in mind when making
In previous explorations we thought about requiring a customized "identifier" bit in IdentityAccount to help users to differentiate the accounts. e.g. IDP can use email or phone number as an "identifier" and the browser will display it on the UI. This new bit works for both the single idp and multiple idp cases. (Note: we didn't go too far on this route nor thinking through all the abuse vectors due to lack of demand. Things may have changed?) |
This came up at least two times: the first, on principles, on the TAG review and the second, in practice, by
I think email addresses, specifically, are concerning enough from a privacy/tracking perspective, that I think it is worth finding ways to make them not required (if the IdP and the RP don't need them). We can hope that emails get directed in the future, but there are enough a global ones right now, that it is worth making them optional, I think. |
|
I think the cleanest way to go about this is to introduce API surface that allows a relying party to express that it doesn't need email addresses if they aren't available. I don't know what that may look like, but something we could start from is the OIDC's claim parameter and OIDC's standard claims. Here is what this could look like in practice: await navigator.credentials.get({
identity: {
fields: ["name", "picture"], // yo, just need your name and picture, not email
// well-known enumeration of typical claims
// claims: ["name", "nickname", "given_name", "family_name", "email", "phone", "picture"],
providers: [{
url: "https://idp.example",
clientId: "123"
}]
}
});@bvandersloot-mozilla wdyt? |
I mention it because I forgot that it isn't necessarily included in the token :) Never mind that point!
I fear that we can't enumerate all use cases, however here are a few, broken down by how a user understands their account:
One thing that comes to mind is having a name and visible_id (or primary_name and secondary_name), rather than a name and email. This effectively generalizes the email into many more use-cases |
|
I think that generalization meets this challenge by @yi-gu :
Then those IDPs can include the optional disambiguating field.
Interesting! Is this a literal bit or is it just an additional field instead of the "email" that was more general, like my proposal. I don't think this is currently in demand- I just don't want to overconstrain the IDP options in the API so we don't scare off adopters that are unwilling to engage deeply in W3C processes (a high bar). |
This is a little orthogonal to the current topic, but is interesting! Would you be restricting the values in the claims sequence to the well-known enumerated values? Presumably those would be forwarded in the Account List request. I was already thinking of another alternative: permit an arbitrary string to be included in the AccountList request and require a two-click flow for it to be sent. |
|
As an IDP think an arbitrary string is a better option. We have requests from customers to allow logging in via phone number which means we might not have an email. It seems too restrictive to require email specifically, especially if it's only to show in the account chooser. Ideally whatever is shown to the user is what they enter when they visit the IDP (whether that's an email, phone number, username, badge number, etc). |
I agree with @jameshartig, at our company (IdP) we already have users who only register with a phone number so they don't have an email address. In order to make FedCM available to as many users as possible, putting a phone number in the field 'email' would work for us, but is obviously confusing. |
|
I might suggest changing |
One of the problems with accepting arbitrary strings is that I think it will lead to abuse. At some point, someone will start putting "Click here to get $5" and decrease the value proposition to non-abusive IdPs. So, I'd rather start with something that is constrained and high level, rather than general purpose but abusable. |
|
even worse, is that with an arbitrary string you don't know how to handle it in a useful way. I would be really annoying to figure out if a if (email) { contactViaEmail(); }
else if (phone) { contactViaPhone(); } |
@TallTed I was thinking we could align these field names with the ones that HTML autocomplete uses: https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill-field WDYT? |
It's been noted above that some users don't have an email address, only a phone number. I'm sure others will have (or want to provide) only an email address, not a phone number. The HTML autocomplete list doesn't seem to have a The authors of the HTML autocomplete list should also educate themselves about falsehoods programmers believe about things including sex (which is not the same as gender!), human names, email addresses, postal addresses, and more ... and then we should all see the HTML autocomplete list change radically. |
|
Just wanted to cross-post this issue here with another one (in another repo) where we are running into this problem, and wanted to try to reconcile both threads: privacysandbox/privacy-sandbox-dev-support#379 (comment) The proposal that we arrived at in that thread is to:
Would that address this issue? |
|
Every one of these fields is problematic to some extent, especially when one goal is to have one or more universally unique identifiers for each "account" (which might include "role" accounts as well as individual "user" accounts). Requiring "any combination of one or more of these fields, each of which is optional, where the combination is unique to service x" would be a good step. |
This can give a little flexibility to the IDP where accounts may not have an email address tied to them or be a useful way for the user to identify the account.
The text was updated successfully, but these errors were encountered: