Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CREDENTIAL: Support 3rd party credential storage and retrieval protocol #254

Open
dlongley opened this issue Apr 15, 2015 · 9 comments
Open

Comments

@dlongley
Copy link

The Credentials CG and Web Payments IG expect credentials to be stored by third party IdPs and the mechanism for fetching them to be standardized.

This doesn't preclude browsers from being IdPs themselves or from simply caching credentials, but there's an expectation that people will want to store their credentials in a way that makes them accessible from a number of different devices/user agents. These credentials aren't simply "login credentials", they may be long-lived pieces of information about them (eg: driver's license, work permits, etc.). Such credentials may have only been issued after a lengthy verification process. It's a very different scenario from "You're using a new browser, so just enter your username and password again and we'll store the credential in this one, too." That approach is untenable for a whole variety of credentials.

Communicating with third party IdPs should be integral to the API. There should be a standardized protocol to allow the browser to communicate with IdPs to transport credentials. If we unify how credentials are passed around, relying parties don't have to use a different SDK and work flow for every possible credential provider. There should be one way to receive a set of credentials and they should arrive in a standard format. The API may not need to support this feature outright to begin with, but it should be listed as future work so that it's clear that it will eventually be built in to the API -- and the current API should be future proofed to support it.

@annevk
Copy link
Member

annevk commented Apr 15, 2015

It seems this is largely orthogonal to what this document is about. There's nothing that prevents such a thing from being deployed.

@dlongley
Copy link
Author

The current API presumes that credentials are only stored in the browser. The only way around this is to implement a browser plugin. Third party storage support should be, at a minimum, mentioned as desirable in future work.

Assumptions about what credentials are and how they are issued, stored, and used also play into the core design in ways that may limit extensibility. See #256.

@annevk
Copy link
Member

annevk commented Apr 15, 2015

No, it assumes they're stored in a user agent, asynchronously. Anything else is out of scope as is normal for API documents.

@dlongley
Copy link
Author

@annevk, I believe this is related to #256. I understand that the API simply specifies that the user agent does X and then resolves a promise when it's finished. However, it seems like state management might be an issue when the user agent needs to potentially leave the page to store/fetch credentials.

@annevk
Copy link
Member

annevk commented Apr 16, 2015

If the user agent wanted to implement such a model it could do that through a dialog or in the background, no?

@jmajnert
Copy link

Communicating with third party IdPs should be integral to the API.

I disagree. This API doesn't need to communicate to IdPs.

@mikewest mikewest added this to the CREDENTIALS: Future Work milestone Apr 16, 2015
@mikewest
Copy link
Member

We can future-proof the API to ensure that this kind of thing isn't made difficult/impossible, but it's not something I think we can or should explicitly mandate with normative language in the spec.

Are there API-level requirements here that you're not already covering with the suggestions in #256?

Marking as "future".

@dlongley
Copy link
Author

Are there API-level requirements here that you're not already covering with the suggestions in #256?

No, I don't think so, other than that whatever requirements we have for the .get() method, in terms of potentially leaving the page, we would also have for the .store() method. I think we can cover most of this discussion over in #256.

@dlongley
Copy link
Author

If the user agent wanted to implement such a model it could do that through a dialog or in the background, no?

It may be better stated that it would be forced to implement it that way if leaving the page isn't possible. Either that or some postMessage/iframe magic (which is how a polyfill would need to implement it, I'd think).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants