-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FedCM Auto Re-authentication API #813
Comments
Hi @yi-gu. Thanks for opening this review. If you'd like our feedback, could you please draft us a quick explainer to cover how you'd like this to work and why you've chosen that approach above the other approaches you've considered? If it helps, our explainer template and explainer explainer are posted. We look forward to hearing more from you. |
Hey @hadleybeeman thanks for reviewing this! I replied to @torgo over email, but figured it would be useful to give context here more publicly in case we run into this again.
We did originally have proposals to extend FedCM in the form of explainers that follow the template (you can still see some of them here), but we got feedback from Mozilla that it would help their reviews if these were filed as github Issues as opposed to standalone markdown files: making comments in github issues is a much lower hurdle to pay to engage than it is to kick off new github issues or submit pull requests.
That overall makes sense to us (we'll follow whatever makes our reviewers life easier), so we started to slowly port our explainers into github issues. So, what @yi-gu pointed you to in the TAG request here is, in fact, the place in which we explain the problem, the alternatives we considered and the proposal we have an inclination to go for. I'm sorry if this causes extra work for you all, and we'd be happy to adapt to find ways to make reviews (mozilla's and yours included) as effective as possible, but just wanted to give context as to why these aren't standalone markdown files. Since we do expect to send you all a few more reviews in the next few weeks/months, let me know if you feel like this isn't a reasonable format and we can work together with Mozilla to figure out something that works, Sam. |
@maxpassion and I looked at this during our Tokyo F2F. One question that came up is about getting user consent for the re-auth flow. It seems like in addition to the RP opting-in to this flow, perhaps the user should also have the option to (or be required to) opt-in during the initial login flow. e.g. when prompted for intiial permissions have to choice of 'Remember me' or 'Only for this session' or such. Our concern is if a user uses FedCM to log in to a service on a public terminal, would the next person using the same terminal be able to sign back in to the original service without knowing the user's credentials? (or at least gain some knowledge about the previous user having an account on the service and possibly login name.) |
Thank you for the feedback!! Quick update: in general we are moving towards to a direction to resue the existing mechanism for "automatically returning credentials" defined in Credential Management API. In particular, the mediation requirement and preventSilentAccess as discussed in the initial issue (we'll request another round of review when the proposal is updated). For the concern regarding public terminal, here are some quick notes:
Does it make sense? |
Hello again! We have finalized our proposal to support auto re-authentication. As mentioned earlier, we decided to reuse the existing mediation requirements and preventSilentAccess from the CredentialManagement API. i.e. no new web API will be introduced for this feature. The spec PR has been merged after we aligned with Firefox on the proposal. Since there's no new API, should we close this review? Please let us know if anything else is needed from us. Thank you! |
Given the above info we're happy to close. As Peter commented above, we generally remain concerned about scenarios involving public terminals so we encourage you to take those into account. Thanks! ✨ |
Wotcher TAG!
I'm requesting a TAG review of FedCM Auto Re-authentication API .
An extension to the existing FedCM API that provides a streamlined UX when users return to websites. The API requires that the user has already granted permission for the RelyingParty (RP) and Identity Provider (IdP) communication in the browser through a previous FedCM call.
Further details:
You should also know that the initial FedCM TAG review is #718. We're requesting a review specifically on the addition: auto re-authentication.
We'd prefer the TAG provide feedback as (please delete all but the desired option):
💬 leave review feedback as a comment in this issue and @-notify @yi-gu
The text was updated successfully, but these errors were encountered: