Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FedCM Multi IDP Support #730

Open
npm1 opened this issue Jan 11, 2023 · 4 comments
Open

FedCM Multi IDP Support #730

npm1 opened this issue Jan 11, 2023 · 4 comments

Comments

@npm1
Copy link

npm1 commented Jan 11, 2023

Request for Mozilla Position on an Emerging Web Specification

Other information

Hey, I am requesting standards position on the FedCM API multi IDP support. The explainer is up from GitHub and is based on a bunch of discussions in the FedID CG. The original FedCM request was done in #701 but since this is a substantial update, I figured it's worth requesting standards position for this as well.
This was referenced Jan 11, 2023
Closed
Open
@bvandersloot-mozilla
Copy link
Contributor

This represents my understanding of the problem and solution spaces pretty well. I assume this request is for the Batched Get Implementation- is that right?

Overall, I think this proposal makes sense and is a substantial improvement to FedCM. But I have a few open concerns:

  • The cutoff for inclusion in the dialog for the before-or-during-onload case should be “an implementation-defined time, no sooner than the end of the window onload event.” This gives a little more flexibility and is a relaxation of your definition.
  • IDP ordering is unresolved and an important feature. I don’t like response time factoring into the ordering- this favors IdPs with multiple points of presence when RPs don’t specify the ordering. However, there are answers here that I like: prioritization based on prior use, randomization, and/or sort-by-hash.

I agree that this version is probably confusing for developers, however with good documentation that offers a one-sentence explanation of the semantics of a call to navigator.credentials.get({‘identity’: {}}) I think it will work out in the end.

This does further complicate the eventual vision of the Credential Management API to integrate all options in a single dialog. However, similar issues need to be solved in WebAuthN, so I don’t worry too much.

Do my suggestions in the open concern bullets above sound like positive improvements to your proposal?

@npm1
Copy link
Author

npm1 commented Feb 2, 2023

This represents my understanding of the problem and solution spaces pretty well. I assume this request is for the Batched Get Implementation- is that right?

Indeed!

  • The cutoff for inclusion in the dialog for the before-or-during-onload case should be “an implementation-defined time, no sooner than the end of the window onload event.” This gives a little more flexibility and is a relaxation of your definition.

We haven't spec'd this out but that is certainly the intention. It is mentioned in the explainer here https://github.com/fedidcg/FedCM/blob/main/proposals/multi-idp-api.md#2-batched-get-implementation

  • IDP ordering is unresolved and an important feature. I don’t like response time factoring into the ordering- this favors IdPs with multiple points of presence when RPs don’t specify the ordering. However, there are answers here that I like: prioritization based on prior use, randomization, and/or sort-by-hash.

Good ideas! I wonder if the IDP ordering needs to be specified since it is part of the user agent dialog? I think all of those prioritization options would be valid under the spec we come up with. If you force me to pick a specific ordering from the above, I would say that prior use is good for the user so I would use that, and randomization could be used to break ties (i.e. to order all the previously unused IDPs).

Do my suggestions in the open concern bullets above sound like positive improvements to your proposal?

Yep, they all sound good to me! Thanks for the feedback.

@npm1
Copy link
Author

npm1 commented Feb 21, 2024

Pinging this thread along with an update. In Chrome, we are planning to do an Origin Trial (not ship yet) the multi IDP support restricted to the case where all IDPs are indicated in a single get() call. In particular, it will still be the case that any subsequent get() call will be rejected when there is a pending one.

This restriction makes a lot of the complicated UX problems go away, and we have found cases (companies owning multiple IDPs) where it would be beneficial, so we think moving forward with this will be beneficial. Any position with regards to this specific extension of the FedCM API would be appreciated. Thanks!

@bvandersloot-mozilla
Copy link
Contributor

The speific extension outlines with a single get call is a reasonable one and addresses the concerns from above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
standards-positions review
Status: Unscreened
Milestone
No milestone
Development

No branches or pull requests
2 participants
@npm1 @bvandersloot-mozilla