Explicit Sign-in 1.1.2.2 => direct interaction between user and IdP? #245

Closed
dickhardt opened this issue Apr 9, 2022 · 6 comments
@dickhardt

All large IdPs dynamically evaluate each attempted sign in to an RP by a user, and will require additional direct interaction if a risk threshold is exceeded. The proposal reads that the IdP has no mechanism to directly interact with the user.

@dj2
Collaborator

dj2 commented Apr 11, 2022

What kinds of interactions are typically seen? Is the risk threshold custom per IDP or is there something specific they're looking for?

@dickhardt
Author

The big IdPs all gather their own unique signals and feed them into their ML to make decisions. They are not doing this as IdPs -- it is what they do for account protection generally.

@gffletch

Agree with @dickhardt! The IDP MUST have a direct communication path with the user. Sometimes it's to require an additional verification (a la Google when you login from a new device and new location). Sometimes it's to alert the user to some other aspect of change to their identity at the IDP. Given that many IDPs have additional services there might be a privacy check-up flow that is required, etc. There is also the case of authentication methods (e.g. QR codes) that don't involve the browser at all but require the IDP to be able to return content to the user so that the user can complete the flow.

This is a key benefit of the existing redirect based flows. The RP has transferred the user to the IDP to do whatever is necessary at the IDP and when those steps are completed the IDP returns the user to the RP in an authenticated state. Changing that dynamic has significant impacts on the user's security and the dynamics of how identity works today.

@npm1
Collaborator

npm1 commented Jul 20, 2022

The IDP needs to produce an ID token that is going to be used by the RP to sign the user in. Is this last step not sufficient? If an IDP deems the risk to the user to be high in the particular scenario, they could reject sending an IDP token. However, I do agree that we have not replaced all of the flows available via redirects with this API.

@achimschloss
Contributor

#253 (comment)

@yi-gu
Collaborator

yi-gu commented May 2, 2024

This has been addressed with the Error API #498 e.g. the IdP can return an error instead of a token and the browser can render UI for the IdP to communicate with the users.

In case that the IdP needs to gather further user permission before issuing a token, they could use the Continuation API w3c-fedid/custom-requests#1

@yi-gu yi-gu closed this as completed May 2, 2024