Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allowing IDPs to expose different account lists in different contexts #553

Open
cbiesinger opened this issue Apr 3, 2024 · 2 comments
Open

Allowing IDPs to expose different account lists in different contexts #553

cbiesinger opened this issue Apr 3, 2024 · 2 comments
Labels
chrome FPWD

Comments

@cbiesinger
Copy link
Collaborator

cbiesinger commented Apr 3, 2024
edited
Loading

Some identity providers (IDPs) want to show different sets of accounts in different contexts. For example, some relying parties (RPs) may want to filter out certain account types such as minors.

The most straightforward way to do that is to allow IDPs to specify different account endpoint URLs for different contexts, but that has undesirable privacy properties (ie., the specific account endpoint URL would tell the IDP which subset of accounts is being queried by the client, which could provide the IDP with some information on which RP the user is currently on if specific account subsets were associated with specific sets of RPs, potentially impacting the user's privacy). Hence, this document proposes a way to filter accounts in a privacy-preserving way by filtering the accounts on the client side..
@cbiesinger cbiesinger changed the title Custom account labels and filtering Allowing IDPs to expose different account lists in different contexts Apr 3, 2024
@cbiesinger
Copy link
Collaborator Author

Proposal

We are proposing an optional “labels” attribute in the returned account list:

{
 "accounts": [{
   "id": "1234",
   "given_name": "John",
   "name": "John Doe",
   "email": "john_doe@idp.example",
   "picture": "https://idp.example/profile/123",

   // New field:
   "labels": ["type1", "type2"] 
  }]
}

Similarly, the configURL can optionally specify a label that needs to match at least one of the labels in the list:

{
  "accounts_endpoint": "accounts.py",
  "client_metadata_endpoint": "client_metadata.py",
  "id_assertion_endpoint": "token.py",
  "login_url": "login.html",

  // New field:
  "accounts": {
    include: "type1"
  }
}

Labels are strings. If the “labels” array or “include” field contains something that is not a string, it is ignored.

If no label is specified in the configURL, all accounts will be displayed in the FedCM account chooser. If no labels are specified for an account, it will only be displayed in the account chooser if the configURL also does not specify a label.

The requested label from the configURL will not be sent to the server and is purely used client-side.

If no account matches the requested label, we treat it the same as if no login_hint or domain_hint matches.

This is different from the login_hint/domain_hint attributes in that it provides a way to associate accounts with more generic, abstract groups, not constrained to domain-specific associations like a domain or login hint.

Note that this proposal depends on the proposal in #552

Alternatives considered

Change domain_hint and/or login_hint to an array in the navigator.credentials.get call

The way this would work is that the server would include a “fake” login hint or domain hint in the array it sends in the account list. The caller would specify the desired label in the call to navigator.credentials.get in addition to any “real” login or domain hint they need, and both/all have to match.

Advantages:

Disadvantages:

  • Backwards compatibility complexity (need to accept either a string or an array for login/domain_hint)
  • Have to specify the label in each caller instead of having it provided automatically through the config file
  • Seems a bit of an abuse to use a login/domain_hint for something that is neither

Relax the limit of a single account endpoint

Allowing IDPs to have multiple (two) account endpoints under an eTLD+1 (#333) would solve this problem as well, however this provides an extra bit of entropy to the server that is undesirable from a privacy perspective.

Append a query parameter to the account endpoint

Based on some parameter to the FedCM call, we could append a query parameter to the accounts endpoint. As a strawman, if non-default scopes were requested, we would append ?has_scopes=1 when requesting the account list. From a privacy perspective, this is equivalent to the previous option; from a technical perspective this would be somewhat simpler but less flexible.

@cbiesinger cbiesinger added the agenda+ Regular CG meeting agenda items label Apr 9, 2024
This was referenced Apr 15, 2024
Open
Open
@yi-gu yi-gu removed the agenda+ Regular CG meeting agenda items label May 8, 2024
@wseltzer wseltzer added the FPWD label Jul 9, 2024
@samuelgoto samuelgoto mentioned this issue Aug 1, 2024
Closed
@wseltzer
Copy link
Collaborator

Discussed at TPAC 2024 https://github.com/fedidcg/meetings/blob/main/2024/2024-09-24-TPAC-notes.md#account-labels

Proposal advanced to Stage 2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
chrome FPWD
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wseltzer @samuelgoto @cbiesinger @yi-gu