A not-yet logged in IDP has no route to success with this flow #442
Comments
|
Yes, this will be needed, especially if an RP wants to use FedCM for a button flow (as opposed to triggering it onload, where silent failure is probably acceptable) #436 adds a signin_url field, which is part of what is needed here. |
Agreed. A key piece will be having the proposed dialog that shows that link show up when a user isn't yet logged in. In addition to that, there are two options:
I think the best way forward is the latter. |
|
Yes option 2 sounds good to me. But I think we need to figure out how to trigger this behavior. Maybe add a flag somewhere saying that if there are no accounts found, that we should show a signin prompt instead of returning failure silently? And/or have the presence of transient user activation trigger this behavior? |
I think this is also another instance where the RP would want a flag to influence this behavior especially with the introduction of multi-idp support - see #438 (comment) - there could be a IDP specific flag where the RP could indicate to be wanting to enable a IDP sign-in from its site. |
|
This would be quite relevant to Seamless Access. We expect that users will move between many sites, wanting to access for example scientific content. They will be shown the option, but it needs to be clear that they are signed in or still need to |
+1 that the
Yeah, maybe an extra attribute like
await navigator.credentials.get({
identity: {
providers: [{
// ...
signedOut: "signin" // defaults to "dismiss"
}]
}
});@bvandersloot-mozilla does this sound more or less right to you? any intuition on where this should hang? There is also a related discussion on allowing users to "add/change accounts" when users are already signed-in, which we would expect not all IdPs would necessarily want to support (e.g. not all IdPs have the concept of "multiple accounts"), so maybe we need another flag like await navigator.credentials.get({
identity: {
providers: [{
// ...
signedOut: "signin", // defaults to "dismiss"
allowNewSession: true // defaults to false
}]
}
});Another challenge here is (IdPs) supporting the combinatorial explosion of flags here, so another option here is to hard code a few known supported flows rather than individual flags with an enumeration of await navigator.credentials.get({
identity: {
providers: [{
// ...
mode: "button" || "widget"
}]
}
});So maybe we can start with the coarse Another related discussion is that of Another consideration is whether this should be a configuration per-IdP or at the await navigator.credentials.get({
identity: {
mode: "button" || "widget"
providers: [{
// ...
}]
}
}); |
|
hm, I think RPs may want different behavior at different times. For example, they may want to show an account chooser onload but only if the user is logged in; but they may have a "sign in" button which should not fail silently. |
Yeah, I was thinking that IdPs would have the ability to have more than one So, RPs can still choose between two different |
|
I think that enumerating a set of supported flows may be painting ourselves into a corner. How does either proposal interact with a multiple-IDP use case? |
In this CL, we expose - behind a flag - a "mode" parameter in the FedCM API and plumb it to the browser process through the mojom interface. This starts allowing the FedCM API to degrade more gracefully when the user is *not* logged-in to the IdP. Specific feature request here from Mozilla: fedidcg/FedCM#442 (comment) The "mode" (={button, widget}) parameter controls the internal algorithms of FedCM to handle logged-out users. In mode=button, the browser opens a pop-up window when users are logged-out, whereas in mode=widget (the default) the prompt is just automatically dismissed. Part (pre-requisite) for this larger feature: fedidcg/FedCM#477 (comment) Privacy and Security Early Reviews: https://docs.google.com/document/d/1WtiG-JwlcuCJPI0EZdo61vxg6sjTAuxFFm5I2Jk4x6s/edit The browser implementation, that will actually change based on this flag, is being implemented in a separate CL (see gerrit CL dependency). Bug: 1429083 Change-Id: If9f6b453cc5e16c479b89a16191d010892bd0377 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4779439 Commit-Queue: Sam Goto <goto@chromium.org> Reviewed-by: Yi Gu <yigu@chromium.org> Reviewed-by: Emily Stark <estark@chromium.org> Cr-Commit-Position: refs/heads/main@{#1204181}
In this CL, behind a flag, we make the algorithm degrade gracefully for logged-out users when in "button" mode by opening a pop-up window that allows the user to sign-in to the IdP (as opposed to dismissing the request, when in "widget" mode)). This allows the FedCM API to support button flows where the user expects a fallback, as opposed to a dismissal. fedidcg/FedCM#442 (comment) Change-Id: Id1492f8f3e10fbd9e400b809caf64e90ac2806ca Bug: 1490588 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4790926 Commit-Queue: Sam Goto <goto@chromium.org> Reviewed-by: Yi Gu <yigu@chromium.org> Cr-Commit-Position: refs/heads/main@{#1206673}
|
I've tried this with the multi-idp mode. As it is a global property, it seems to pop up the |
|
If that comment is about the Chrome flag, we haven't worked on that in a while so it is likely not working correctly at this point. In multi-idp mode, I'd expect the user to pick the IDP they want to sign in to, not for one popup per IDP to open. |
|
That's it (chrome flag), thanks. The behavior I observed was a popup per signed-out IdP. But I realize the multi-idp support is a WiP, so just adding a data point from testing. |
Interesting, thats really not what you'd want for a final version. As noted in the CG call I think the RP/Authentication Intermediary should be able top open a pop-up in this case to let the user choose how to proceed (not a browser mediated UI, or at least both options must be available) See also the implementation bug in Chrome to track this: https://bugs.chromium.org/p/chromium/issues/detail?id=1487268 |
|
@samuelgoto seems this should be a proposal under https://github.com/fedidcg/FedCM/tree/main/proposals ? |
|
2023-11-28 call: prototype exists in Chrome Canary, please test |
|
Just a small update on this: we built a prototype in chrome canaries with the following formulation: await navigator.credentials.get({
identity: {
mode: "button" || "widget"
providers: [{
// ...
}]
}
});You can try this by flipping this flag in chrome canaries: What it does is that, on Any chance we have anyone around interested in giving this a try and letting us know if this behaves the way that they'd expect this to behave? |
FWIW - this is also already supported as an option in the demonstrator implementations (mode = button) on the RP side. |
|
Yes. This looks like the implementation I tested with multi-idp support above. I uploaded a demo video of how it acts in that case, for reference. |
|
I should add, that it behaves in the way described for a single IdP. |
|
I have no good suggestions of how to fix that for multi-idps, even if you moved the mode option into the provider's array (i.e., per-provider) I am not sure how the RP would know to set it differently per IdP (or even why it would do that), and would probably just set it the same for each provider anyway (so I think it makes sense to set globally as it is). I guess, as already suggested in this thread, you might need the user to select which IdP to use first before trying to retrieve accounts from it, and therefore before deciding if the sign-in popup is needed. |
|
Yeah, we'd probably have to have an "IDP selection" dialog if the user is not signed in to any of the IDPs, and if the user is signed in to at least one IDP the dialog should still let the user sign in to one of the others |
|
Don't forget that SeamlessAccess has a lot of experience with that IdP choosing process. Lessons to be learned there (and possibly code to use). |
|
Hmm @asr-enid may want a single button that works for GMX/web.de/etc? In general I would like to think that we can be more ambitious than the current state of the web and it would be nice to have a single "Log in" button that supports all the IDPs |
|
Yes, you could probably do the IdP discovery part external to the FedCM API—whether that is a list of buttons (sign in with X.com) or something more sophisticated when there are thousands of possible IdPs—and then seed FedCM with that choice. I guess in which case you would never directly need to support more than one I was thinking it would operate more along the lines of what @cbiesinger said, a single button that ran through the entire selection flow. This does become hard in the 'hundreds or thousands of IdPs R&E world', however. Obviously, where FedCM is going to see (at least initial) uptake, hundreds or thousands of IdPs is probably not what you will be dealing with. I just wanted to highlight that is possible in some communities. |
|
I think supporting multiple IdPs in a button flow will allow RPs to provide a better user experience. Providing this means that the user would not need to remember what account they had, which IdP they used before, or even if they already had an account or not. |
Absolutely |
|
We have some mocks to show how we plan to support the button flow in Chrome. We can go over the CUJs in the next CG call but in the meantime please feel free to leave your feedback here. |
|
(mocks are available here.) MotivationThe web needs a long term solution for federated login, as browsers handle tracking on the web. While heuristics can buy us some time in the short term, these two proposals extend FedCM to put us a couple steps closer to being able to operate federated login without them. The first extension handles a “button” mode (as opposed to / in addition to the current “widget” mode), where the browser needs to handle more gracefully when users are logged out of IdPs (take the user to login to the IdP, as opposed to failing silently), as Mozilla pointed out here. The second extension allows users to “use other accounts” in the account chooser, for example, when IdPs support multiple accounts or replacing the existing account. ContextThe button flow differs from the widget flow in several ways. The most significant difference is that the button flow is on the critical path of a user's sign-in journey. This means that a user must be able to successfully sign in with a federated account using this flow. In contrast, the widget flow is an optimized flow that can reduce sign-in friction. This means that if the widget flow is unavailable, a user can still click a "Sign in with IdP" button to continue. In view of the complexity of the critical sign-in flow, as well as the diversity of deployment environments (e.g., an RP may or may not use an IdP SDK), it is necessary to explicitly define the responsibilities of all parties involved.
ProposalIdP controlRP controlBrowser controlInclude POST /fedcm_assertion_endpoint HTTP/1.1 account_id=123&client_id=client1234&nonce=Ct0D&disclosure_text_shown=true&is_auto_selected=false&mode=button Overview
Open questionsMode optionsThe current option "button" and "widget" are not ideal because they are focused on the UI affordance instead of the essential distinction of the two types of flows. What "button flow" implies is that it's user initiated and the user must be served by the UA to complete the sign-in flow. This is a critical user journey so the browser should mediate it in a prominent way. What "widget flow" implies is that it may not be gated by user activation therefore it should be treated as an optimized sign-in option and it's OK to fail silently. In other words, it's up to the UA how to implement these two flows with different UI affordances. e.g. one may implement the optional flow with quieter UI like a chip on the URL bar. We will try to gather more feedback on the naming before shipping. Feature detectionThere's no dedicated way to feature detect dictionary members. There have been discussions over the years but folks haven't been sufficiently aligned on the proposals. In the interim, developers can use the following way for feature detection for better interoperability. We can revisit this decision if the community has other thoughts or better options. Security ConsiderationsThe button mode shares most of the security properties from the widget mode. e.g. honoring CSP, CORS, using security headers, not asking users to type in the browser UI etc.. It’s worth noting that the pop-up window has the same web platform properties as what one would get with window.open(url,””,”popup,noopener,noreferrer”)) that loads the login_url. There's no communication between the website and this pop-up is allowed (e.g. no postMessage, no window.opener). Privacy ConsiderationsThe button mode shares all the privacy properties from the widget mode. There are some notable differences:
|
|
@yi-gu re: feature detection, we could consider something like getClientCapabilities() which we recently added to WebAuthn L3. This could be useful for both FedCM and the Digital Credentials API. |
|
Thanks @timcappalli for the suggestion! That idea was brought up late 2023 when it was un-merged. Will take a closer look and we can discuss about it in the CG. |
|
Plan to share some update from the Chrome team on this topic in the next CG call. In addition, we could discuss about Tim's suggestion on feature detection. |
|
Question for @bvandersloot-mozilla - is the button mode as currently being tested in origin trials sufficient to resolve this issue? |
|
For context, here are some details on Chrome's FedCM button flow origin trial. From group discussion, we think IDP login for multi-IDP is a separate (harder) problem, as it requires the browser to take on the "nascar flag" UI. |
|
Yeah, the button flow is sufficient for our concern. We agree that multiple cold IDPs is a much harder problem, and may not be desirable for the browser to solve. |
and others
Enabling an option in which the IDP can provide a way to be logged in (via a controlled call to window.open) and then immediately be dropped back into the account chooser would be nice! I discussed something related to this in fedidcg/proposals#3 but it could be adapted here. I'll add a comment with a general shape of the proposal.
The text was updated successfully, but these errors were encountered: