Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IdP Registration API: should the browser reveal to the RP when no IdP has registered before? #605

Open
samuelgoto opened this issue May 28, 2024 · 2 comments
Open

IdP Registration API: should the browser reveal to the RP when no IdP has registered before? #605

samuelgoto opened this issue May 28, 2024 · 2 comments

Comments

@samuelgoto
Copy link
Collaborator

Currently, if no IdPs registered in the past, the browser reveals to the RP that fact, which could potentially be a breach of the user's privacy.

const credential = await navigator.credentials.get({
  identity: {
    providers: [{
      configURL: "any" // throws if no IdP has called IdentityProvider.register() ahead of time. Should it? 
    }]
  }
});

I'm not sure what the answer is, but I ran into this while testing this, so should be easily reproducible:

https://x.com/samuelgoto/status/1793776387356340357
@cbiesinger
Copy link
Collaborator

Looks like the code for that is here: https://source.chromium.org/chromium/chromium/src/+/main:content/browser/webid/federated_auth_request_impl.cc;l=694;drc=98f953c8a23d2008be9f7c8977b3c60d6fdfe53d
@npm1
Copy link
Collaborator

npm1 commented Jun 3, 2024

That code implies to me that the rejection is being delayed...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
3 participants
@samuelgoto @cbiesinger @npm1