Users can't use IdPs outside of the ones enumerated by RPs #2
Comments
|
I strongly support this overall vision for FedCM, making it so that IDPs interoperate (e.g. don't require pre-registration). We've been thinking along those lines too and calling it affectionally BYOIDP ("bring your own IDP"), as an analogy to how signing-up with email works (i.e. it is not like there is a list of email providers that the websites works with, right?). As you may have guessed, we are deliberately not choosing to start there, because we have a responsibility to preserve the current deployment of federation, but we are in agreement of where it should/could go. I don't think that the solution is as simple as you are making it seem (from a design of incentives perspective first, but also from a UX perspective second), but I think you got the problem and the broad strokes of how to go about it right. Any chance you could come over some time at the FedID CG to present your work / proposal? |
Yes very much aligned with this framing.
Yes there are a bunch of additional incentives and UX complexities to consider here, some we have already discussed a bit but im sure there are others.
Yes we would be more than happy to. |
|
Wonderful! @hlflanagan any chance you can help us coordinate a presentation by @tplooker sometime in the upcoming meetings that intersects with his availability? |
|
This model is very similar to the approach of decentralized identity. Rather than inventing something new, I highly recommend to look at making the browser be a viable "wallet" for the user and then just use decentralized identity protocols. Note that the OpenID Foundation is working in this space as well with the SIOPv2 spec and it's associated specs. https://openid.net/specs/openid-connect-self-issued-v2-1_0.html |
|
@gffletch my mental model here is that the browser is a mediator able to facilitate an End-User using an IDP of their choosing (within the constraints of the RP of course). That IDP could be a "wallet" taking a variety of different forms such as a server/web application or native application. So the "browser" itself isn't the wallet. I also agree with the reference to prior art, SIOP in particular needs a solution to mediation beyond the limitations of a custom URL scheme such as "openid://" |
|
There were a series of sessions that happened at IIW between Kristina (SIOP) / Tobias (this proposal) / Dimitri (CHAPI) / Wayne (Sign-in with ethereum) and I (FedCM) on topics adjacent to this issue, and I feel like we left with a good amount of synergy and a reasonable sense of where to start from. This is my personal recollection of what we discussed as a group at IIW, but others feel free to chime in and correct me where I'm wrong. Overall, I left with the sentiment that we had a good amount of appreciation for each other's work. As far as FedCM goes, SIOP aligns really well with FedCM because it addresses two key problems: (a) the portability problem and (b) keeping issuers blind to verifiers (through a self-issued and trusted OP). FedCM aligns well with SIOP and CHAPI because both seem to need a neutral / reliable wallet-selector: SIOP has to name IDP on desktop browsers (e.g. if a user doesn't have a phone to scan a QR code) and iOS (e.g. without an The overall idea that we floated around at IIW (largely based on @tplooker 's original architecture) was to expose a browser API to allow: (a) the registration of IDPs (Self-Issued OPs or not) and
For (a) something along the lines of following would write into browser storage the IDP's registration: navigator.credentials.registerProvider("https://my-idp.example");This call registers with the Browser the IDP at We discussed a few UX options, and the most obvious one was to follow @tplooker 's original proposal to prompt at this point (this also matches what CHAPI does, so that's encouraging). We discussed a few more options and generally agreed that this needs more experimentation to determine what would work best. For (b), FedCM could expose an extra option to allow, not only named IDPs, but also allowing the user to bring their own. Something along the lines of: const credential = await navigator.credentials.get({
federated: {
providers: [{
// allows the account chooser to load named IDPs
url: 'https://named-idp.example',
clientId: '********'
}],
// The RP accepts IDPs that called registerIDP() before.
registered: true,
// the RP accepts SIOPs
selfIssued: true,
}
})And, when invoked in this fashion, the account chooser would bring accounts from "named" IDPs as well as "registered" IDPs. If a "registered" IDP is called, then the We also discussed how this could be used to pass VCs/mDLs over SIOP, which didn't seem to conflict/disagree with this architectural choice. One of the challenges that Wayne brought up that I don't think we talked about enough was to have the ability to register not just IDPs but also types. Something along the lines of: navigator.credentials.registerProvider("https://my-idp.example", [
"UniversityDegree", "DriversLicense", "COVIDVaccine", ...
]);Such that the RP could then use a querying language to filter out SIOPs that contain them. We also discussed briefly that we'd like the resulting There is a lot of handwaving here, but this is more or less what I remember from the discussion. There were a series of diagrams that we drew in the whiteboard, and in case any of you still have them on your phones, sharing them would be appreciated. |
|
Pictures of the whiteboard we drew: |
|
This all looks and sounds pretty fantastic, wish I had been there!
Not just directed, but a nonce would be essential for the resulting token to be bound and prevent replay as well. Signed requests will also be an important trust mechanism, so the RP initiation interface might be fairly rich. |
|
Instead of taking this approach: navigator.credentials.registerProvider("https://my-idp.example", [
"UniversityDegree", "DriversLicense", "COVIDVaccine", ...
]);I'd recommend that any sort of filters be provided / be updateable either through some Keeping the registration API surface light (i.e., base URL as the only param) also enables better future proofing for adding new feature expression via configs / I will note that adding filters for specific Verifiable Credential types may have challenges, given the unbounded set size. Certainly being able to specify that a provider supports VCs at all or the ability to produce Verifiable Presentations (or perhaps provides other types of credentials / supports other features / protocols) could be of value. So there are some additional considerations around what is to be filtered and at what "levels" or granularity. |
Ah, that would work too! So, something along the lines of: navigator.credentials.registerProvider("https://my-idp.example");Which, as a convention, points towards something like: Which could contain: {
"typesOfCredentialsICanProvide": [
"UniversityDegree", "DriversLicense", "COVIDVaccine",
]
}Did I understand that right? |
Yes! Thanks. |
|
I think a simple version of the bring-your-own IDP is interesting, where a user can use an arbitrary identity with a site. This would be akin to a wildcard in the provider list that searches through the users' preregistrations. This could be useful for RPs that need no guarantee of identity elements, just a unique identifier– especially if they don't want to deal with handling username-password management. |
|
Just to report back on this thread with an update, we started looking into this problem and building some prototypes to see where that takes us: Firefox seems initially supportive and it shows up in multiple places, e.g. w3c-fedid/FedCM#374. You can follow the prototype process and some early ideas on API design here: https://bugs.chromium.org/p/chromium/issues/detail?id=1406698. |
|
@samuelgoto It was great to discuss this in person last week at TPAC!
|
|
Hello, @janschill and I are Solid developers, and we believe this proposal would be a great feature for FedCM to integrate well with the Solid ecosystem. We're considering working on a Proof of Concept to explore potential solutions and understand the practical challenges.
@samuelgoto it seems that there has been no update since Feb 15. What is the status of the prototype? Is anyone else currently working on it? Otherwise, we are looking forward to the possibility of contributing to this effort, and we'd appreciate any guidance or feedback you could provide to help us get started. |
I'd love to participate in this. Is there a call that I can join or maybe a document that I can read to learn more about what you have in mind?
We have a basic prototype working in chrome canaries that anyone can try. We are currently blocked on getting feedback from developers if the current proposal meets needs and is a useful API. Any chance you'd be willing to give this a go and let us know if it works the way you'd expect it to work?
Not at the moment. Like I said, we feel blocked by meaningful developer's interest.
I think one first concrete step we could take is getting a better sense of: (a) what problem you currently have that you feel like this feature would help? At the moment, we feel like this would be a great addition to FedCM, but we are really worried about implementing and shipping something that doesn't get enough use (and then, paying a maintenance price). We are willing to take risks, but that's currently what's holding us back moving forward, so the more data points you can give us about market demand the easier we can make this happen. |
We want to improve user experience within the SoLiD ecosystem. Given the multitude of IdPs, it can be challenging for users often to recall their specific IdP. If browsers could display a list of previously used IdPs, it would significantly enhance the user experience and usability. We would love to dive deeper in this topic during a call. We also started working on a PoC.
We downloaded the latest version of chrome canary on MacOS activated the required flags ( including Is there any resources on how to make it work ?
|
|
I'm not super familiar with the flag but I think the prototype is not usable yet. You can call |
Can you expand on this a bit more (just intuition is fine, we don't need super hard data at this point)? How many IdPs are operating today within the Solid ecosystem? How many users a typical IdP have? How many solid RPs exist, and how often are they used?
This is really neat, and typically a strong signal that browser vendors take to make an assessment of demand: are developers going out of their way to try to make this work. Is there an open source implementation of Solid that we could use to build some of these prototypes?
Ah, I think I'm still missing merging one more CL. Let me get that merged and report back to you here.
Yeah, I share that intuition. But we really need to make sure that we are developing something that will be ultimately useful for users and developers, because the cost of development and maintenance is extremely high. I think we'd be happy to move forward trying to complete prototypes and seeing where that takes us, but we are ultimately going to need a good set of developers who are excited about this before moving too far. Fair? |
In this CL (behind a flag), we use the permission context that was written in part 1 to insert IdPs that were registered, and expose a JS API that allows an RP to refer to the registered IdPs. Prototypes a proposal to solve the following bug [1] to allow us to gather guidance from developer if this is directionally correct. [1] https://github.com/fedidcg/FedCM/issues/240#issuecomment-1785678610 Design Doc: https://docs.google.com/document/d/1MKpxTTLi-1e5-0brsdy50TVk2YM9AghoL3diSpRv_vE/edit#heading=h.jdxq4526c2ip Change-Id: Id1bf4b2590ce55fcd6b8a50edcabe54abb652fc1 Bug: 1406698 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4163707 Reviewed-by: Yi Gu <[email protected]> Reviewed-by: Mustafa Emre Acer <[email protected]> Commit-Queue: Sam Goto <[email protected]> Cr-Commit-Position: refs/heads/main@{#1226397}
|
@thhck I just merged a CL in chromium that implements some of the missing parts that you ran into. Can you try to use it in Chrome Canaries in a couple of days once it picks it up? |
|
@samuelgoto I work with @thhck on this. I just tested this in Google Chrome Canary and it works. I ran the demo IdP from @asr-enid with two IdPs, registered, logged into idp-1.localhost and in a Chrome console ran: IdentityProvider.register('http://idp-1.localhost:8080/fedcm.json');
navigator.credentials.get({
identity: {
providers: [{
nonce: "not-a-nonce",
configURL: "http://idp-2.localhost:8080/fedcm.json",
clientId: "yourClientID",
registered: true
}]
}
});The browser then successfully prompted me with "Sign in to idp-1.localhost with idp-1.localhost". Thanks for getting this out. |
Great to see that this is useful beyond our own usage! |
Can you try this again? The code snippet you sent feels off to me: you want to skip the For example: IdentityProvider.register('http://idp-1.localhost:8080/fedcm.json');
navigator.credentials.get({
identity: {
providers: [{
nonce: "not-a-nonce",
// comment out the following line, so that the browser can load accounts
// from registered IdPs rather than by configURL
// configURL: "http://idp-2.localhost:8080/fedcm.json",
clientId: "yourClientID",
registered: true
}]
}
}); |
|
@samuelgoto yeah, that was also my understanding. I get this error though. I am on Google Chrome Canary: Version 121.0.6153.0 (Official Build) canary (x86_64) The FedCM prompt shows only after the last |
Could you make sure you have the following flag enabled in your chrome canary instance? chrome://flags/#fedcm-idp-registration |
|
Yes, chrome://flags/#fedcm-idp-registration was enabled during my testing. |
|
Thanks @samuelgoto. It may be possible to push for some more RP implementations, but I suspect we'll run into situations similar to the proposed Discourse plugin: https://socialhub.activitypub.rocks/t/federated-credentials-api-developer-feedback-needed/3961/25?u=apitman It's a bit of a chicken/egg problem. |
|
@aaronpk any ideas on how we might be able to get this going? |
|
Not exactly BYOIDP but there's potential interest from the FAPI community around how, for example, the experience of choosing your bank might be improved. https://bitbucket.org/openid/fapi/issues/689/fapi-fedcm |
|
@samuelgoto we're mobilizing to do what we can to try and get some real RP implementations. One problem is that there isn't currently any IdP people can user to try decentralized login. LastLogin could offer free subdomains for people to use with the IndieAuth profile, but that's currently blocked on #4. I could probably make #10 work if I have to, although the UX would be significantly worse. Alternatively I could provide people with accounts on a single domain, so they could log in to RPs with URIs like |
|
Also, I'm not sure I can securely enable FedCM for LastLogin until w3c-fedid/FedCM#587 is resolved. |
We're definitely up against the chicken/egg problem here as usual. I have some notes and sketches for how I want to build a service that lets people delegate a domain for use with IndieAuth+FedCM. However like you mentioned, the eTLD+1 requirement (#613) is definitely a blocker for making this super easy to set up, since right now it requires either delegating the entire eTLD+1 (not many people will do this), or delegating a subdomain but having to then set up the The other opportunity area here is to add FedCM support to the WordPress IndieAuth plugin. That would at least enable a bunch of websites to be a FedCM IdP by installing the plugin. |
|
The WordPress route is a really good idea. It could tap into a large community that's used to the idea of having their own domain, and the concept of using that as their identity might be more intuitive. |
|
In the interest of keeping things moving, I went ahead and started implementing the alternative route I mentioned above. Phase 1 is complete. You can now use LastLogin to log in to any IndieAuth site, for example https://webmention.io/ or https://indieweb.org/. Just enter lastlogin.io in the login field, add an identity (currently always an email address) at LastLogin, and select it. It gives you an IndieAuth profile URL based off the identity you choose. As I mentioned, this isn't ideal because IndieAuth is more about encouraging people to have their own domain, but it will at least let us test out the technical side of the flow without people needing a domain. Phase 2 is enabling FedCM for this. At that point we'll have an IdP that can work with any FedCM+IndieAuth RP. |
|
The FedIAM project sounds similar:
|
|
I'm working closely with FedIAM. It's an excellent project. They're focused more on the RP side, and could potentially provide valuable testing from that side. |
|
I'm working on the things that are blocking you all here, but wanted to clarify a couple of things before going too far:
First, I think it is worth clarifying that what we are lacking at the moment is evidence that there are enough RPs interested in this, not IdPs. Based on this thread, I think enough individuals managed to spin up their own IdP that I'm convinced there would be "enough" (even if a small number of) people that would be interested. Currently, I'm only aware of webmention.io, and we need a few more independent and real RPs to show interest too.
Second, the chicken and egg problem is real, and, as noted, typical. Most things fail at this stage, so I'm trying to force us all to avoid ignoring it before moving forward. Part of the strategy for FedCM was to come up with a UX that can augment an existing website in a backwards compatible way with their existing user experience, rather than to require that the world to move in lockstep. For example: when users are logged out of their IdP, FedCM simply doesn't show up, and the user can still fallback to the typical NASCAR page. I think that's particularly true for the IdP Registration API: a website should be able to get strictly positive benefits from FedCM (apart from cost of adoption), rather than require all (or any, altogether) users to convert to having their own IdP. That is: because FedCM doesn't show any UI when the user hasn't registered any IdP, RPs should be able to deploy this without affecting any of their existing users, and, at the same time, having registered users have their user experience augmented. |
|
Just small update on this thread: we've moved this issue to a repo of its own, as we try to figure out a way to form a boundary between different proposals to extend FedCM. I'm using this specific proposal as a guinea pig because it (a) has an active community interested and (b) is self contained and (c) is in early stages. We are still learning how to use github here, so it is possible we'll find bumps on the way, so apologies for the trouble. In the meantime, I added @aaronpk and @anderspitman as "champions" for this proposal, along with myself: let me know you want to opt-out. If anyone else wants to champion this too, just LMK and I'll add you to the list. |
|
Thanks for the clarification @samuelgoto. Sorry if I was confusing with all the IdP talk. You were pretty clear before that RPs are what we need. The reason I'm focusing on LastLogin as an IdP first is so that RPs have something concrete and simple to test against. |
|
Phase 2 is mostly complete. Unfortunately the latest workaround for w3c-fedid/FedCM#587 didn't work for me (that's my bad for not trying it earlier) so I can't push to LastLogin prod yet, but it's up and running on staging. I might have a workaround for the cookies though so we'll see.
PS - It looks like all the necessary features flags are enabled by default in canary now which is great! EDIT - meant to say the feature flags are available, not enabled. |
Is it not working in stable chrome-browsers? |
|
@erlend-sh well hot dang you're right! Chrome >= 128 I believe. Looks like you need to go to chrome://flags and enable This should certainly increase our base of potential testers and early adopters! |
|
@erlend-sh do we have anyone in our posse who could quickly crank out a demo video of enabling FedCM in Chrome and logging in to webmention.io via LastLogin? I'm hoping to fix the cookie issue today so we could use prod LastLogin. It has much better latency that staging since it's globally distributed. |
|
Phase 2 is now actually complete. I implemented a workaround (see w3c-fedid/FedCM#587 (comment)) for the SameSite=none cookies. You can now log in to webmention.io using prod LastLogin (https://lastlogin.net) with FedCM. |
|
Updated steps:
|
|
FYI https://lastlogin.net is going to be the production deployment from now on. lastlogin.io should still work for everything except IndieAuth stuff. |
Hmm no that should not be the case. But great to hear it is working for you! |
|
Sorry meant they are available, not enabled by default. I edited my comment. |
|
Set this up in about 10 minutes! 
|
|
I got this working thanks to @samuelgoto at IIW!
|
and others
TL;DR there is a significant amount of context at the start of this issue before we get to the proposal, here is a google doc version for an alternative form.
Background
The origins of many federated identity technologies have deep ties to providing an open ecosystem of IDPs to give End Users ample choice in how they choose to “login”. Efforts like OpenID v1 and v2, SIOP, Mozilla Persona, CHAPI, and others, strongly embodied these principles and much of this has remained in future revisions of standards such as OpenID Connect core. However, due to numerous complex issues, much of the industry today, primarily around the “social login” market has consolidated leaving a few IDPs as the dominant market players. To counteract this, FedCM in this work on establishing new browser mechanisms for supporting federated identity has an opportunity to make a meaningful impact and help re-chart the course for the future of federated identity on the web.
In the landscape of today, the choices around federated providers an End-User has available to them when going to “login” on the web is most often a small curated list of IDPs pre-determined by the Relying Party.
One of the main market forces that influences the options an End-User is presented with is often referred to as the NASCAR problem (https://github.com/fedidcg/FedCM/blob/main/explorations/related_problems.md#the-nascar-flag-problem). In order for a relying party to keep the UX on their login page from being overwhelming, they must pick a small number of IDPs to support (usually 2-3). How this decision is made by a relying party can be complex, but one major driving factor that applies to many is the existing user-base a particular IDP offers. Often the larger the user base, the more likely the relying party is in its desire to support it. This is because the relying party wants to offer as few login options as possible that services the largest possible user-base for them. This factor makes it difficult for new competition in the IDP side of the federated identity landscape, especially for entities that don’t have large pre-existing user-bases.
Who an IDP is, is often also important to factor in. As federated login technologies have developed, companies who built successful social networks, ISPs and commonly used search engines had the large user bases that made them attractive as IDPs to many Relying Parties. These IDPs have been very open about their interests in performing the IDP role, where the access it gives them to information about End User behavior, often supports their primary business models. In this context, concerns about user tracking are very real.
End Users looking to opt out of the limited federated identity login options available today are required to significantly compromise convenience because they are forced to manage a new set of credentials directly with the relying party, creating friction and usability challenges.
This equation in many cases has led to End Users using federated login options, trading off concerns such as the fear of being tracked by a particular IDP, for the convenience it offers. As a result, Relying Parties seeking large user bases continue to converge on the dominant IDPs and End User choice is further diminished. We end where we are today, in a self-reinforcing loop dominated by extremely limited choice at logon.
What we need to support instead is a federated login model that re-introduces the End-User into the mediation process so they can have more of a say on which provider they use and where.
Proposal
Currently the proposed FedCM API is focused around a browser mediated approach that assumes the relying party specifies a set of IDPs it supports login from. This model is largely a continuation of that described above and in many respects is just a browser mediated version of what we see most commonly on the web today.
Many Relying Parties will want to continue in a model where they specify the IDPs they support.
The challenge is for when this is not the case, to provide a viable way to achieve more End-User choice, greater inclusiveness, increased competition, and reduce vendor lock-in around the IDP options available.
In this proposed additional model, instead of the Relying Party specifying the IDPs it supports in the federation request, it communicates the capabilities it supports such as signature schemes, assertion formats and response modes.
End-Users can then register providers they wish to use with the browser, which are then available as options to present to the End-User when they go to login. This is enabled through the following two step process
Note - To prevent a scenario where a relying party is supporting this login model but no IDPs have been previously registered in the browser, the relying party could provide IDP hints.
Conclusions
Considering the cited basis for FedCM is to “preserve and elevate identity federation” please strongly consider adopting this in your work. Choosing this path would have a meaningful positive impact on federated identity on the web by improving the choices End-Users have to login on with. Ignoring this issue risks the continued consolidation of options available for End-Users and therefore undermining its value as a means of login.
Acknowledged Challenges
Prior Art
CHAPI
Mozilla Persona
Account Chooser
OpenID
Raised with @dmitrizagidulin
The text was updated successfully, but these errors were encountered: