OIDC Browser Interactions Special Topics Call

2020-02-10

Attendees

  • Tim Cappalli (Microsoft Identity)
  • Brian Campbell (Ping)
  • Vittorio (Auth0)
  • Don Thibeau (OIDF)
  • Heather Flanagan
  • Edmund Jay
  • Bjorn Hjelm (Verizon)
  • Anthony Nadalin
  • Brock Allen
  • Daniel Buchner (Microsoft Identity)
  • Adam Lemmon
  • David Waite (Ping)
  • Chris Phillips (CANARIE)
  • Andrii Deinega
  • Keith Uber (Ubisecure)
  • George Fletcher (Verizon)

Agenda

  • Intros from any new folks
  • IsLoggedIn / FPS (George, rescheduled from last week)
  • Update on Declarative Link Capturing for PWAs (Tom Jones)
  • Review submitted use cases (Vittorio + group)
  • Open discussion

Notes

{George} Overview of IsLoggedIn. Presentation Link: https://bitbucket.org/openid/connect/downloads/GFletcher-Apple_Webkit_IsLoggedIn-20210210.pdf

  • Apple wants to ensure that the user has given consent to login (explicit choice)
  • On logout, things get cleaned up appropriately
  • Rules are not clearly defined yet, not in explainer
  • They want a strong signal to clear browser data when the user logs out
  • Also out of band reminder that the user is logged in somewhere
  • Can only be used with authentication methods that the browser knows about (Password manager, WebAuthn, auto OTP fill)
  • What happens with other things like app push?
  • Clearing cookies on logout has implications (aka always untrusted or account chooser)
  • Status: initial implementation in WebKit
  • Get involved: join W3C Privacy Community group, also the ID Browser Use cases repo that has been previously discussed

{Vittorio} No submissions. Meant for big things in production.

{Tom} Tom discussed: https://tcwiki.azurewebsites.net/index.php?title=Identifier_use_in_Browsers

  • First Party Sets: aol.com + yahoo.com, etc. It's in testing today.
  • Discovery problem: PWAs - Every relying party needs to know the URL of the PWA. Can this launch a PWA nicely?
  • Native app: OIDC section 7, openid:// which has issues with more than one wallet

{George} FPS is a topic in Privacy CG call tomorrow. There is some opposition to FPS. We could end up with major fragmentation based on browser implementations. Bad for everyone if we end up in this state. Creates a walled property garden that allows sharing cookies across sites owned by the same org with different domains

{George} Discovery (wallets connecting to browsers), will

{Tim} hard to get folks past "SSI" vs looking at the underlying technology

{Daniel} Things like directed identifiers are just a form of DID (general scheme for having a unified URI format with a proof). Web is filled with a lot of one off identity APIs.

{Tom} Reinforcing coordinated approach. Work together, here's what the identity folks think. Can Edge participate in these calls?

{Daniel} We're working closely with Edge. Putting an explainer out. We can bring to this group ahead of publishing.

{Tom} Good idea. Explainer is first step to get something into Blink (group of browsers where they figure out what goes into browser implementations)

{Heather} Browsers tend to listen to CA/BF. Anything going on there?

{Tom} CA/BF is X.509 oriented. Tom Albertson (tomalb)

{Chris} What about a score card to rank how well or poorly something scores against things like ILI, DID, FPS, etc.

{Tim} Against use case library or specs?

{Chris} Both. (Ex: Amazing has these qualities)

{Tom} We should stay away from implementations. Use score card, but stick to use cases

{Vittorio} What are the ultimate goals of the use case document(?).

{Chris} Let people score themselves

{Chris} Question on use cases. Example?

{Vittorio} Draft doc / example: OIDC in frontchannel. Fork template.

{Vittorio} Stack ranking the use cases