connect / Browser Interactions Special Topics Call - 20210310

OIDC Browser Interactions Special Topics Call

2020-03-10

Attendees

  • Tim Cappalli (Microsoft Identity)
  • Brian Campbell (Ping)
  • Vittorio (Auth0)
  • Don Thibeau (OIDF)
  • Heather Flanagan
  • Achim Schlosser (EnID)
  • Andrii Deinega (Independent)
  • Eric Goodman (University of California System)
  • Kristina Yasuda (Microsoft Identity)
  • Adam Lemmon
  • Tom Jones
  • Mike Jones (Microsoft Identity)
  • Tony Nadalin (Independent)
  • David Waite (Ping)

Agenda

  • Intros and Reintros
  • WebID and Chrome Privacy Updates (Achim / Tim)
  • Use Case Reviews (Vittorio / George)
  • Updates from SIOPv2 STC (Tom?)
  • Topics for next call
  • Open Discussion

Notes

[Tim] Tim showed the changes to Sam's fork of the WebID explainer

[Achim] Recent Google blog post: concerned the position as an adtech company, positioning and next steps. Follow suit with Chrome team and use Privacy sandbox. Expressed concerns about alternative proposals that use logins (email address, etc). Will not support in the Google Ad stack. Leads to classification, consent and directed identifiers. Logins and first parties. Production in 2022; deprecation of 3P cookies. Full meaning isn't clear since there seems to be a flag day in 2022.

Blog Reference

[Tom] When you get to Blink, they're sensitive to other browsers. Can Edge throw something into Canary if Google doesn't want to try something?

[Tim] What about Safari?

[Tom] IsLoggedIn is from WebKit

[Achim] IsLoggedIn and StorageAccess API via Privacy CG

[Tim] Apple has concerns about First Party Sets, and is not involved in WebID conversations

[Achim] Roadmap, if WebID is a multi-year effort, and is being deployed in production without consideration of other privacy features (ILI, FPS, etc).

[Tom] Setting parameters in header, doesn't that control things like iframes?

Use Cases Discussion

Repo

[Vittorio] Thanks Heather for the use cases. Important scenarios. Tactical things we can do: use case docs should be accelerants for conversations. Need to call out what browser features are used for each leg of a flow (ex: this leg assumes use of a 1P cookie). Love the impact statements (XYZ organizations are impacted)

[Heather] Proxy use cases (ex: SAML to OIDC connector); chasing down how those use cases are different with the browser. Continue to chase down those scenarios. Important to have multiple sectors/verticals represented, not just EDU. Please send feedback to Heather on the PRs that could help future use case submissions

[Vittorio] Call out things that may be opaque to the browser. Important to Sam's work. (ex: identifier inaccessible in the opaque blob)

[Eric G] Different configurations and variation create confusion when consuming use cases; what is the most important piece? Ex: got around SameSite issues by using LocalStorage. Stop gap, not long term solution.

[Vittorio] Extreme denormalization across implementations. Be very tactical. Ex: State can be persisted using local storage, but existing art is to use 3P cookies. Capture very specific things that may only change a small piece of the use case but is very important.

[Tim] When do we want to invite Sam? He wants to get in front of wider groups

[Heather] Bringing him to us may help him understand

[Vittorio] IPR considerations

[Mike] Google allows all employees to contribute in all working groups. Remind him that it's happening under the OIDF IPR policy.

Topics for Next Call

  • Use Case Review
  • Potentially invite Sam and Ken (small group to hash this out):
      • Tim
      • Heather
      • Vittorio
      • Tom
      • David W
