Re: [w3ctag/design-reviews] FedCM Auto Re-authentication API (Issue #813)

Thank you for the feedback!!

Quick update: in general we are moving towards a direction of reusing the existing mechanism for "automatically returning credentials" defined in the Credential Management API. In particular, the [mediation requirement](https://w3c.github.io/webappsec-credential-management/#mediation-requirements) and [preventSilentAccess](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-preventsilentaccess) as discussed in the initial [issue](https://github.com/fedidcg/FedCM/issues/429#issuecomment-1424282049) (we'll request another round of review when the proposal is updated). With that we plan to follow the precedents in this area w.r.t. user opting in, user signing out, etc.

For the concern regarding public terminal, here are some quick notes:
- If the user has signed out of their identity provider before leaving the terminal (which they are expected to), auto re-authn won't be triggered because the browser cannot get any account from that identity provider.
- If not, the next person who uses the same terminal already has access to the previous user's IdP data, which gives them the capability to access the federated accounts.
- Suppose the second user is not an attacker and won't try to steal anything from the first user. The concern is that the second user will be automatically authenticated to the website **unintentionally** and learn about the first user by accident, right? In this case, if the website uses the Credential Management API (with IdentityCredential, PasswordCredential, etc.), it's expected to invoke `preventSilentAccess()` upon the user signing out. So if the user has signed out of the RP, then auto re-authn won't be triggered; if not, the second user has access to the first user's RP account already. Unless the website does not invoke `preventSilentAccess()`, in which case the second user will see auto re-authn with the first user's account (assuming the user is NOT signed out of their IdP). But at this point, we think this should be a rare case, similar to other credential types that rely on `preventSilentAccess()`.

Does it make sense?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/813#issuecomment-1516249285

Message ID: <w3ctag/design-reviews/issues/813/1516249285@github.com>

Received on Thursday, 20 April 2023 12:34:22 UTC
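The public-terminal reasoning above, as an added runnable example that is not code from the FedCM proposal, the Credential Management spec, or the comment author. It models the browser's mediation decision for an IdentityCredential request (silent return only when the IdP still reports an account and the RP origin has not called `preventSilentAccess()`) and the RP-side `navigator.credentials.get()` / `preventSilentAccess()` calls. `FakeCredentialsContainer`, its state fields, the IdP `configURL`/`clientId` values and the `alice` account are assumptions standing in for the browser and a real IdP so the example runs under Node.

```javascript
// Assumed browser model: the accounts the IdP currently reports for this user,
// plus the per-RP-origin "requires user mediation" flag that
// preventSilentAccess() sets. Not the real navigator.credentials.
class FakeCredentialsContainer {
  constructor({ idpAccounts = [], requireUserMediation = false } = {}) {
    this.idpAccounts = [...idpAccounts];
    this.requireUserMediation = requireUserMediation;
    this.prompts = 0; // number of times a user-facing account chooser was shown
  }

  // Mediation semantics for an identity request:
  //   'required' -> always show UI
  //   'silent'   -> return a credential only without UI, otherwise null
  //   'optional' -> silent if permitted (auto re-authn), otherwise show UI
  async get({ identity, mediation = 'optional' } = {}) {
    if (!identity) throw new TypeError('identity options required');
    const silentAllowed =
      this.idpAccounts.length > 0 && !this.requireUserMediation && mediation !== 'required';
    if (silentAllowed) {
      // Auto re-authn: the browser returns the account without any UI.
      return { type: 'identity', account: this.idpAccounts[0], auto: true };
    }
    if (mediation === 'silent') return null;
    // Explicit user mediation: the chooser is shown. With no IdP account the
    // chooser has nothing to offer and the request yields nothing.
    this.prompts += 1;
    if (this.idpAccounts.length === 0) return null;
    // A credential returned after user mediation clears the flag again.
    this.requireUserMediation = false;
    return { type: 'identity', account: this.idpAccounts[0], auto: false };
  }

  async preventSilentAccess() {
    this.requireUserMediation = true;
  }

  // Simulates the user signing out of the IdP: the IdP reports no accounts.
  signOutOfIdp() {
    this.idpAccounts = [];
  }
}

// RP page code. In a browser `credentials` would be navigator.credentials;
// the fake is injected so this runs offline. IdP values are assumed.
const IDP = { configURL: 'https://idp.example/fedcm.json', clientId: 'rp-client-id' };

async function signIn(credentials, mediation = 'optional') {
  return credentials.get({
    identity: { providers: [{ configURL: IDP.configURL, clientId: IDP.clientId }] },
    mediation,
  }); // null means no session was established
}

async function signOut(credentials) {
  // RP session teardown would go here; then tell the browser not to return a
  // credential silently for this origin until the user mediates again.
  await credentials.preventSilentAccess();
}

// The public-terminal scenarios from the thread: user A uses the RP, then user
// B opens the same page. Returns what user B experiences on page load.
async function publicTerminal({ aSignsOutOfRp, aSignsOutOfIdp }) {
  const credentials = new FakeCredentialsContainer({
    idpAccounts: [{ id: 'alice', name: 'Alice' }], // constructed account
  });
  await signIn(credentials, 'required'); // user A signs in with explicit UI
  if (aSignsOutOfRp) await signOut(credentials);
  if (aSignsOutOfIdp) credentials.signOutOfIdp();
  const seen = await signIn(credentials, 'optional'); // user B loads the RP
  return {
    autoReauthn: Boolean(seen && seen.auto),
    account: seen ? seen.account.id : null,
    prompts: credentials.prompts,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    for (const s of [
      { aSignsOutOfRp: false, aSignsOutOfIdp: false },
      { aSignsOutOfRp: true, aSignsOutOfIdp: false },
      { aSignsOutOfRp: false, aSignsOutOfIdp: true },
    ]) console.log(s, await publicTerminal(s));
  })();
}
```

Only the first scenario (A signs out of neither the RP nor the IdP, and the RP never calls `preventSilentAccess()`) produces auto re-authn for user B; signing out of the RP forces the chooser, and signing out of the IdP leaves the browser with no account to return at all.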