- From: Sam Goto <notifications@github.com>
- Date: Tue, 04 Mar 2025 10:20:28 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/974/2698526681@github.com>
samuelgoto left a comment (w3ctag/design-reviews#974)

> but we're curious as to what has been done in the last 8 months or so. Is this still an active proposal?

This is still an active proposal. It somewhat depends on the [multi-idp](https://github.com/w3c-fedid/multi-idp) proposal (i.e. the browser needs to be able to handle "many" IdPs, because there can be "many registered" IdPs), so we have been focusing on that first. Chrome has since put the [multi-idp proposal in origin trials](https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-128-updates) and we have a corresponding [spec PR](https://github.com/w3c-fedid/FedCM/pull/686), so I think what was most blocking us looking into the IdP Registration API is starting to get resolved.

> One thing that we observe is that the permission to act as IdP seems a bit unnecessary.

Yeah, that occurred to us.

> Why would a browser not just store the IdP's willingness to act as IdP (maybe after checking it)? That shifts some burden to the login phase, but we think that could be easily managed (in the extreme case, with a search).

Yeah, so that's a plausible outcome, and one that I think could be a possible end state here. You are right that there is no privacy / security violation here.

I think, as you may have already noted by your "search UI", the problem is abuse: if any website that you visit can "claim" that it is an IdP, then it is possible that we'll live in a world where a lot of them would (just to show up in login dialogs).

So, yeah, I think you got that right: we added the prompt exclusively so that we can prevent abuse (seemed much simpler than a search UI and met, so far, the requirements that small IdPs have - where convincing a user to "register" isn't that big of a deal).

So, yeah, I think we are open to exploring other forms of preventing abuse, including not having the prompt at all and a Search UI.

> This engagement with a user also creates a presumption that the IdP would be usable, when that isn't really true, because each RP will have their own rules about what IdPs they accept.

Interoperation between RPs and IdPs I think we know how to solve with [this](https://github.com/w3c-fedid/idp-registration/issues/1).

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/974#issuecomment-2698526681
Received on Tuesday, 4 March 2025 18:20:32 UTC