
OIDC Browser Interactions Special Topics Call

2021-06-02

Attendees

  • Tim Cappalli (Microsoft Identity)
  • Tony Nadalin
  • Vittorio Bertocci (Auth0/Okta)
  • Heather Flanagan
  • Brian Campbell (Ping)
  • Melanie Richards (Microsoft Edge)
  • Sam Goto (Google/Chromium)
  • Brock Allen ()
  • David Waite (Ping)

Agenda

Notes

Workshop Recap

{Heather} Went well, 80ish first day, 60ish second. [Notes](https://github.com/WICG/WebID/tree/main/meetings/2021).

Output was desire for a W3C CG group (no specs). Potential for a broader Identity group in the future, and the federated-focused group would become a sub-group. Focused on federation for now.

Diverse group of companies and people. All 4 major browsers represented.

{Vittorio} Great to have browsers hearing directly from IdPs and RPs, even their own companies. Shared context for the problem. "Smashing success!"

{Heather} Use cases / scenarios are definitely useful to the community

{Sam Goto} Shared ownership of the problem, desire to form CG helps that. Tension was constructive. Excited and looking forward to the CG charter. Good insights that will help with the explainer.

W3C CG Discussion

{Tim} This call will likely go away when that CG starts meeting

{Heather} Lots of folks involved in creating the draft charter. Feedback welcome via [GitHub](https://github.com/hlflanagan/fedidcg).

{Tim} Any concerns with moving this call to the new W3C CG when the time comes?

<none voiced>

Role of the browser

{Vittorio} Likely to be hotly debated in the new CG. Concerning: (paraphrase) "cross-origin is a privileged operation that should only be allowed through the user agent".

Innovation thus far likely wouldn't have been possible. Agree with consent, but shackles through the UA. UA not the ultimate root of trust in my experience.

{Sam Goto} Worried about philosophical debate over role of the browser without specifics. Variations explored so far can coexist.

Browsers are indeed run by companies.

{Tim} Some browsers have had history of linking sites owned by the browser vendor to the browser automatically and enabling sync. This makes people uneasy about giving the browser a more active role in all identity flows.

{Vittorio} Largely principle and philosophy due to framing

{Sam Goto} Married to problems, not solutions. How we get to end state, largely unopinionated about.

{Vittorio} There are subtleties in the problem statements. Ex: RP < > IdP awareness. If you make it impossible to support use cases, not going to work.

{Sam Goto} Presenting 3 options that we don't expect to be mutually exclusive.

{Vittorio} Suggestion: you're talking about two stages: how we get there and the ultimate extreme utopia. Impression is it's a temporary state and you want the extreme end state. Mention in the explainer that we expect the 3 options to continue.

{Sam Goto} One variation in which the browser asks the user if they want to kick off an enterprise-managed profile.

{Vittorio} HBO Max with Comcast subscription. No difference between enterprise and this consumer use case. Cannot limit to an enterprise profile.

{Sam Goto} From a process perspective: find a variation that works for a use case instead of a specific variation doesn't work for the use case.

{Vittorio} Trying to get agreement on where we want to go.

{Sam Goto} Do the variations preserve federation?

{Heather} Challenge appears to be timeline. Three variations are what are being explored today. Not always clear what timeline we are talking about: exploring or long term.

{Tim} Something to think about Sam: how do you envision some of the heuristic approaches being standardized?
