Thanks for these slides and recording. This is a fascinating proposal. I have plenty of potential thoughts and comments to digest, but I guess the most fundamental is that this spec assumes that users and IdPs will be happy for their browser to be a trusted party involved in login flows. In particular, the call to the accounts endpoint assumes that the IdP is willing to provide PII about the user to the browser. That seems questionable. This endpoint also has no CSRF protection, so risks leaking PII more generally (e.g. to any origin that has been CORS-allowlisted).
As another general comment, I'd say that if you want this to be easy for RPs to apply to existing login flows then it needs to be something that is easy to configure/initiate via a reverse proxy. That would suggest HTTP header-based rather than a JS API in my opinion.

-- Neil

> On 8 May 2024, at 13:33, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
> Attached is the slide deck presented during this meeting.
>
> The following is a link to the meeting video recording:
> https://www.youtube.com/watch?v=cngVbSkEYL8
>
> Regards,
> Rifaat
>
> On Thu, Apr 25, 2024 at 1:01 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
> The Web Authorization Protocol (oauth) WG will hold a virtual interim meeting on 2024-05-07 from 12:00 to 13:00 America/Toronto (16:00 to 17:00 UTC).
>
> Agenda:
> FedCM update and discussion
> https://fedidcg.github.io/FedCM/
>
> Information about remote participation:
> https://meetings.conf.meetecho.com/interim/?group=06583774-aede-401e-aa29-4ed8f23365b8
>
> --
> A calendar subscription for all oauth meetings is available at
> https://datatracker.ietf.org/meeting/upcoming.ics?show=oauth
> <IETF-OAuthInterim24-FedCM.pdf>
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org