On Wed, May 8, 2024 at 7:23 AM Neil Madden <neil.e.mad...@gmail.com> wrote:

> Thanks for these slides and recording. This is a fascinating proposal. I
> have plenty of potential thoughts and comments to digest, but I guess the
> most fundamental is that this spec assumes that users and IdPs will be
> happy for their browser to be a trusted party involved in login flows.
>

Yep, that is, indeed, the privacy and security threat model that we (FedCM
specifically, Web Platform APIs in general) use: the user agent is a
trusted party.


> In particular, the call to the accounts endpoint assumes that the IdP is
> willing to provide PII about the user to the browser. That seems
> questionable.
>

Aside from the privacy/security threat model perspective (meaning, the user
agent already has visibility over every network request made available to
the content area), I think that, if you look through the lens of the
design of incentives, this is indeed something for which we are still
gathering validation. So far, it seems to strike a good balance, but I think
you are right that this introduces an extra game-theoretical position that
can be questioned.


> This endpoint also has no CSRF protection, so risks leaking PII more
> generally (eg to any origin that has been CORS-allowlisted).
>

As far as CSRF goes, we send a Sec-Fetch-Dest HTTP request header, which is
a forbidden request header
<https://fetch.spec.whatwg.org/#forbidden-request-header> (meaning that it
can't be polyfilled in userland).

https://fedidcg.github.io/FedCM/#sec-fetch-dest-header


>
> As another general comment, I'd say that if you want this to be easy for
> RPs to apply to existing login flows then it needs to be something that is
> easy to configure/initiate via a reverse proxy. That would suggest HTTP
> header-based rather than a JS API in my opinion.
>

Yep, that sounds reasonable to me. For the most part, we think JS APIs and
HTTP requests are largely isomorphic in the important parts (again,
privacy/security-wise), and we can expose either/both purely based on
ergonomics (as you suggest), so yeah, if this makes it easier for
developers, it is easy to make it happen, I think.


>
> -- Neil
>
> On 8 May 2024, at 13:33, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
> wrote:
>
> Attached is the slide deck presented during this meeting.
>
> The following is a link to the meeting video recording:
> https://www.youtube.com/watch?v=cngVbSkEYL8
>
> Regards,
>  Rifaat
>
>
> On Thu, Apr 25, 2024 at 1:01 PM Rifaat Shekh-Yusef <
> rifaat.s.i...@gmail.com> wrote:
>
>> OAuth WG Virtual Interim - FedCM
>> The Web Authorization Protocol (oauth) WG will hold a virtual interim
>> meeting
>> on 2024-05-07 from 12:00 to 13:00 America/Toronto (16:00 to 17:00 UTC).
>>
>> Agenda:
>> FedCM update and discussion
>> https://fedidcg.github.io/FedCM/
>>
>> Information about remote participation:
>> https://meetings.conf.meetecho.com/interim/?group=06583774-aede-401e-aa29-4ed8f23365b8
>>
>>
>>
>> --
>> A calendar subscription for all oauth meetings is available at
>> https://datatracker.ietf.org/meeting/upcoming.ics?show=oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> <IETF-OAuthInterim24-FedCM.pdf>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
>
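The CSRF point above (an accounts endpoint returning PII, gated only by the browser-set Sec-Fetch-Dest header) can be made concrete on the IdP side. The following is an added illustration written for this thread, not code from the FedCM specification or from any participant. It assumes the header value `webidentity`, which the FedCM spec defines for the browser's fetch to the accounts endpoint; the session store, cookie names, account record and sample requests are constructed for the example. The check works because `Sec-Fetch-*` are forbidden request headers: page script cannot set them, so a cross-site `fetch()` from a CORS-allowlisted origin arrives with `Sec-Fetch-Dest: empty` (and a non-browser client typically sends no such header at all) and is refused before any PII is serialized.

```python
# Added illustration (not from the FedCM spec or this thread): a server-side
# gate for an IdP accounts endpoint keyed on the Sec-Fetch-Dest header.
# The browser sets Sec-Fetch-Dest: webidentity on its own FedCM fetch, and
# because Sec-Fetch-* are forbidden request headers, page script cannot forge
# that value on a cross-site fetch.
from typing import Mapping, Optional, Tuple

FEDCM_DEST = "webidentity"  # value the FedCM spec defines for this fetch


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return None


def classify_accounts_request(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request that reached the accounts endpoint."""
    dest = get_header(headers, "Sec-Fetch-Dest")
    if dest is None:
        # Non-browser client or a browser without fetch metadata support.
        return False, "missing Sec-Fetch-Dest"
    if dest.strip() != FEDCM_DEST:
        # A page-initiated fetch() arrives as "empty", a navigation as "document";
        # neither is the browser's own FedCM request, so PII is not released.
        return False, f"Sec-Fetch-Dest is {dest.strip()!r}, not {FEDCM_DEST!r}"
    return True, "browser-mediated FedCM request"


# Constructed session store standing in for the IdP's real one.
SESSIONS = {
    "sid=abc123": {"id": "1234", "name": "Alice Example", "email": "alice@example.com"},
}


def accounts_endpoint(headers: Mapping[str, str]) -> Tuple[int, dict]:
    """Minimal handler returning (status, JSON body). PII goes only to FedCM fetches."""
    allowed, reason = classify_accounts_request(headers)
    if not allowed:
        return 403, {"error": reason}
    session = SESSIONS.get(get_header(headers, "Cookie") or "")
    if session is None:
        # No IdP session, so nothing to list (status handling here is this
        # example's choice, not a spec requirement).
        return 200, {"accounts": []}
    return 200, {"accounts": [session]}


# Constructed sample requests as an IdP would see them.
FEDCM_REQUEST = {
    "Cookie": "sid=abc123",
    "Sec-Fetch-Dest": "webidentity",
    "Accept": "application/json",
}
PAGE_FETCH_REQUEST = {  # credentialed fetch() issued by script on some other site
    "Cookie": "sid=abc123",
    "Sec-Fetch-Dest": "empty",
    "Origin": "https://other-site.example",
}
NON_BROWSER_REQUEST = {"Cookie": "sid=abc123"}  # e.g. a command-line HTTP client

if __name__ == "__main__":
    for label, req in [
        ("fedcm", FEDCM_REQUEST),
        ("page-fetch", PAGE_FETCH_REQUEST),
        ("non-browser", NON_BROWSER_REQUEST),
    ]:
        print(label, accounts_endpoint(req))
```

Only the request carrying `Sec-Fetch-Dest: webidentity` receives the account record; the cross-site fetch and the header-less client both get a 403 before the session is even looked up. The comparison is exact rather than case-folded because Sec-Fetch-Dest values are lowercase tokens, and the gate is evaluated before any session or PII access so that a refusal is cheap and leaks nothing.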