On Wed, May 8, 2024 at 4:07 PM Sam Goto <goto=40google....@dmarc.ietf.org> wrote:
> That's easier to answer: the browser needs name/email/picture to construct an
> account chooser
> <https://docs.google.com/presentation/d/1iURrPakaHgBfQ6mAefKijjxToiTTgBSPz1rtaV0od98/edit#slide=id.p>,
> which is the UX that tested best with users by a far margin.

I bring up again the issue I filed: https://github.com/fedidcg/FedCM/issues/242

Registration and login are conflated in OIDC. Showing the name/email/picture implies those will be shared. That is commonly what happens when using Google -- but other IdPs might have those attributes, and it may not be what an RP needs, breaking the Law of Identity about minimal disclosure.

The FedCM architecture works well to solve the 3P cookie deprecation for the fancy Google login flow -- but standardizing that as how all login works normalizes that email, name, and picture will always be shared -- not a goal I think many of us are aligned on.
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org