Right. Google treats email as a guid for user name. Any old guid should work.
thx ..Tom (mobile)

On Sat, May 11, 2024, 3:22 PM Dick Hardt <dick.ha...@gmail.com> wrote:

> On Wed, May 8, 2024 at 4:07 PM Sam Goto <goto=40google....@dmarc.ietf.org>
> wrote:
>
>> That's easier to answer: the browser needs name/email/picture to
>> construct an account chooser
>> <https://docs.google.com/presentation/d/1iURrPakaHgBfQ6mAefKijjxToiTTgBSPz1rtaV0od98/edit#slide=id.p>,
>> which is the UX that tested best with users by a far margin.
>
> I bring up again the issue I filed
> https://github.com/fedidcg/FedCM/issues/242
>
> Registration and login are conflated in OIDC. showing the
> name/email/picture implies those will be shared. That is commonly what
> happens when using Google -- but other IdP's might have those attributes,
> and it may not be what an RP needs, breaking the Law of Identity about
> minimal disclosure.
>
> The FedCM architecture works well to solve the 3P cookie deprecation for
> fancy Google login flow -- but standardizing that as how all login works
> normalizes that email, name, and picture will always be shared -- not a
> goal I think many of us are aligned on.
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org