On Sat, May 11, 2024 at 3:22 PM Dick Hardt <dick.ha...@gmail.com> wrote:
> On Wed, May 8, 2024 at 4:07 PM Sam Goto <goto=40google....@dmarc.ietf.org>
> wrote:
>
>> That's easier to answer: the browser needs name/email/picture to
>> construct an account chooser
>> <https://docs.google.com/presentation/d/1iURrPakaHgBfQ6mAefKijjxToiTTgBSPz1rtaV0od98/edit#slide=id.p>,
>> which is the UX that tested best with users by a far margin.
>>
>
> I bring up again the issue I filed
> https://github.com/fedidcg/FedCM/issues/242

Yeah, that's a known issue. We actively are working on a subset of this
problem here: https://github.com/fedidcg/FedCM/issues/559

> Registration and login are conflated in OIDC. Showing the
> name/email/picture implies those will be shared. That is commonly what
> happens when using Google -- but other IdPs might have those attributes,
> and it may not be what an RP needs, breaking the Law of Identity about
> minimal disclosure.
>
> The FedCM architecture works well to solve the 3P cookie deprecation for
> fancy Google login flow -- but standardizing that as how all login works
> normalizes that email, name, and picture will always be shared -- not a
> goal I think many of us are aligned on.

Yeah, no disagreement from my side that that's a non-goal, and not part of
the end state. Purely sequencing strategy based on practicalities, from
where I stand.

As I said, I think the following will go a long way in making
email/picture optional/unnecessary:
https://github.com/fedidcg/FedCM/issues/559
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org