On Thu, May 9, 2024 at 7:24 AM Neil Madden <neil.e.mad...@gmail.com> wrote:
> On 9 May 2024, at 00:06, Sam Goto <g...@google.com> wrote:
>
> [...]
>
>>> I guess, flipping this around, we might ask what is the legitimate
>>> purpose for which browsers need to access the user’s name, email address
>>> (both required) and other identifying information? I’d have thought an
>>> identifier (possibly randomised) and some user-supplied account nickname
>>> would be sufficient.
>>
>> That's easier to answer: the browser needs name/email/picture to construct an
>> account chooser
>> <https://docs.google.com/presentation/d/1iURrPakaHgBfQ6mAefKijjxToiTTgBSPz1rtaV0od98/edit#slide=id.p>,
>> which is the UX that tested best with users by a far margin.
>>
>> Static/unpersonalized permission prompts - example
>> <https://www.cookiestatus.com/images/content/storage-access-api.jpg> in
>> Safari, example
>> <https://developers.google.com/static/privacy-sandbox/assets/images/storage-access-api-permission-prompt.png>
>> in Chrome - perform extremely poorly (in comparison to account choosers),
>> although they have other benefits too (namely ergonomics and extensibility), so
>> Chrome (and others) expose that too in the form of the Storage Access API
>> <https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API>.
>
> Yeah, that's what I suspected. Did you do research that specifically
> called out email addresses as a must-have?

Oh yeah, that's a known issue that we are actively working on: making email
optional, and, beyond that, selective disclosure (e.g. phone numbers rather
than email addresses, preferred language, etc).

https://github.com/fedidcg/FedCM/issues/317#issue-1312109391
https://github.com/fedidcg/FedCM/issues/242#issue-1197135276

We are actively working on this, with an origin trial coming out soon, so
stay tuned!
> PS - although this is an OAuth group, you may also want to look at things
> like Dropbox's Chooser/Saver widgets (
> https://www.dropbox.com/developers/chooser), which provide fine-grained
> permissions to access specific files/folders using a file dialog UX rather
> than a redirect-based flow. I appreciate that may not be your initial
> focus, but one for the "mood board" as it were...

We did look extensively into prior art, as far as UX constructions and design
of incentives go (largely with many people in this community, thanks!), namely,
Microsoft's Cardspace/Infocards
<https://twitter.com/vibronet/status/1554553875385880577>, OIDF's
accountchooser.org
<https://twitter.com/samuelgoto/status/1582172677531324416>, Mozilla's Persona
<https://twitter.com/samuelgoto/status/1580991527366467585>, Hello
<https://twitter.com/samuelgoto/status/1580320591080435712> and OpenID's URL
Identifiers <https://twitter.com/samuelgoto/status/1745147272055390295> (for
the development of the IdP Registration API, UX here
<https://github.com/fedidcg/FedCM/issues/240#issuecomment-2065607797> for
comparison).

I haven't gotten to this yet, but Why we failed
<https://twitter.com/justin__richer/status/1778681191693947078> is on my
reading list too.

I hadn't run into Dropbox's chooser UX; I'll add that to my list and report
back on what I learn.

>
> -- Neil
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org