|
| 1 | +### 1. What information does this feature expose, and for what purposes? |
| 2 | +In the FedCM API, the user is visiting a relying party (RP) and is presented with a prompt to perform federated sign-in by choosing one of their accounts from an identity provider (IDP). |
| 3 | +This API exposes the following information to enable this federated sign-in flow: |
| 4 | +the user agent fetches metadata about the RP from the IDP. |
| 5 | +The user agent queries this from the IDP for a few reasons: |
| 6 | + |
| 7 | +* The goal of FedCM is to work without requiring any RP interventions, assuming that the RP has embedded an IDP SDK in its site. Therefore, in these cases, all of the information would come from the IDP. |
| 8 | +* The IDP may have legal requirements that it needs to verify the links presented to the user. That said, we have a feature request to allow the RP to provide their own links, at least in certain cases. See w3c-fedid/idp-registration#8 for more details. |
| 9 | + |
| 10 | +This metadata includes a privacy policy URL and Terms of Service. |
| 11 | +This exposes to the IDP that someone is visiting the RP, and is necessary to present these links to the user on the FedCM UI. |
| 12 | +However, assuming that the RP has embedded an IDP SDK, this does not let the IDP learn anything new, as the IDP can send itself an uncredentialed fetch. |
| 13 | + |
| 14 | +The user agent performs a separate credentialed fetch to get a list of user’s accounts from the IDP. |
| 15 | +This exposes to the IDP that the given user is visiting some unknown website which uses the FedCM API. |
| 16 | +Once the user chooses an account from the list of accounts, the user agent gets a token from the IDP and provides this token to the RP. |
| 17 | +This exposes information about the user’s selected IdP and account to the RP. |
| 18 | +It is necessary to complete the sign-in process. |
| 19 | +Exposing this information serves user needs because it enables them to login to sites using credentials from IDPs which they already have. |
| 20 | +This removes the need to create a username and password in the RP, thus making it an easier and more secure user experience. |
| 21 | + |
| 22 | +We are actively working on alternatives to reduce the information exposed before the user chooses an account. |
| 23 | +For instance, we could use a delegation model to prevent the IdP from knowing every time the user uses FedCM with them: see https://github.com/w3c-fedid/FedCM/issues/677 for more details. |
| 24 | +In addition, there are timing attacks that the RP and IDP can execute (by using the information in the uncredentialed fetch revealing the RP and the credentialed fetch revealing the user’s IdP accounts above) in order to gain knowledge about the user just based on the credentialed request to the IDP to get the user accounts. |
| 25 | +We have mitigated this in a couple of ways: |
| 26 | + |
| 27 | +* We use the login status API to keep track of when users are logged in to the IdP, avoid fetching accounts if they are not, and always show UI if the IdP claims the user is logged in but they are not. This was solved in w3c-fedid/FedCM#447. |
| 28 | +* We are actively working on an alternative model where the API does not need to fetch accounts before the user agrees to linking information between the RP and the IDP. The repository for this is https://github.com/fedidcg/LightweightFedCM. |
| 29 | + |
| 30 | +### 2. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? |
| 31 | +In order to enable logging in, the browser must request the user accounts from the IDP, and it must provide the ID tokens to the RP once the user chooses an account. |
| 32 | +The information exposed includes an account ID, the user’s name, email, and profile picture (and this may be expanded in the future as well). |
| 33 | +This information is requested by the browser to create a user-comprehensible dialog. |
| 34 | +The information sent to the RP to create the user account is controlled by the IdP, and it is only sent once the user agrees to use the IdP account. |
| 35 | +The ID of the account is sent to the IdP to know which account the user has selected. |
| 36 | +It is possible to think of a future where the IdP is blind so that either (a) it does not know anything until the user agrees to use the API or (b) it does not know who the RP is even after the exchange of information occurs. |
| 37 | +As mentioned above, these are future iterations of the API that we are working on. |
| 38 | + |
| 39 | +### 3. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? |
| 40 | +PII is only exposed to the RP once the user consents to login. |
| 41 | +The actual information exposed once user consents to login is up to the IdP, and it is not something that this API can control. |
| 42 | + |
| 43 | +### 4. How do the features in your specification deal with sensitive information? |
| 44 | +The user agent facilitates communication, but it is the IDP who crafts the ID token exposed to the RP for login. |
| 45 | +The purpose of this API is to allow federated login, and as such it is necessary to expose the sensitive user information to JavaScript once the user has consented. |
| 46 | +It is worth noting that this information does not include any passwords. |
| 47 | +This API protects the user’s privacy before consent by not sharing any data with the RP before consent. |
| 48 | + |
| 49 | +### 5. Does data exposed by your specification carry related but distinct information that may not be obvious to users? |
| 50 | +No |
| 51 | + |
| 52 | +### 6. Do the features in your specification introduce state that persists across browsing sessions? |
| 53 | +Yes. There is intentionally a new state: the connected accounts set, which stores information about which RP, IDP, accountIDs have been used via FedCM. |
| 54 | +This allows the origin to identify the user across multiple page visits, but only because the user has consented to login to this RP via the IDP credentials. |
| 55 | +The RP can achieve the same result by just storing a cookie with this information. |
| 56 | +The IDP would not receive any information when repeat visits occur, unless the RP requests a new ID assertion (via a navigator.credentials.get request) for whatever reason. |
| 57 | +The user should have the ability to logout of the RP as well and even clear the credentials that are created from FedCM. |
| 58 | +Thus we believe that browsers consider how clearing Cookies and site data should affect FedCM, when implementing the API. |
| 59 | +At a minimum, clearing site data should clear FedCM’s connected accounts set. |
| 60 | +In addition, the browser should consider adding FedCM-specific site clearing settings. |
| 61 | +Another state introduced with this API is the IDP login status. |
| 62 | +This state is used to ensure that fetching accounts always results in some visible UI being shown to the user. |
| 63 | +The state is not something that neither the RP nor the IDP can query. |
| 64 | + |
| 65 | +### 7. Do the features in your specification expose information about the underlying platform to origins? |
| 66 | +No |
| 67 | + |
| 68 | +### 8. Does this specification allow an origin to send data to the underlying platform? |
| 69 | +No |
| 70 | + |
| 71 | +### 9. Do features in this specification enable access to device sensors? |
| 72 | +No |
| 73 | + |
| 74 | +### 10. Do features in this specification enable new script execution/loading mechanisms? |
| 75 | +No |
| 76 | + |
| 77 | +### 11. Do features in this specification allow an origin to access other devices? |
| 78 | +No |
| 79 | + |
| 80 | +### 12. Do features in this specification allow an origin some measure of control over a user agent’s native UI? |
| 81 | +Yes. This feature allows the introduction of a sign-in sheet created by the user agent based on the information provided by the IDP. |
| 82 | +The user’s choice on the sign in sheet may or may not block other user agent UI: this choice is up to the user agent. |
| 83 | +And the user selections on the sheet (other than clicking on the privacy policy or terms of service links) are not redirected to the website, but rather handled directly by the user agent. |
| 84 | + |
| 85 | +### 13. What temporary identifiers do the features in this specification create or expose to the web? |
| 86 | +The tokens created and used by the FedCM API are managed by the IDP, and hence it is the IDP that has to choose token expiry. |
| 87 | +The user agent does not store tokens, and the RP should coordinate with the IDP to refresh tokens as needed. |
| 88 | + |
| 89 | +### 14. How does this specification distinguish between behavior in first-party and third-party contexts? |
| 90 | +The FedCM API can be called by a top-level frame without issue. |
| 91 | +Due to the risk of abuse from giving cross-origin iframes access to the API, by default these cannot access the API. |
| 92 | +However, there are use-cases for requesting users to sign in from an iframe. |
| 93 | +We use Permissions Policy to allow top-level frames to grant iframes with permissions for calling the API. |
| 94 | + |
| 95 | +### 15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? |
| 96 | +The FedCM API should work the same way in Incognito mode, thus not introducing a way for the RP to tell that the user is currently browsing in that mode. |
| 97 | +In addition, as with cookies, any state resulting from browsing in incognito mode should be cleared once the user ends the session. |
| 98 | + |
| 99 | +### 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? |
| 100 | +Security section: https://w3c-fedid.github.io/FedCM/#security |
| 101 | + |
| 102 | +Privacy section: https://w3c-fedid.github.io/FedCM#privacy |
| 103 | + |
| 104 | +### 17. Do features in your specification enable origins to downgrade default security protections? |
| 105 | +No. This API allows the RP and IDP to communicate with each other to enable federated login in the absence of third-party cookies. |
| 106 | +The specification will allow the usage of Permissions Policy to enable the API on iframes, so in particular this API is disabled by default on iframes. |
| 107 | + |
| 108 | +### 18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? |
| 109 | +The dialog to choose an IDP and a user account within the IDP should not be shown when the document is not visible, which in particular means that it should not be shown for non-fully active documents. |
| 110 | +So in particular a FedCM request should be dismissed once the document enters the BFCache, and the document may resurface a request after |
| 111 | + |
| 112 | +### 19. What happens when a document that uses your feature gets disconnected? |
| 113 | +The FedCM request associated with a disconnected document should be rejected and any UI being shown dismissed. |
| 114 | + |
| 115 | +### 20. Does your spec define when and how new kinds of errors should be raised? |
| 116 | +Our spec does not use new kinds of errors, but rather existing ones |
| 117 | + |
| 118 | +### 21. Does your feature allow sites to learn about the user’s use of assistive technology? |
| 119 | +No |
| 120 | + |
| 121 | +### 22. What should this questionnaire have asked? |
| 122 | +Timing attacks were discussed briefly in 2.1. |
| 123 | +It could be useful to ask whether there are multiple bits of information that are disclosed separately but when correlated help break privacy or security assumptions. |
0 commit comments