fedidcg / FedCM

A privacy preserving identity exchange Web API
https://fedidcg.github.io/FedCM

IdP Registration API: should the browser reveal to the RP when no IdP has registered before? #605

Open samuelgoto opened 1 month ago

samuelgoto commented 1 month ago

Currently, if no IdPs have registered in the past, the browser reveals that fact to the RP, which could potentially be a breach of the user's privacy.

const credential = await navigator.credentials.get({
  identity: {
    providers: [{
      configURL: "any" // throws if no IdP has called IdentityProvider.register() ahead of time. Should it? 
    }]
  }
});

I'm not sure what the answer is, but I ran into this while testing this, so it should be easily reproducible:

https://x.com/samuelgoto/status/1793776387356340357

cbiesinger commented 1 month ago

Looks like the code for that is here: https://source.chromium.org/chromium/chromium/src/+/main:content/browser/webid/federated_auth_request_impl.cc;l=694;drc=98f953c8a23d2008be9f7c8977b3c60d6fdfe53d

npm1 commented 3 weeks ago

That code implies to me that the rejection is being delayed...