Issue (open), opened by hpsin 2 years ago
Use case to consider: RPs hosting multiple TLDs and trying to sign users in once, with a persistent user session, as a user agent visits multiple TLDs in the managed group.
Discussed during the 12 November 2021 fedidcg call
I personally feel like it isn't safe to include credentials authentication inline with
But with a new system and the User Agent's UI it could be "verifiable" somehow, e.g. when the user clicks "Auth with Google" it shows inline authentication with some verification from the User Agent that yes, it's from Google.
User story
When users visit my app and I ask them to sign in, I don't want to navigate away from my app. Instead, I want to embed the login experience in an iframe inside my app.
Context of the story
Some IdPs support embedding of their UX in an iframe, allowing "inline" authentication experiences that still benefit from SSO,
Should this be considered sanctioned or unsanctioned tracking?
Sanctioned
Explicit list of parties involved
IdP, User, Application
Complicating characteristics
This is a zero-navigation, iframe-based authentication flow that is nevertheless interactive. There is no full-page redirect that can be intercepted. When the iframe is loaded, the IdP has no access to its existing sessions (its first-party cookies are not available in the embedded context), so the user may need to authenticate repeatedly across apps that use this pattern.
Additional information
This is a prime candidate for the initial implementation of the Storage Access API, wherein the embedded IdP would trigger the permission prompt from a user gesture and, if granted, regain access to its first-party cookies.
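As an added illustration of that pattern (not code from the issue or from any IdP), the sketch below shows the IdP-side logic inside the embedded login iframe: it checks `document.hasStorageAccess()`, calls `document.requestStorageAccess()` only from the click on the sign-in button (browsers reject calls made without user activation), and falls back to a top-level flow when access is denied. The `doc` parameter and the constructed fake documents are assumptions that let the flow run outside a browser; in a real page `doc` is simply `document`.

```javascript
// IdP-side logic for an embedded (iframe) sign-in using the Storage Access API.
// `doc` is injected so the flow can be exercised outside a browser.

async function ensureSessionAccess(doc) {
  // If the frame already has unpartitioned cookie access, no prompt is needed
  // and the IdP can read its existing SSO session cookie directly.
  if (await doc.hasStorageAccess()) {
    return "already-granted";
  }
  try {
    // Must be called during a user gesture (the sign-in click); the browser
    // may show a prompt and resolves only if the user/policy allows it.
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    // Denied: do not fail silently; the caller falls back to a top-level flow.
    return "denied";
  }
}

// Maps the outcome to what the iframe should do next.
function nextStep(outcome) {
  return outcome === "denied"
    ? "open-top-level-login" // popup or full-page navigation to the IdP
    : "check-existing-sso-session"; // first-party cookies are now readable
}

// Wire the flow to the sign-in button inside the iframe.
function attachSignIn(doc, button, onDecision) {
  button.addEventListener("click", async () => {
    const outcome = await ensureSessionAccess(doc);
    onDecision(nextStep(outcome));
  });
}

// Constructed fake documents (assumption) standing in for `document`.
function fakeDocument({ hasAccess, allow }) {
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!allow) throw new Error("NotAllowedError");
    },
  };
}

// Stand-alone demo: a frame without access whose request is granted.
ensureSessionAccess(fakeDocument({ hasAccess: false, allow: true }))
  .then((o) => console.log(o, "->", nextStep(o)));
```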