Open berilee opened 3 years ago
@berilee @hlflanagan if helpful, here are a couple of prior art examples of a one-tap widget to help anchor use cases. Ideally, a traditional "Sign In With IdP" button, manual sign-in method (user/pass), and/or other sign-in methods are surfaced on an account management page/popup with a one-tap dialog being deployed on individual pages across websites -- enabling low-friction direct access to individual pages by authenticated users without first requiring a visit to a sign-in page or dialog.
Google is in the middle of a migration from an old sign-in library that is heavily reliant on third-party cookies to manage user sessions: 1) between a website and the users, 2) between the user and Google. The new library described in this migration guide does not rely on cookies for basic functionality... assuming FedCM is successful.
Sign In With Google cookie usage describes both cookie and session behaviors in-depth.
The RP should not know the user accessed the one-tap flow until the user provides consent
Should the RP be able to know the user is signed in with a Google account? It's not much entropy, but I imagine "did the iframe pop up" is an easy check to make.
The RP should not know the user accessed the one-tap flow until the user provides consent
Should the RP be able to know the user is signed in with a Google account? It's not much entropy, but I imagine "did the iframe pop up" is an easy check to make.
With FedCM, the RP won't know that fact until after the user has created an account with the IDP.
Discussed during the 12 November 2021 fedidcg call
The user sees the sign-up button in a new popup
Is it in User Agent's UI or in website's UI?
I believe this things should be clearly defined. What UI is supposed to be on which end, how it's customizable if it's UA's, what it displays in general, etc.
As far as I understand, this use cases covers only "popup OneTap" which displays over a website. Also, AFAIK, current FedCM API also suggests such case. I would like to point out that there are other cases for OneTap, such as "inline OneTap UI". It can be a button or a whole block of UI. Here is an example: https://youtu.be/sbCU12GrMP8
The FedCM popup UI is browser UI, it is not controlled by the IDP. The name, email and profile picture come from the IDPs account list. There is minimal branding of the button and logo that can be done by the IDP to differentiate the display.
The current FedCM work is around handling the popup UI case and not the inline case. that doesn't preclude it from being provided in the future. We have just been focusing on the popup case as a starting point. The security and privacy considerations of the inline variation would need to be considered.
I believe inline case should be resolved before third-party cookie are removed, otherwise it's going to break products.
User story
As a user I want to sign up to rp.example.com using the one-tap widget flow. The user is already signed into the IDP.
Alternative, user cancels sign-up
Context of the story
Assumptions
Scenario
Should this be considered sanctioned or unsanctioned tracking?
Explicit list of parties involved
Privacy Implications
Complicating characteristics
[TBD]
Additional Information
[N/A]