privacycg / nav-tracking-mitigations

Navigation-based Tracking Mitigations
https://privacycg.github.io/nav-tracking-mitigations/

Is using the OAuth front channel navigation tracking? #16

Open martinthomson opened 2 years ago

martinthomson commented 2 years ago

I'm going to say that it is. It expressly involves taking some user-related information (an identifier in the case of OIDC) and passing that between two sites, using navigation (and link decoration) to carry out the exchange.

(Of course, in the majority of cases, this information transfer is exactly what users want. That doesn't make it any less of a case of navigation tracking.)

jyasskin commented 2 years ago

<ulterior-motive>I'd like to preserve a term for "things we think are bad", and so far that's been "navigational tracking."</ulterior-motive>

I think "tracking" implies that it's without the intent of the person being tracked. If the track-ee wants to be followed, you generally don't have to track them, they just tell you where they're going. The definition that's currently in the document does include the OAuth front channel, so I filed #8 to make this issue's answer "no".

martinthomson commented 2 years ago

A laudable goal, but I might have a different view on this. I was thinking that we might instead focus on unsanctioned navigation tracking? Or maybe a different arrangement of words: "unsanctioned tracking that uses navigation"?

I don't think that you ever get past the fact that navigation generates information. If you are attempting to align the content of that information with user expectation, you have some fairly high hurdles to clear. (I hope to be able to share more complete thinking on the subject shortly.)

johannhof commented 2 years ago

I'm not sure how the current definition of unsanctioned tracking would help us judge passing information via OAuth, since the definition (at least in the document) seems to be made at an API level (= all URL based tracking/re-identification is bad). Would you suggest that we give up on trying to find an acceptable group of use cases for identifying URL parameters and instead declare them harmful altogether?

samuelgoto commented 2 years ago

Does it matter "who" does the tracking in the definition of navigational tracking?

That is, does it matter if an OAuth Provider (doesn't do the tracking on its own, but) releases the user's (global) email address to two different websites (which can then join the user's identities with each other)?