w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Make explicit that there can be multiple state machine keys for a particular RP #388

Closed judielaine closed 1 year ago

judielaine commented 1 year ago

While this may be "obvious" I suggest an explicit statement that prevents differing interpretations in the future.

I suggest text along the lines of:

The state machine must allow multiple keys with a state of "registered" for a particular RP.

There are many use cases where an individual may use (register) multiple IdPs with a single RP:

Note that this is not exactly like https://github.com/fedidcg/FedCM/issues/319 which appears to focus on the RP indicating multiple IdPs are acceptable. This follows on that issue by clarifying that given a set of IdPs accepted by an RP, an end user may use more than one and should NOT be required to "deregister" an IdP relationship with an RP before registering a second IdP with that RP.

npm1 commented 1 year ago

The keys in the state machine are already a triple (rp, idp, account). I don't think this needs to be explicit? Is there a reason you think so? It is also up to the RP and IDP how/if they allow users to perform multiple logins at the same time, not up to the browser.
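To illustrate the point made above that each key is a (rp, idp, account) triple, here is a toy model added for this discussion; it is not the spec's algorithm or any browser's code, and the state names and origins in it are assumed or constructed.

```javascript
// Toy model of a state machine keyed by (rp, idp, account).
// Constructed for illustration; not FedCM spec text or browser code.

// The key must encode all three parts so that (rp, idpA, acct) and
// (rp, idpB, acct) are distinct entries, not one entry overwriting the other.
function key(rp, idp, account) {
  return JSON.stringify([rp, idp, account]);
}

class AccountStateMachine {
  constructor() {
    this.states = new Map(); // key -> state string ("registered" assumed)
  }
  // State of a triple; a triple never seen is treated as "unregistered".
  get(rp, idp, account) {
    return this.states.get(key(rp, idp, account)) ?? "unregistered";
  }
  // Registering one triple deliberately touches no other triple, so a second
  // IdP (or second account) for the same RP never displaces the first.
  register(rp, idp, account) {
    this.states.set(key(rp, idp, account), "registered");
  }
  deregister(rp, idp, account) {
    this.states.delete(key(rp, idp, account));
  }
  // All (idp, account) pairs currently registered for a given RP.
  registeredFor(rp) {
    const out = [];
    for (const [k, state] of this.states) {
      const [r, idp, account] = JSON.parse(k);
      if (r === rp && state === "registered") out.push({ idp, account });
    }
    return out;
  }
}

// Walk-through: one RP, two IdPs, two accounts at one of the IdPs.
function demo() {
  const sm = new AccountStateMachine();
  const rp = "https://rp.example"; // constructed origins throughout
  sm.register(rp, "https://idp-a.example", "alice");
  sm.register(rp, "https://idp-b.example", "alice@idp-b");
  sm.register(rp, "https://idp-a.example", "alice-work");
  // Deregistering one triple leaves the other two registered.
  sm.deregister(rp, "https://idp-a.example", "alice-work");
  return sm.registeredFor(rp);
}
```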

judielaine commented 1 year ago

I will admit my concern is informed by working with UX teams and assumptions that can be made. I felt the explicit part was more to communicate to a non-implementer that there should be more than one allowed IdP per RP (as well as more than one allowed account per IdP per RP). I am unfamiliar with W3C spec conventions: perhaps my concern is better supported in other documentation.

npm1 commented 1 year ago

Oh ok! I think specs are mostly meant for implementers although they are also looked at by other people. For developers or other people, I'd recommend looking at developer docs instead. For FedCM one such example is https://developer.chrome.com/docs/privacy-sandbox/fedcm/#use-api. But perhaps we can add a note (doesn't hurt?)

npm1 commented 1 year ago

After writing the PR for this issue, I'm not really convinced that we need a note. It should be clear that a user may have more than one 'registered' account from the shape of the state machine. So I think we should close this issue, is that reasonable to you?

judielaine commented 1 year ago

Yes, my regrets for causing churn.