Status: closed by Sauski 7 months ago
Thanks for opening the issue! We are in the process of deprecating the explainer you linked and using issue #429 as the new "explainer".
The mitigation has been added to the proposal in issue #429.
Close as fixed.
The re-auth privacy considerations section doesn't mention any mitigations for aligning user expectations of whether they are logged into an RP with re-auth behavior.
For example, if a user deletes any storage associated with the RP (or all UA provided storage), there is a strong expectation that they will not be logged into the RP. In this case, future re-auth flows should fail until another standard flow has completed.
IIUC Chrome will ship to OT with a mitigation for this, so it would be good to at least highlight the importance in the explainer. I appreciate that the exact shape of the mitigation will be browser dependent, and may change over time, so a general statement about aligning with user expectations + example seems appropriate.
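A small model of the mitigation described in this issue, added here as an example (it is not code from the FedCM spec, Chrome, or the explainer; the `ReauthGate` class, its method names and the example origins are hypothetical). It tracks, per RP, which IdPs have completed a standard flow, and lets re-auth succeed only while that record survives a storage clear:

```javascript
// Hypothetical user-agent-side gate for FedCM re-authentication.
// Policy modelled from the issue: re-auth may only succeed if a standard
// (user-mediated) flow completed for (RP, IdP) and the user has not since
// deleted that RP's storage or all UA-provided storage.
class ReauthGate {
  constructor() {
    // rpOrigin -> Set of idpOrigins with a completed standard flow
    this.grants = new Map();
  }

  // Record that a standard flow completed for this RP/IdP pair.
  completeStandardFlow(rp, idp) {
    if (!this.grants.has(rp)) this.grants.set(rp, new Set());
    this.grants.get(rp).add(idp);
  }

  // User deleted storage for one RP: drop its re-auth eligibility.
  clearSiteData(rp) {
    this.grants.delete(rp);
  }

  // User deleted all UA-provided storage: drop every RP's eligibility.
  clearAllSiteData() {
    this.grants.clear();
  }

  // Re-auth succeeds only if a standard flow completed since the last clear.
  attemptReauth(rp, idp) {
    const idps = this.grants.get(rp);
    return idps !== undefined && idps.has(idp) ? "ok" : "blocked";
  }
}

// Walk through the scenario from the issue and return each re-auth outcome.
function walkthrough() {
  const ua = new ReauthGate();
  const rp = "https://rp.example";   // constructed sample origin
  const idp = "https://idp.example"; // constructed sample origin
  const outcomes = [];
  outcomes.push(ua.attemptReauth(rp, idp)); // never signed in -> blocked
  ua.completeStandardFlow(rp, idp);
  outcomes.push(ua.attemptReauth(rp, idp)); // standard flow done -> ok
  ua.clearSiteData(rp);                      // user deletes RP storage
  outcomes.push(ua.attemptReauth(rp, idp)); // blocked until a new standard flow
  ua.completeStandardFlow(rp, idp);
  ua.clearAllSiteData();                     // user clears all UA storage
  outcomes.push(ua.attemptReauth(rp, idp)); // blocked again
  return outcomes;
}
```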