Open samuelgoto opened 5 months ago
@npm1 says he is working on it! That was fast! :)
FWIW, the reason I had previously brought it up was that I was thinking IdPs may want to register as soon as the user logs in successfully.
I do think some/many IdPs would want to call register as soon as the user logs in, but I'm not actually sure that is the best idea. I can definitely see that getting abused by websites that aren't "actually" IdPs for example.
I don't think it's bad to require a user gesture first. Browser popups like the location and notification permission are already pretty noisy when you go to random websites, I'd hate to see this one get added to the noise too.
> Browser popups like the location and notification permission are already pretty noisy when you go to random websites, I'd hate to see this one get added to the noise too.
Yeah, that was my intention having it be behind a user gesture: abuse and permission blindness. Glad some of that matches your intuition too.
> @npm1 says he is working on it! That was fast! :)
For the record, I was not talking about this issue 😆
Is this user interaction/gesture also required for registering an IdP via the response header? One scenario I can think of right away is that an IdP would like to silently register while performing an SSO via OpenID Connect/OAuth redirect flow which does not need an interaction if there is already a signed-in state.
Oh wait, there is no FedCM IdP registration via response header. I mixed that one up with login status.
Came up in the FedID CG call in a discussion with @aaronpk.
@cbiesinger brought this up in the past, so FYI.
I don't think it is strictly necessary, as far as privacy and security are concerned, but it is also not clear to me how an IdP would provide a user experience without an explicit user action.
Anyway, seems like a valid feature request, so tracking it here.