FedCM: LoginHint, UserInfo, and RPContext

[npm1]

こんにちは TAG-さん!

I'm requesting a TAG review of LoginHint, UserInfo, and RPContext. These are small additions to the FedCM API, so I'm filing a review to cover all three.

• With LoginHint, the RP can specify a hint about the user account they want displayed in the FedCM UI. Accounts which do not match the hint are not displayed. This is mainly used to provide a better UX for returning users.

• The UserInfo extension allows the IDP to personalize the login experience for returning users, for instance via personalized buttons. After the user has used FedCM with a given IDP on some RP site, this API provides some information about the user accounts to the IDP on subsequent visits to the RP.

• With the context parameter, the IDP can request for the FedCM dialog to show a different title than “Sign in”, to improve the message being displayed to the user in the FedCM UI.

  • Explainers¹ (minimally containing user needs and example code): we publish explainers as issues per request from Mozilla. See the first and second comments of https://github.com/fedidcg/FedCM/issues/382 https://github.com/fedidcg/FedCM/issues/426 https://github.com/fedidcg/FedCM/issues/456
  • Security and Privacy self-review²: url
  • GitHub repo (if you prefer feedback filed there): url
  • Primary contacts (and their relationship to the specification):
    • Nicolas Pena Moreno (@npm1, Google Chrome)
    • Sam Goto (@samuelgoto, Google Chrome)
  • Organization/project driving the design: Google Chrome
  • External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5166718178033664

Further details:

• [X] #847
• The group where the incubation/design work on this is being done (or is intended to be done in the future): FedID CG
• The group where standardization of this work is intended to be done ("unknown" if not known): unknown
• Existing major pieces of multi-stakeholder review or discussion of this design: N/A
• Major unresolved issues with or opposition to this design: N/A
• This work is being funded by: Google Chrome

You should also know that our current goal is to ship on Chrome 116, which branches on June 20, 2023. I plan to send a PR to the FedCM repo shortly.

We'd prefer the TAG provide feedback as (please delete all but the desired option): 💬 leave review feedback as a comment in this issue and @-notify @npm1

[plinss]

@rhiaro and I took a look at this today (apologies for the long delay), LoginHint and the RPContext seem fine by us, but we have a question about UserInfo.

The explainer mentions that the UA would retain user information even after the user signs out of the IDP. Considering a shared computer, e.g. I sign in to a service at a computer in my library, then sign out, it seems that the next person using that computer gets to see information about my identity, which I would not expect after having signed out. Are we understanding that correctly or are we missing something?

[npm1]

Hello, I can clarify. The UA does not retain the user info, but instead performs an accounts fetch to determine which IDP accounts are still available at the time in which the UserInfo API is requested. So in the example mentioned, after you log out of the IDP in a shared computer, the next person would not see your identity since the accounts fetch will not return your account.

[plinss]

Understood, thanks for the clarification. This then raises the question of log out flow, if the user logs out of the RP, are they always logging out of the IDP? If not, is that clear to them that they are still logged in to the IDP?

[npm1]

If the user logs out of the RP, they are still logged in to the IDP. They would have had to manually log in to the IDP, though, so that should not be surprising to a user.

[plinss]

Given people's experience with SAML/OIDC single-sign-out (and it's lack of consistent implementations) I expect most users don't really understand the difference. Having a normal logout flow not sign the user out of the IDP is reasonable, but I feel it's important for the distinction to be made clear to the user. Especially in a shared-use scenario.

[npm1]

Sorry, how is this relevant to the features in this review? If this was about the login status API or some other feature that lets you login to the IDP, then I can see the concern. With the UserInfo API, the information is only available to the IDP iframe within the RP website. So if the user logs out of the RP, the user may see personalized info in the RP website because they are still logged in to the IDP. I don't see how this is unexpected.

[plinss]

The feedback is about UserInfo potentially leaking personal information in a shared computer environment. It's not about making the previous user's identity available to an iframe, but displaying it to the next user of the computer if the previous user didn't log out of what they thought they were logging out of.

Think of a public computer in a library, person A logs into a site via FedCM, then when finished, logs out of the RP, but doesn't realize they haven't logged out of the IDP, and closes the tab/window. The next person using the computer, potentially someone who was stalking person A, recognizes the site Person A was visiting, visits that site and gets to see person A's name and possibly email address.

(There's also the issue of the next user leveraging the status of still being logged in to the IDP and using that to access the RP as the previous user.)

[npm1]

Hmm ok. But how did the user log in to the site via FedCM? They must have had to login to the IDP. So I suppose the steps are:

• Login to IDP
• Visit RP and login to RP by using FedCM
• Log out of RP only.
• Leave the computer for next person to use.

So in this case, the next person seeing person A's name and email on the RP can just as easily instead visit the IDP site, where the person A is still logged in(!!!). So UserInfo API is the least of person A's problems, and does not introduce any new information that the stalker cannot learn otherwise. In fact, the stalker has complete access to person A's IDP at this point since they forgot to log out of the IDP, regardless of the UserInfo API.

[samuelgoto]

Think of a public computer in a library, person A logs into a site via FedCM, then when finished, logs out of the RP, but doesn't realize they haven't logged out of the IDP, and closes the tab/window. The next person using the computer, potentially someone who was stalking person A, recognizes the site Person A was visiting, visits that site and gets to see person A's name and possibly email address.

From a security threat model perspective, we don't handle physically-local attacks, which includes the use of public computers. More information on the topic here:

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

doesn't realize they haven't logged out of the IDP

If the user doesn't realize they haven't logged out of the IdP and leaves a valid session in the cookie jar that another user can have access to (e.g. in a public computer), there are much bigger problems that the user would have before the User Info API becomes a problem: the attacker has access to the full IdP session, which is orders of magnitude richer (e.g. access to the user's email, social profile, payment instruments, etc) than the data provided by the User Info API.

Much of the position regarding challenging related to physical attacks are inspired some of the lessons from past OS designs (example, example).