# OAuth WG Interim Meeting

## Date

19 April, 2021, 12:00pm EDT

## Topic

- Identity Use Cases in Browser Catalog

Presenters: Vittorio/George

Draft: https://datatracker.ietf.org/doc/draft-bertocci-identity-in-browser/

Slides: [Slides](https://datatracker.ietf.org/meeting/interim-2021-oauth-06/materials/slides-interim-2021-oauth-06-sessa-ietf-browser-changes-and-identity-00)

# Notes

<b>Note taker: Heather Flanagan</b>

Recap/Update

Browsers are taking steps to prevent tracking by introducing new primitives. They will execute on this and kill some existing primitives regardless of whether there are mitigations in place. The scenario template described in the draft tries to help people tease out the important components that will be impacted by browser changes. Volunteers participated as much as volunteers usually do, and we don't have as many (hardly any) scenarios documented. OIDF has formed a special working group that is also working through this, and is including these scenarios and prioritized issues that will hopefully turn into scenarios.

Third-party cookies (3p cookies) will die first, so that's the immediate target. There are upcoming meetings and workshops where these topics will be addressed: 15 minutes of fame at the OIDF meeting on April 29; a forum (probably under W3C auspices) on May 25-26.

There are different layers to this problem: Urgent = 3p cookies; mid-term = link decoration; long-term = general considerations for federated identity in the browser.

Some things that we know will break: logout, refresh tokens in an iFrame.

Dick Hardt: The last time we talked, we should look at this as an opportunity to give feedback to the browsers on what features would be really useful to have, e.g., discovery mechanisms so the web page can say what providers this user has.

Tim Cappalli: Very important point. Early on, we talked about what we see identity on the web looking like in 2022: DIDs, WebAuthn, etc. If WebID were to be implemented as it is today (which is not expected) the user would have 7 different prompts to have to respond to. Existing experiences to redirect to an IdP to do WebAuthn seem unnecessary. But browser vendors have specific priorities for themselves, and they're not interested in the big picture if it doesn't align to their goals.

Vittorio: This would be really nice, but concerned about priorities. Having the chance to get browsers to expose what we need would be nice, but more concerned about the code out there that can't be changed and which will break, e.g., SiteMinder, SAML global sign out.

George: Agree that it would be great if browsers want to listen, but anything we do at that level is effectively a new protocol. We have huge amounts of deployments and we can't just look at what would be nice in a greenfield implementation. We need to look at what's deployed today and try to make sure it doesn't fall over. Solutions may be some indication that we can do $x and things will die in $y years.

Dick: They are making changes, and things are going to break, but we're not proposing solutions. Why don't we propose solutions that will address their problems, and will mitigate the downsides to existing things, and which will enhance existing experiences.

Vittorio: Some of the browser goals are goals that might not be achievable. A proposal that would satisfy them would have to satisfy "browser is in control of what information is exchanged between the RP and the IdP, would understand all the attributes, and be able to arbitrate the experience." We're trying to document what we have so we have a more objective reality to work from.

Tim: Worth having a parallel conversation as long as we don't lose the immediate issue.

George: If you look through comments on issues, has made some but they are often ignored. Writing explainers seems to be the best method for explaining the issues. In the last Privacy CG meeting, even within an enterprise where you may have multiple domains and want seamless SSO, the browser did not want to enable that seamless SSO. They wanted the user to explicitly give consent to let the IdP access certain data, because they want to make sure they can't do these hidden redirect things that ad companies often do.

Tim: They want to maintain SSO, but they are against the tracking experience that SSO provides. With the default response of using the Storage Access API, there's little control over what the message to the user would be. Generic prompts for the Storage Access API are fraught with peril.

Mike: Exactly what is meant by "decorated link" and where is it being used?

Dick: It's a link that has other information in it, e.g., the ad industry will link the user in one context to a user in another context. Anything with a query string is a decorated link. A URL that's carrying parameters is a decorated link. The browser may consider that as an attempt at tracking and block it in a way to make it look like a "new" browser every time. This is what Safari has already implemented.

George: It's unclear what exactly is happening with the OIDC flow on iOS. If you're using universal links, then that should work in the mobile apps.

Tim: There is a desire to break browser flows so the user has to download an app.

George: For publishers on the web, it's more advantageous to get a user to download an app, but users don't want to.

Rifaat: Regarding short vs long term, what do we want to do?

Vittorio: Unless you're thinking about writing proposals, not sure we'll have the ability to differentiate. We engage with the browser people whenever we can, and we steer the conversation as much as we can. Maybe the workshop in May will change things.

Heather: The workshop in May will attempt to bring the major browser vendors to the table to discuss what they're doing (which will take most of day 1) and then talk about major reference implementations (which will take most of day 2). Will also need to determine if this is the right format, the right people, etc., and if it is, will have more of these types of meetings.

Action: Heather will send the registration info to the list when it is available.

URLs of Interest:

* https://github.com/WICG/WebID/blob/main/cookies.md
* https://github.com/WICG/WebID/blob/main/README.md

## Attendees

* Rifaat Shekh-Yusef (chair)
* Hannes Tschofenig (chair)
* Vittorio Bertocci (presenter)
* Dick Hardt
* Justin Richer
* Aaron Parecki
* Filip Skokan
* Anthony Nadalin
* Heather Flanagan (scribe)
* Daniel Fett
* George Fletcher
* Mike Jones
* Karsten Meyer zu Selhausen
* Tyler Rasor
* Brock Allen
* Peter Yee
* Brian Campbell
* Cristofer Gonzales
* Tim Cappalli
* Torsten Lodderstedt

## Recording

https://ietf.webex.com/recordingservice/sites/ietf/recording/6d64fd3c720b46f2a0c2e11a4f3814c5/playback

## Next Interim Meetings

* April 26 TMI BFF – Vittorio/Brian https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/
* May 3 OAuth 2.1 - Aaron https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/