
Missing use cases #253

Open
gffletch opened this issue Apr 15, 2022 · 3 comments
Labels: documentation (Improvements or additions to documentation), editorial

Comments

@gffletch

gffletch commented Apr 15, 2022

In reading through the spec, I found the following use cases unclear or missing...

  1. IDP requires special registration elements based on the client_id of the RP. (This is very common in a First Party SSO scenario where multiple domains are in use and there is a common idp domain.)
     • For this to work the IDP needs to be able to control the user and form requests shown to the user so that the special requirements can be obtained.
  2. The IDP knows the identity of the user but the user must explicitly present credentials as the cookie is no longer sufficient (expired, the session context has deteriorated, etc.).
     • In this case the IDP does NOT need a sign-up event but instead just needs an explicit authentication.
     • This is similar to the use case Dick mentioned regarding the IDP needing the user to take additional steps before they can be set to a "signed in" state.
  3. The RP wants to request that the IDP perform an authentication with specific requirements (e.g. the user must authenticate with a hardware-based phishing-resistant method, or must authenticate if they haven't presented credentials in the last X minutes).
@npm1
Collaborator

npm1 commented Apr 21, 2022

Could this be addressed by adding more customization within the FedCM UI and/or adding support for full page redirect to the IDP so the IDP can control the requirements that way? This is something we're thinking about but do not have a clear design on yet. The third one is pretty interesting as it adds another level of authentication to the problem. Thanks for the examples!

@achimschloss
Contributor

On 3 - please cf. to max_age, prompt=login, acr_values as an example within OIDC
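The OIDC parameters named in the comment above are how an RP expresses use case 3 today, and the other half of that contract is the RP checking the ID token it gets back. The following Python is an added illustration written for this page; it is not code from the FedCM spec, from the issue author, or from any OIDC library. The endpoint, client_id, redirect_uri and the ACR value are constructed placeholders, and signature, issuer, audience and expiry validation are assumed to have been done by a JWT library before `check_id_token_claims` runs.

```python
"""Added example: an OIDC RP requesting max_age / prompt=login / acr_values,
then verifying that the returned ID token claims honour the request.
All endpoint and identifier values below are constructed for illustration."""
import time
from urllib.parse import urlencode

# Constructed values; not a real IDP or RP deployment.
IDP_AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "rp-client-id-example"
REDIRECT_URI = "https://rp.example/callback"
# Hypothetical ACR value; real deployments use the ACR names their IDP publishes.
PHISHING_RESISTANT_ACR = "urn:example:acr:phishing-resistant"


def build_authorization_url(nonce, state, max_age=None, force_login=False, acr_values=None):
    """Build an OIDC authorization request carrying the RP's authentication requirements.

    max_age:     maximum seconds since the user last actively authenticated (OIDC Core 3.1.2.1).
    force_login: send prompt=login so the IDP re-authenticates even if a session cookie exists.
    acr_values:  list of Authentication Context Class References, in order of preference.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if max_age is not None:
        params["max_age"] = str(int(max_age))
    if force_login:
        params["prompt"] = "login"
    if acr_values:
        params["acr_values"] = " ".join(acr_values)
    return f"{IDP_AUTHZ_ENDPOINT}?{urlencode(params)}"


def check_id_token_claims(claims, nonce, max_age=None, acr_values=None, now=None):
    """Check the use-case-specific ID token claims after generic JWT validation.

    Returns a list of problems; an empty list means the IDP honoured the request.
    Signature, iss, aud and exp are assumed to have been verified already.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if max_age is not None:
        # OIDC Core: when max_age was requested, auth_time is REQUIRED in the ID token.
        auth_time = claims.get("auth_time")
        if auth_time is None:
            problems.append("auth_time missing although max_age was requested")
        elif now - auth_time > max_age:
            problems.append(f"authentication too old: {int(now - auth_time)}s > max_age {max_age}s")
    if acr_values:
        # acr_values is only a voluntary request; the RP must check the acr claim itself
        # rather than assume the IDP used the requested method.
        if claims.get("acr") not in acr_values:
            problems.append(f"acr {claims.get('acr')!r} not among requested {acr_values}")
    return problems


if __name__ == "__main__":
    url = build_authorization_url("n-123", "s-456", max_age=300, force_login=True,
                                  acr_values=[PHISHING_RESISTANT_ACR])
    print(url)
    # Constructed claims as a JWT library would hand them back after validation.
    fresh = {"nonce": "n-123", "auth_time": int(time.time()) - 30, "acr": PHISHING_RESISTANT_ACR}
    stale = {"nonce": "n-123", "auth_time": int(time.time()) - 3600, "acr": "urn:example:acr:password"}
    print("fresh:", check_id_token_claims(fresh, "n-123", 300, [PHISHING_RESISTANT_ACR]))
    print("stale:", check_id_token_claims(stale, "n-123", 300, [PHISHING_RESISTANT_ACR]))
```

The point of the second function is that `max_age` and `acr_values` are requests, not guarantees: an IDP may ignore `acr_values` entirely, so an RP that needs a phishing-resistant method or a recent authentication has to enforce it on the `acr` and `auth_time` claims rather than on the fact that it asked.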

@npm1 npm1 added the documentation Improvements or additions to documentation label Jul 20, 2022
@achimschloss
Contributor

achimschloss commented Jul 27, 2022

There seems to be related work happening in relation to the need for the IDP to directly communicate with the user as @gffletch rightfully points out (also relevant if users are not authenticated with the IDP at all).

In the context of the payment handler/method standardisation there is a similar requirement for a payment handler to be able to interact with the user, which is addressed by service workers which are able to open a dialogue where they can do whatever is needed to proceed with the payment request. Payment Request Handler
