-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client authentication and consent creation #598
Comments
These requests originate from the browser so client (in the OAuth/OIDC sense) authentication isn't really appropriate. |
It would probably be better to split the two concerns into separate issues Anyway, for now you can only use origin+client_id for client authentication, as you observed. With w3c-fedid/custom-requests#2 you can send more data to the ID assertion endpoint. Regarding login_url, we intentionally do not allow sending identifiable data to that URL currently, for privacy reasons. With regards to consent creation:
|
I'm thinking about a confidential OAuth client. Requests technically originate from the browser but could employ a secure backend for request preparation. |
What privacy considerations? Keeping in mind that login url is called after user clicks to proceed with chosen IDP
Seems unnecessarily cumbersome user experience (2 interactions instead of 1), and not best privacy since IDP has to share all accounts data and cannot filter based on consent.
|
Technically that would not be a confidential OAuth client. |
Are you saying a web client cannot be confidential? Or did I not explain the architecture accurately? |
You can add client authentication to this flow if you do the slight variation of the flow that I did for IndieAuth. Basically you don't expect the ID token back from the assertion endpoint, you expect an authorization code which is exchanged for an ID token. This lets you start the flow from the backend, where you can do whatever client authentication you want, or any OAuth extensions like PAR/RAR/JAR/whatever. The authorization code is sent back from the assertion endpoint to the browser, the browser then sends the authorization code back to the server, where the server makes the request for the tokens and can use its client credentials again. This is basically analogous to treating the FedCM assertion endpoint as an OIDC authorization endpoint and using |
I like it |
No, it is also called directly in case of the button mode used with an IDP that's logged out. |
If you expect that the user logs in ~every time anyway, I am not sure that FedCM offers much value? Partitioned cookies should work just fine. |
I just wrote up some notes on how you could add client authentication when using OAuth. Notes are still rough, but you can read them here: https://github.com/aaronpk/oauth-fedcm-profile |
What I was trying to say is that architectural approach is not actually inline with the spirit or letter of being a confidential OAuth client. And almost certainly isn't giving you the security properties thereby bestowed. And very certainly shouldn't be something that's propagated into new contexts like FedCM's identity assertion endpoint. |
These are 2 related issues.
Client authentication:
Consent Creation
The text was updated successfully, but these errors were encountered: