Scopes and claims request parity in CredentialRequestOptions ? #154
Comments
|
We're in the process of updating the API which splits the return of the My plan was that the The rough, unverified plan in my head was to add a space separated {
"email": "Users email address",
"cal": "Users calendar"
}On the FedCM side, we'd verify all of the requested scopes are present in the list, display a popup to the user listing the scopes and their descriptions and, if the user consents, run the From a UX perspective, should the user be able to turn off individual scopes in the This all needs a bunch of thinking, spec an implementation work. If you see any glaring holes in the idea though, please let me know. |
|
The other question is, does the browser need to verify what's returned? If I ask for the If we do inspec the token, that means that the If the |
|
I would not feel comfortable having a by-design uncredentialed API that allows enumeration of customer created content (PrivateAPI.FooBars.read) - I don't think this would pass our GDPR review or security review.
Not all scopes can be shown to all users. It will be damaging to ask a consumer user for permission to access their directory, for instance - they do not have one. Moreover, not all apps exist in all tenants, so we'll get into a weird spot of showing consent for things that the user isn't allowed to know about due to client misconfigurations.
Will you be the arbiter of api://MyClientIdIs12345AndUserIsFromContoso.read being an acceptable scope name? If not, this is a data channel where the app can pack in a good amount of data that may not be too scary in the consent dialog.
This has the potential to break apps that aren't prepared for this. AAD doesn't offer this today, but Google does, and Facebook does in a limited way. This would certainly break our auth SDK cache. It's also not clear what you're protecting against - do you want a signal to the IdP of what to allow or not? Or are you preventing collusion between IdP and app? If the latter, can't work, but if the former, maybe it could be useful. It would break a lot of apps that just don't function if you don't grant access though.
One core issue is dynamic consent - the idea that you don't need to ask for everything up front. I think Fed CM would support this via repeat invocations, so just calling this out to keep in mind.
This just killed so many real privacy features and forced apps to go outside of your vision :) Here's an incomplete listing of what we put in an ID token, most of which are "optional" released under the |
With (Although, answering questions further down, we'd have to put more thought into the credentialed version of this. If it's credentialed, the IDP now knows all the scopes the RP wants for the user, so even if the user denied consent for some of them, the IDP could grant them anyway as we told the IDP which ones the RP wanted when getting the scope information. Doing the request uncredentialed would also have the same issue, just harder as it's a timing attack of the scope list being asked for, and then the token fetch and joining those two things in IP address.).
So, are you saying if the RP asks for scopes (a, b, c) you may not want to show any information for scope (b) to the user? Is it correct that this is an IDP decision which scopes are shown to the user? To clarify my statement, I was thinking we'd verify the scopes requested by the RP are returned by the IDP. So, if the RP requested (a, b, c) and the IDP returned (a == calendar, c == email) and (b) was missing, we'd ... something? I was originally thinking we'd need to make sure the user is consented for all the scopes, but it sounds like that isn't the case. In that world, if we don't verify, and we just display the IDP returned entries, that would solve the problem of scopes that don't make sense. Need to put more thought into if this opens up privacy issues or not.
We won't be the arbiter, I just want to make it clear that this channel is opened. It didn't exist before (in the FedCM API) and can be used to send arbitrary data from RP -> IDP. We need to make sure that is included in the privacy section of the spec.
Yea, I was originally thinking this would be something like the user say "you can share my email, but not my calendar". I realize the consent forms I've seen in the wild are all or nothing, but wanted to pose the question of, is this a good idea? I think if we skipped this completely now, it could be added in the future, we'd just remove the scope from the requested list before sending to the IDP.
Yup, that was my thinking, you'd make subsequent
I thought the spec had text around inspecting the This, I think, means FedCM is an API to allow the communication between the IDP and RP and controls how that communication happens but has no concept of what is being communicated. That probably also needs to get called out in the privacy part of the spec. |
Yup, the owner of the resource (b may be owned by a third party who only wants their API to be called by people in their organization, let's say) and the IDP acting on their behalf. It is often standard for the app to also pre-register what APIs it may want to have access to, so it could pass in "give me my default scopes" and have the IDP look those up. So you can also have cases where they provide "b.default" and you get back a, b, c. In general I'm not convinced this provides value to the user, the dev, or the IDP. If we decide suddenly that scope A also needs scope Q (it's happened), and so when we get a, b, c we return a, b, c, q, we should be allowed to do that to ensure that our legally important consent screen remains accurate.
It already exists though in the original FedCM prompt - these two sites are going to talk to each other about you. Generic consent text seems fine, we do it too, but I don't think I grok the connection to the scopes then. Seems ok though at end of day so can drop it.
Yeah, seems like a nice thing an IDP could opt into. Google does this nicely - their consent documentation indicates that users can pick and choose. Microsoft, on the other hand, indicates that what you request is what you'll get back (or a failure), modulo certain in applicable scopes. If we were to coordinate with our SDKs, update our docs, and then set a flag to enable this in Fed CM, that would be nice.
I think that's good from our perspective. There are flows that won't even return tokens, just an opaque authorization code, so having a hard dependency on tokens even being present would be hard. |
|
We think this is addressed by a combination of the parameters API (#556), continuation API (#555) and fields API (#559). |
Applications can request additional claims in their ID token using the "claims request" pattern in OIDC. This allows for runtime customization of the ID token. Requesting scopes also allows the app to indicate whether or not they need additional standard claims like the email address, phone number, address, or additional tracking elements.
Scopes and claims requests don't appear to fit into the FedCM API, but would be good for apps looking to request least access, or customize their runtime behavior.
Would the credential request options be the place for that?
https://www.connect2id.com/products/server/docs/guides/requesting-openid-claims#claims-parameter
The text was updated successfully, but these errors were encountered: