Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make explicit that there can be multiple state machine keys for a particular RP #388

Closed
judielaine opened this issue Dec 30, 2022 · 5 comments
Closed

Make explicit that there can be multiple state machine keys for a particular RP #388

judielaine opened this issue Dec 30, 2022 · 5 comments
Labels
editorial

Comments

@judielaine
Copy link

While this may be "obvious" i suggest an explicit statement that prevents differing interpretations in the future.

I suggest text along the lines of:

The state machine must allow multiple keys with a state of "registered" for a particular RP.

There are many usecases where an individual may use (register) multiple IdPs with a single RP:

  • a contractor that needs to use an application like WorkDay or Service Now authenticating using enterprise IdPs for multiple contracts
  • a doctor with assignments in multiple medical groups who needs to authenticate to a particular health care portals with the different professional relationships
  • a researcher with affiliation to multiple libraries, where the libraries offer different resources at a particular journal publisher
  • a scholar with multiple adjunct faculty appointments that give differing access to a learning portal.
  • an individual may have different personas at a particular IdP and use more than one of those persona at an RP.

Note that this is not exactly like https://github.com/fedidcg/FedCM/issues/319 which appears to focus on the RP indicating multiple IdPs are acceptable. This follows on that issue by clarifying that given a set of IdPs accepted by an RP, a end user may use more than one and should NOT be required to "deregister" an IdP relationship with an RP before registering a second IdP with that RP.
@npm1
Copy link
Collaborator

npm1 commented Jan 3, 2023

The keys in the state machine are already a triple (rp, idp, account). I dont think this needs to be explicit? Is there a reason you think so? It is also up to the RP and IDP how/if they allow users to perform multiple logins at the same time, not up to the browser.

@judielaine
Copy link
Author

I will admit my concern is informed with working with UX teams and assumptions that can be made. I felt the explicit part was more to communicate to a non-implementer that there should be more than one allowed IdP per RP (as well as more than one allowed account per IdP per RP). I am unfamiliar with W3C spec conventions: perhaps my concern is better supported in other documentation.

@npm1
Copy link
Collaborator

npm1 commented Jan 30, 2023

Oh ok! I think specs are mostly meant for implementers although they are also looked at by other people. For developers or other people, I'd recommend looking at developer docs instead. For FedCM one such example is https://developer.chrome.com/docs/privacy-sandbox/fedcm/#use-api. But perhaps we can add a note (doesn't hurt?)

@npm1 npm1 mentioned this issue Feb 7, 2023
Closed
@npm1
Copy link
Collaborator

npm1 commented Feb 14, 2023

After writing the PR for this issue, I'm not really convinced that we need a note. It should be clear that a user may have more than one 'registered' account from the shape of the state machine. So I think we should close this issue, is that reasonable to you?

@judielaine
Copy link
Author

Yes, my regrets for causing churn.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
editorial
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add clarification about state machine npm1/FedCM
3 participants
@samuelgoto @judielaine @npm1