Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow RPs to selectively request attributes of the user's profile #4

Open
cbiesinger opened this issue Apr 15, 2024 · 9 comments
Open

Comments

@cbiesinger
Copy link

cbiesinger commented Apr 15, 2024

(this has been split out of w3c-fedid/FedCM#477 / #2)

Currently, the FedCM dialog is composed of two parts: (a) account choosing and (b) a selective disclosure prompt. The latter, is used to disclose to the user which attributes of the their profile are being requested by the RP (currently hardcoded to name/email/picture).

Sometimes, however, the RP needs more than the user's basic profile (e.g. the user's phone number), less (e.g. not requiring email addresses, e.g. w3c-fedid/FedCM#317 and w3c-fedid/FedCM#242 ), or not at all (e.g. access to the user's storage access, but not their profile), so the current UI doesn't represent the permission that the IdP needs to gather.

Currently, there is no way that the RP can use FedCM and have control over what they actually need from the IdP.

(https://fedidcg.github.io/FedCM/#request-permission-signup)

@cbiesinger
Copy link
Author

cbiesinger commented Apr 15, 2024

Proposal

This is a proposal to allow an RP to specify an additional request parameter to select which standard attributes of the user's account are used in the selective disclosure dialog. For example, it allows RPs to skip the permission dialog altogether (but not the account chooser) to use a pop-up window instead, as well as, in the future, selectively request attributes (e.g. skipping email addresses, or asking for language preferences or phone numbers).

partial dictionary IdentityProviderConfig {
  // A list of strings that represent what prompt the browser should show
  // For now "email", "name" and "picture" are supported as described below.
  sequence<USVString> fields;
};

An RP could use them like this:

let {token} = await navigator.credentials.get({
  identity: {
    providers: [{
      // A newly introduced "fields" attribute, a list of strings
      // Defaults to ["name", "email", "picture"], which is what
      // currently is asked of the user.
      // When [] is used, the selective disclosure prompt is 
      // skipped altogether.
      fields: [],

      clientId: "1234",
      nonce: "234234",
      configURL: "https://idp.example/fedcm.json",
    },
  }
});

This parameter is sent to the ID assertion endpoint as follows (that is, they will only be shared with the IdP after user permission):

  • All RP specified fields are sent in a fields parameter
  • Fields that the browser disclosed to the user are sent in a disclosure_shown_for parameter.

The browser uses it to disclose to the user the fields that are being requested by the RP. If an empty array is specified, the browser skips the disclosure dialog, since nothing is being requested out of the user's standard profile. It is the IdP's responsibility to only share the requested pieces of information, rely on previously gathered permissions or gather additional permission through the Params API and the Continuation API.

Because permissions are not requested for returning users, this new parameter has no impact on the UI for such users, and disclosure_shown_for will be sent with an empty string.

For example, the ID assertion request body might look like this:

POST /fedcm_assertion_endpoint HTTP/1.1
Host: idp.example
Origin: https://rp.example/
Content-Type: application/x-www-form-urlencoded
Cookie: 0x23223
Sec-Fetch-Dest: webidentity

account_id=123&client_id=client1234&nonce=234234&disclosure_text_shown=true&fields=email,name,picture&disclosure_shown_for=email,name,picture

If necessary, the IdP can use the Params API and the Continuation API to gather the user's permission for additional fields.

Forwards Compatibility

While we expect the Continuation API to cover most extensibility needs, we also expect that there is a subset of well-known attributes that the user agent would be able to mediate constructively (e.g. lower friction than pop-up windows, UX consistency across IdPs). Beyond name/email/picture which is currently supported, some of the most commonly asked extensions are allowing RPs to request for the user's phone number (as opposed to email addresses) or the user's language preferences. It is not clear where we could go from there, but we expect a subset of the OIDC's Standard Claims or HTML's autocomplete to be things that the browser could potentially mediate in a constructive way (e.g. organization, country, websites).

In order not to break older browsers when new fields are added to the spec, we suggest the following semantics:

  • The browser ignores fields that it does not understand
  • The browser sends only the fields that it did understand and prompted for to the IDP in the fields parameter
  • If, based on the fields that were sent, the IdP needs to gather additional permission, it can do so using the continue_on parameter

For now, we expect that browsers only support prompting for ["name", "email", "picture"]. That is, if the array contains one or two of, but not all three of "name", "email", and "picture", we expect the promise to be rejected immediately. RPs/IdPs which want to prompt for a subset of these "standard" fields will have to use an empty array and prompt using the Continuation API. In the future, we may support other sets of fields, such as only name and picture, or name, picture and phone number. We expect to add an IdP-side opt-in mechanism to specific supported fields to the configURL at that point in time.

A future version of the spec might allow a user to selectively permit sharing some but not all of the requested fields. If this happens, we expect to add another parameter that would contain the fields that the user has disallowed.

@cbiesinger cbiesinger changed the title Passing custom scopes to the ID assertion endpoint Suppressing user disclosure text in FedCM UI for custom scopes Apr 15, 2024
@cbiesinger cbiesinger changed the title Suppressing user disclosure text in FedCM UI for custom scopes Suppressing permission prompt in FedCM UI for custom scopes Apr 15, 2024
@samuelgoto samuelgoto changed the title Suppressing permission prompt in FedCM UI for custom scopes Allow RP's some control over the Disclosure Prompt May 9, 2024
@samuelgoto samuelgoto changed the title Allow RP's some control over the Disclosure Prompt Allow RPs some control over the Disclosure Prompt May 9, 2024
@cbiesinger
Copy link
Author

We have now substantially reworked the proposal, with the primary goal of making it less OAuth-scope specific and the secondary goal of allowing future customizations of the UI such as not asking for email or asking for a phone number instead.

I would love to hear thoughts on the new proposal! It is in the updated comment above.

chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 9, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 10, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 10, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 10, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 10, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 13, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526, 340194462
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 13, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526, 340194462
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5529071
Reviewed-by: Yi Gu <yigu@chromium.org>
Reviewed-by: Brendon Tiszka <tiszka@chromium.org>
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1300264}
chromium-wpt-export-bot referenced this issue in web-platform-tests/wpt May 13, 2024
This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526, 340194462
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5529071
Reviewed-by: Yi Gu <yigu@chromium.org>
Reviewed-by: Brendon Tiszka <tiszka@chromium.org>
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1300264}
@elf-pavlik
Copy link

Beyond name/email/picture which is currently supported, some of the most commonly asked extensions are allowing RPs to request for the user's phone number (w3c-fedid/FedCM#435) or the user's language preferences. It is not clear where we could go from there, but we expect a subset of the OIDC's Standard Claims or HTML's autocomplete to be things that the browser could potentially mediate in a constructive way (e.g. organization, country, websites).

I see that the Contact Picker API is already on the REC track: https://www.w3.org/TR/contact-picker/

Isn't some alignment between user information and contact information helpful? Offering similar UX for disclosing common properties and consistent DX for handling that information would be a plus.

moz-v2v-gh referenced this issue in mozilla/gecko-dev May 21, 2024
…fields API, a=testonly

Automatic update from web-platform-tests
[FedCM] Replace the scopes API with the fields API

This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526, 340194462
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5529071
Reviewed-by: Yi Gu <yigu@chromium.org>
Reviewed-by: Brendon Tiszka <tiszka@chromium.org>
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1300264}

--

wpt-commits: e40e7e0043824d384d9fd0a71cc6000ca75e1236
wpt-pr: 46192
jamienicol referenced this issue in jamienicol/gecko May 23, 2024
…fields API, a=testonly

Automatic update from web-platform-tests
[FedCM] Replace the scopes API with the fields API

This implements the new proposal here:
https://github.com/fedidcg/FedCM/issues/559

If one or two but not all of ["name", "email", "picture"] are requested,
we reject the promise. Otherwise, we show the disclosure text if
either field is not specified or contains the three default fields.
All specified fields are passed to the server in the "fields" parameter;
if fields was unspecified we pass the default fields here.

All this is for forwards compatibility.

Bug: 40262526, 340194462
Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5529071
Reviewed-by: Yi Gu <yigu@chromium.org>
Reviewed-by: Brendon Tiszka <tiszka@chromium.org>
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1300264}

--

wpt-commits: e40e7e0043824d384d9fd0a71cc6000ca75e1236
wpt-pr: 46192
@samuelgoto samuelgoto changed the title Allow RPs some control over the Disclosure Prompt Allow RPs to selectively request attributes of the user's profile Jun 19, 2024
@chad-cole
Copy link

chad-cole commented Jul 26, 2024

I am interested in the Fields API, as is my team at Shopify. Is there anything we can do to help move this forward?


I am new to the FedCM community, apologies if this is not the right place to register interest. If not a pointer would be greatly appreciated!

@npm1
Copy link

npm1 commented Jul 26, 2024

Hey Chad, actually there is! This API is currently on Origin Trials in Chrome. See https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-126-updates. So you can try it out yourself but you can also test it out on real users if you deploy FedCM and use the OT, and provide feedback that way. We also have https://groups.google.com/g/fedcm-developer-newsletter for people interested in FedCM updates in Chrome. Feel free to comment here with questions.

@samuelgoto
Copy link
Collaborator

Just cross posting from a related discussion that's happening in a different repo, to introduce a username field:

privacysandbox/privacy-sandbox-dev-support#379 (comment)

@samuelgoto
Copy link
Collaborator

Here are a few fields that we heard in the past that may be useful to start from:

  • name
  • email
  • picture
  • username (based on this)
  • phoneNumber (based on this)

And allow any combination of these values, e.g. ["name", "email"] or ["name", "picture", "username"].

@TallTed
Copy link

TallTed commented Aug 15, 2024

Any time fields like these are being considered, it's worth another review of the Awesome Falsehoods lists.

Many of the potential downfalls reavealed there would be avoided by the "any combination of n fields" idea, but these can still be helpful in making each field less problematic in itself.

@gioele-antoci
Copy link

Joel from Shopify here! phoneNumber in particular would be HUGE for us! +1

cbiesinger added a commit to cbiesinger/WebID that referenced this issue Oct 28, 2024
cbiesinger added a commit to cbiesinger/WebID that referenced this issue Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants