You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the SRC flow, a persistent user identifier is used to fetch card metadata for display and selection by the user. As browser behavior changes around 3p cookies, implementations are likely suffer.
I was chatting with @adrianhopebailie today about how we might address this (e.g., in a credential management API sort of way). We convered on a particular user experience that we liked and thought we could achieve this by building on top of the (still-being-designed) SPC payment credential data. Imagine for a moment that a payment credential can optionally include an identifier that means "This payment credential is part of a user profile that the RP identifies with this identifier."
We are very conscious of tracking, so this idea endeavors to only provide information with user consent.
Here's how it might work (all from a 3p context)
The user clicks a button in a 3p context, which calls Payment Request with payment method identifier "PMI"
In the API, the 3p requests that the browser prompt the user to select an identity for from the list
of payment credentials associated with "PMI"
Results:
0: silently return null
otherwise: the browser prompts the user to choose an identity. The browser returns (only) the identifier
associated with the payment credential. (For future discussion: optimizations)
Thus, the identifier is shared with the 3p after two user gestures:
Click a "buy" button
Select an identity to make a payment.
The identifier can be used to fetch more payment instruments associated with that user identity, and those can be displayed to the user for selection, followed by SPC authentication.
Thus we have parallel behaviors:
For identity: ask the browser to have the user pick an identity from stored payment credentials, otherwise silently return null.
For authentication: ask the browser to authenticate the user for a list of payment credential identifiers, otherwise silently return null.
The text was updated successfully, but these errors were encountered:
ianbjacobs
changed the title
Add identifier to payment credential structure to support credential fetching?
Add profile identifier to payment credential structure to support credential fetching?
May 17, 2021
Hi all,
In the SRC flow, a persistent user identifier is used to fetch card metadata for display and selection by the user. As browser behavior changes around 3p cookies, implementations are likely suffer.
I was chatting with @adrianhopebailie today about how we might address this (e.g., in a credential management API sort of way). We convered on a particular user experience that we liked and thought we could achieve this by building on top of the (still-being-designed) SPC payment credential data. Imagine for a moment that a payment credential can optionally include an identifier that means "This payment credential is part of a user profile that the RP identifies with this identifier."
We are very conscious of tracking, so this idea endeavors to only provide information with user consent.
Here's how it might work (all from a 3p context)
of payment credentials associated with "PMI"
0: silently return null
otherwise: the browser prompts the user to choose an identity. The browser returns (only) the identifier
associated with the payment credential. (For future discussion: optimizations)
Thus, the identifier is shared with the 3p after two user gestures:
The identifier can be used to fetch more payment instruments associated with that user identity, and those can be displayed to the user for selection, followed by SPC authentication.
Thus we have parallel behaviors:
For identity: ask the browser to have the user pick an identity from stored payment credentials, otherwise silently return null.
For authentication: ask the browser to authenticate the user for a list of payment credential identifiers, otherwise silently return null.
The text was updated successfully, but these errors were encountered: