1 of 27

WebID

FedCM

dsinclair@chromium.org

2021.11.17

PUBLIC

BlinkOn 15

2 of 27

The why, when, what, and how

BlinkOn 15

3 of 27

Why

BlinkOn 15

4 of 27

Privacy Sandbox

Develop new privacy-preserving technologies

Phase out third-party cookies

Continue to mediate covert tracking

+

https://privacysandbox.com/

BlinkOn 15

5 of 27

Wait, federated identity?

BlinkOn 15

6 of 27

BlinkOn 15

7 of 27

And cookies are involved?

BlinkOn 15

8 of 27

******

Sign Up

https://example1.com

John Doe�johndoe@email.com

Sign-in to example1.com with IDP

Continue as John

forgot password

your@email.com

Browser

RP

IDP

BlinkOn 15

9 of 27

https://idp.com

Signing-out of RP1

Signing out of your apps

Signing-out of RP2

Signing-out of RPn

...

Browser

RP

IDP

BlinkOn 15

10 of 27

Cookies sound nutritious and delicious?

BlinkOn 15

11 of 27

BlinkOn 15

12 of 27

To preserve and elevate federated identity�for a more private web.

BlinkOn 15

13 of 27

When

BlinkOn 15

14 of 27

2023

2020

2021

2022

Here are 3 options�I2P

Oops, we have a problem

Hi there

today

Prototyping

Devtrial 1

Hello WICG, OIDF

Is this even a problem?

Would these even work?

This could work. How can I try?

Stable

Devtrial n

This works!

I2E?

Origin Trial(s)

No, it doesn’t.

I2S?

It more or less does.

3PCD

BlinkOn 15

We’ve been at this for a while
There has been a lot of investigation, prototyping and analysis of other possible solutions
This has involved looking at:

A more restrictive delegation model
Our proposed mediation solution
A less restrictive permission model

Each of those three models has pros and cons. We’ve been trying to strike a balance between privacy, trackability and ease of adoption.
https://privacysandbox.com/timeline/ currently points to 2023 as the target to turn off third-party cookies
FedCM needs to be done before then to give people time to transition.
We’re currently working through some devtrials, plans for more devtrials
Origin trials early next year
Hopefully we don’t have to course correct too much

Plan is to move the spec to the FedID CG sooner rather than later

More IDP and RP feedback
Will be looking for expanded browser feedback as well

15 of 27

What

BlinkOn 15

16 of 27

BlinkOn 15

17 of 27

BlinkOn 15

18 of 27

BlinkOn 15

Let’s look at this from a network perspective. Assume the user has multiple accounts with the IDP and visits the RP sign in page.
Note that all the communication between the RP and IDP all happens through the browser, there is no direct communication between the two

FedCM attempts to load previous stored credentials in step 4, assume there are non
A promise is sent to the RP
In 6 FedCM retrieves the .well-known/fedcm file from the IDP providing various IDP endpoint URLs

Sent without cookies, Referrer or client_id from the RP
account_endpoint

List of user accounts with IDP

Client_id_metadata_endpoint

Provides Terms of Service and Privacy Policy links for the RP

Revocation_endpoint

Provides endpoint to revoke the users tokens with the RP

Id_token_endpoint

Provides endpoint to retrieve an id token for the RP

From the result of 6, we can query the accounts_endpoint in 8

Sent with IDP cookies, no referrer or client_id

Step 10 is where we prompt the user to choose their account
Step 12 we request the client_id_metadata information from the IDP

Sent with no cookies, but the RP client_id is provided

Step 14, prompt the user to accept terms and conditions of sign-up
Step 16, resolve the promise and provide the credential to the PR.

19 of 27

How

BlinkOn 15

20 of 27

https://github.com/fedidcg/use-case-library/issues

BlinkOn 15

21 of 27

https://wicg.github.io/FedCM

BlinkOn 15

From those use cases we’re building a Federated Credential Management API
The FedCM API is built on top of the Credential Management Level 1 API
(Well, it’s in the process of moving to be built on top of that API)

Currently under the WICG, we’re planning on bringing to the FedID CG in the near future as the planned official home for the specification
We’re working on updating the API in the spec (https://github.com/WICG/FedCM/issues/145) to a closer match with credential management API.

We’re purposely building a high level API. Our goal is to not require the unrestricted access to third-party cookies in order to facility federated identity.
We don’t know if this is actually possible at this point. Are there things that are just not mediatable?
How do we do all of this without getting in the way of innovation?

22 of 27

Accounts API

Metadata API

IdToken API

.well-known

Identity Provider

State Machine

Relying

Party

State Machine

User

Agent

State Machine

Logout API

Sign-in

Sign-out

Revoke

Sign-out

Revocation API

BlinkOn 15

23 of 27

O(B) > O(M) > O(100s)

Users

Relying Parties

Identity Providers

BlinkOn 15

24 of 27

Session Management

BlinkOn 15

25 of 27

Curious? chrome://flags/#webid

(mobile only for now)

BlinkOn 15

26 of 27

TL;DR;

Third party cookies are being deprecated
Targeted at sometime in 2023
We think browser meditation will work to keep federated identity working
https://github.com/fedidcg/use-case-library/issues
Federated Credential Management API spec
chrome://flags/#webid

BlinkOn 15

27 of 27

Questions

dsinclair@chromium.org

BlinkOn 15