1 of 25

TECHNICAL CONSIDERATIONS:

  • Turn on captions by:
    • selecting "More options" (the ellipsis) at the bottom right and then "Turn on captions"
  • Change the number of participants you see on your screen by:
    • selecting "More options" (the ellipsis) at the bottom right and then "Change layout"
  • Mute or pin participants by:
    • selecting "Mute" or "Pin" in a participant's thumbnail image
  • If you experience quality issues, change your send and receive resolutions to 360p by:
    • selecting "More options" (the ellipsis) at the bottom right and then "Settings" and "Video"
  • [G Suite Enterprise accounts] Toggle noise cancellation on by:
    • selecting "More options" (the ellipsis) at the bottom right and then "Settings" and "Audio"

ETIQUETTE & BEST PRACTICES:

  • If available, use a hard line Internet connection rather than wireless Internet
  • If available, use a headset for audio
  • Find a quiet location with a background that's not distracting
  • Have a light source in front of you to help bring the focus to you
  • Put your devices in "Do Not Disturb" mode to silence notifications on your computer, tablet, phone, etc.
  • Mute your mic when you are not speaking
  • Look directly into the camera as much as possible to establish eye contact with the viewers
  • When in doubt, just practice common courtesy. People want to be heard, seen, and respected during an online meeting—just like they do everywhere else.

IMPORTANT INFO - DO NOT DELETE

2 of 25

WebID

Privacy and Identity Federation on the Web

BlinkOn 13

Ken Buchanan (kenrb@chromium.org)

3 of 25

4 of 25

Federation is Safer Than Usernames/Passwords

[Diagram: Browser, RP, IDP. A mock example.com sign-in page with email and password fields, a "forgot password" link, and "Sign-in with A" / "Sign-in with B" buttons under "Sign Up" / "Create an account with".]

Annotations on the diagram:
  • phishing, credential stuffing, password reuse
  • Two-factor authentication, password-less single sign-on

5 of 25

Reliance on General-purpose Web Primitives

[Diagram: Browser, RP, IDP. Two copies of the example.com sign-in page ("Sign-in with A" / "Sign-in with B"); the browser shows a "Pop up blocked" prompt reading "example.com wants to open a new window to a.com, but we blocked." with an "allow" button.]

6 of 25

Reliance on General-purpose Web Primitives

  • Cross-origin iframes
  • Third-party cookies
  • Decorated navigations/redirects
  • Pop-ups
  • Cross-origin postMessage

7 of 25

Third-Party Cookie Access

[Diagram: Browser, RP, IDP. Two RPs, example1.com and example2.com, each show a sign-in page; on both, the IDP recognises the same account through its cookie and renders "Sign-in to example.com with IDP" with "Sam Goto, samuelgoto@gmail.com" and a "Continue as Sam" button.]

8 of 25

Navigational/Bounce Tracking and Link Decoration

[Diagram: Browser, RP, Tracker. The user clicks "Buy" on https://rings.com ("Engagement Rings!", US$ 1000) and on https://shoes.com ("Engagement Shoes!", US$ 32); each click navigates through https://tracker.com ("Redirecting you ..."), which records "User 123 viewed engagement rings", "User 123 viewed engagement shoes", ....]

9 of 25

RP Consequences of Web Identity

[Diagram: Browser, RP, IDP, Tracker. Both example1.com and example2.com offer "Sign-in with A" / "Sign-in with B"; https://a.com asks "Welcome Sam! Are you trying to create an account with example.com?" (Yes), and the same global identifier, "Sam Goto, samuelgoto@gmail.com", is released to every RP and, in the diagram, onward to a Tracker.]

global identifiers

10 of 25

IDP Consequences of Federated Sign-in

[Diagram: Browser, RP, IDP. The example.com sign-in page hands off to https://b.com by navigation (Referer: https://example.com), so the IDP learns which RP the user came from and can show: "Welcome Sam! Here are the sites you've logged in to this week:"]
  • example.com
  • a.com
  • b.com
  • embarrassing.com
  • ugh.com
  • blargh.com

11 of 25

WebID Proposals for Sign-In / Sign-Up

12 of 25

Project Goal

Develop a web API that enables existing federation flows to continue working for users, RPs and IdPs while improving user privacy and control of their personal information.

Please note that this project is in very early stages and everything below is still considered exploratory.

13 of 25

Complex Trade-offs

  • Usability
  • Developer Control
  • Ease of Deployment
  • Privacy Properties
  • Use Case Coverage

14 of 25

Directed Identifiers

[Diagram: Browser, RP, IDP. example1.com and example2.com each offer "Sign-in with A" / "Sign-in with B"; https://idp.com asks "Welcome Sam! Are you trying to create an account with example.com?" (Yes). Instead of the global identifier "Sam Goto, samuelgoto@gmail.com", each RP receives a different directed identifier: "Sam G., asjlkd234@gmail.com" at one RP and "Sam G., 32wer2343@gmail.com" at the other.]

Verifiably Directed Identifiers

SHA256(IDP_ID + RP + NONCE)

15 of 25

Precise API shape not settled

  • At a high level, we replace cross-origin redirect/popup with a JS API for the Relying Party to call:

      async function signInWithIDP() {
        // The RP names the IDP(s) it accepts and the request the browser should relay.
        // validateIDToken() and handleError() are the RP's own functions.
        navigator.id.get({
          provider: ['https://accounts.idp.example'],
          request: {
            response_type: 'code',
            client_id: '4e8sj09jj105',
            state: '0ac879ed',
            destination: 'https://rp.example'
          }
        })
        .then(response => validateIDToken(response))
        .catch(err => handleError(err));
      }

16 of 25

How much intermediation?

  • Approaches for designing a new API fall into three general buckets:
    • The Permission-oriented Variation
    • The Mediation-oriented Variation
    • The Delegation-oriented Variation

17 of 25

#1 The Permission-oriented Variation

[Diagram: UA, RP, IDP. The example.com sign-in page offers IDP1 / IDP2 (facebook, google) buttons. The IDP's own page reads "Use your accounts.idp.com profile to sign into example.com and create an account with the information below: EMAIL samuelgoto@gmail.com (Share my email); NAME Sam Goto", with "Sign in with https://accounts.idp.com", "continue", "Forward to: samuelgoto@gmail.com" and "cancel". Before the identifier is released, the UA interposes permission prompts: "Would you like to sign-in to example.com with accounts.idp.com? No / Yes" and "By signing-in to example.com with your email address, you can be tracked across sites. EMAIL samuelgoto@gmail.com cancel / allow".]

18 of 25

#2 The Mediation-oriented Variation

[Diagram: User Agent, Relying Party. The example.com sign-in page offers IDP1 / IDP2 buttons. Rather than navigating to the IDP, the User Agent itself renders the account chooser: "Use your accounts.idp.com profile to sign into example.com and create an account with the information below: EMAIL samuelgoto@gmail.com (Share my email); NAME Sam Goto", with "continue", "Forward to" and "cancel".]

19 of 25

IDP Tracking

  • Neither the permission-based nor mediation-based approach limits the ability of the IDP to know where the user has signed in using the IDP credentials.
  • The delegation-based approach redefines the role of the IDP to address that.

20 of 25

#3 The Delegation-oriented Variation

[Sequence diagram. Participants: User Agent, Relying Party (rp.com), Identity Provider (idp.com), Email Provider (email.com), Email Proxy (proxy.com). Artifacts: global email, directed email, keypair, certificate, nonce, recovery token. Messages, in order:]

  • [1] Want to Sign-in with IDP.com?
  • [2a] What accounts does this user have?
  • [2b] Sign-in user is alice@email.com.
  • [4a] Does RP have an account for SHA256(alice@email.com, R, rp.com)?
  • [4b] No..
  • [5] Forward abc@proxy.com to alice@email.com and hand me back a certificate?
  • [6] Can I sign IdTokens for {id:abc, email:abc@proxy.com}?
  • [6a] Check no one else has claimed id:abc
  • [6b] Verify email address (if included in claim)
  • [6c] Here is a nonce and a certificate.
  • [7] I am abc@proxy.com and SHA256(alice@email.com, RP, nonce). Prove this to me later with SIGNED(SHA256(alice@email, abc@proxy, RP, nonce), private key)
  • [8] Welcome abc@proxy.com!
  • [9] Welcome abc@proxy.com!

21 of 25

Server-Side Relying Party Backwards Compatibility

[Diagram: Browser, RP, IDP. example.com after sign-in shows "Welcome Sam! We got your verified email on record!" and a "Logout" button.]

If the user grants access, the id token is passed back to the application:

    {
      "alg": "HS256",
      "typ": "JWT"
    }
    {
      "iss": "https://accounts.a.com",
      "sub": "110169484474386276334",
      "aud": "https://example.com",
      "name": "Sam",
      "given_name": "Sam",
      "family_name": "G.",
      "email": "242423asf390@email.example",
      "email_verified": "true"
    }
    HMACSHA256(
      base64UrlEncode(header) + "." +
      base64UrlEncode(payload),
      SECRET
    )

22 of 25

Looking Forward

23 of 25

Challenges

  • Ecosystem design
    • Can RPs do their job well enough with directed identifiers? Customer support is the classic example.
  • Technical questions
    • To what extent can we programmatically enforce directed identifiers?
    • How valuable are technical enforcement measures over policy requirements for IDP behaviour?
    • What about server-to-server communication that is in common use today?
  • Accommodating other use cases
    • Should enterprise policies play a role in setting a different privacy bar for enterprise SSO? How would we handle “bring your own device” scenarios?

24 of 25

Engagement

  • Many stakeholders:
    • RPs
    • IDPs
    • Browsers
    • Other identity ecosystem participants
  • Feedback is welcome on https://github.com/WICG/WebID

25 of 25

This deck is shared publicly.