1 of 32

Federated Identity and Browsers (Updated for Q1 2024)

Heather Flanagan,

Wearer of All The Hats

2 of 32

Playlist for Today

Problem Statement

About Tracking

Timing

Standardization

Next Steps


3 of 32

Problem Statement for the Web

Non-transparent, uncontrollable tracking of users across the web needs to be addressed and prevented.

(Thank you, GDPR)


4 of 32

Federated Authentication Addendum

Many applications and services need to work through the browser to support SSO/federated login, and yet federated login and tracking tools use the same features and are indistinguishable from the browser’s perspective.


5 of 32

Government, Academia, Enterprise, etc., are important, but…

The experience and primary use case of the browser vendors is in social media.

Your use case matters, but you need to demonstrate it in action.


6 of 32

Competing Assumptions, All Valid

  • Of course the IdP needs to know what RP is asking for an authentication request! Our IdPs don’t talk to just anyone!
  • Of course the IdP shouldn’t know anything about the RP! The IdP might track the sites the user visits!

  • There are only 5-7 IdPs that really matter in the world.
  • There are 5000+ IdPs that really matter in the world.

All these statements are true. Browsers have to figure out how to support them all in the most privacy-preserving fashion possible.


7 of 32

It’s About More Than Just Federated Authentication

Sites use features like cookies for more than just authentication and authorization

  • Storing user preferences
  • Session information across frames
  • Demographic info for targeted advertising / content


8 of 32

LEARNING ABOUT TRACKING

9 of 32

How Does Tracking Happen

Third-Party Cookies

IP Addresses

Browser Fingerprints

Link Decoration

Bounces / Redirects


10 of 32

Cookies

HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user’s web browser.

  • First-Party Cookies
    • Accessible only by the domain that created it

  • Third-Party Cookies
    • Accessible to any site at any domain


11 of 32

IP Addresses

Used to identify machines and/or services

  • Tracking mitigations for Browser Fingerprinting often impact IP address information
  • Often used to make authorization decisions in:
    • Libraries
    • Enterprise Resource Planning (ERP) systems

  • All major browser vendors are offering built-in VPN services that block IP addresses, etc


12 of 32

Browser Fingerprints

Information collected about the software and hardware of a remote computing device for the purpose of identification

Includes capture of information such as

  • Browser used
  • Fonts used
  • Add-ons used
  • Browser security configuration
  • IP address

Have you seen “Mitigating Browser Fingerprinting in Web Specifications”?


13 of 32

Link Decoration

A method of adding extra information to the URL. Also known as “navigation-based tracking”

Used for:

  • Query strings
  • Some authentication tokens (i.e., “Front-channel”)
  • Tracking information

https://customer.sspnet.org/SSP/Events/2022-Annual-Meeting/ssp/AM22/Home.aspx?hkey=25db5ee4-3ea6-4a35-8f4a-a6229e9c194a
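An added example, not part of the original slides: a small audit that flags identifier-like query parameters in a URL, run on the URL above and on one constructed URL. The thresholds and the list of known parameter names are assumptions for illustration, not any browser's rules; note that the heuristic cannot tell a functional key or front-channel token from a tracking ID.

```javascript
// Heuristics below are assumptions for illustration, not any browser's actual rules.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// A few widely used campaign/click-identifier parameter names.
const KNOWN = new Set(["gclid", "fbclid", "utm_source", "utm_medium", "utm_campaign"]);

// Shannon entropy of a string, in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce(
    (h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

function classifyParam(name, value) {
  if (KNOWN.has(name.toLowerCase())) return "known-tracking-name";
  if (UUID.test(value)) return "identifier-like (UUID)";
  if (value.length >= 20 && entropy(value) >= 3.5) return "identifier-like (high entropy)";
  return "ordinary";
}

// Lists every query parameter with its classification.
function auditUrl(url) {
  return [...new URL(url).searchParams].map(
    ([name, value]) => ({ name, kind: classifyParam(name, value) }));
}

// Returns the URL without flagged parameters, e.g. before writing it to a log.
// Functional keys and auth tokens look the same and are removed too.
function stripDecoration(url) {
  const u = new URL(url);
  for (const [name, value] of [...u.searchParams]) {
    if (classifyParam(name, value) !== "ordinary") u.searchParams.delete(name);
  }
  return u.toString();
}

// The URL shown on the slide, and a constructed one (hypothetical host and values).
const slideUrl = "https://customer.sspnet.org/SSP/Events/2022-Annual-Meeting/ssp/AM22/Home.aspx?hkey=25db5ee4-3ea6-4a35-8f4a-a6229e9c194a";
const constructedUrl = "https://shop.example/item?id=42&gclid=abc&sid=Zx9Qp2Lk8Vb3Nw7Rt5Yh1Jm4";

console.log(auditUrl(slideUrl));
console.log(auditUrl(constructedUrl));
console.log(stripDecoration(constructedUrl));
```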


14 of 32

Bounces / Redirects

Used by trackers to get around third-party limitations, also known as redirect tracking

  • Website A sends the browser to the tracker to get a first-party cookie.
    • The tracker then sends the browser on to the user's destination with additional information stored in the browser that will allow the tracker to ‘follow’ the user around the web.

  • The end-user does not see this transition; they only see Website A and then the destination page.
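An added example, not part of the original slides: a simplified detector for the redirect pattern described above, run over three constructed navigation chains. The heuristic and the `wroteState` / `userInteracted` fields are assumptions for illustration, not any browser's algorithm; the third chain shows a silent SSO redirect being flagged exactly like the tracker, which is the overlap this talk is about.

```javascript
// Simplified model (assumption): an intermediate hop is a suspected bounce when it is
// cross-site to both ends of the chain, wrote its own state, and saw no user interaction.

// Approximates the registrable domain with the last two host labels
// (real code needs the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function findBounceSuspects(chain) {
  const first = site(chain[0].url);
  const last = site(chain[chain.length - 1].url);
  return chain
    .slice(1, -1) // the user only ever sees the first and the last page
    .filter((hop) => {
      const s = site(hop.url);
      return s !== first && s !== last && hop.wroteState && !hop.userInteracted;
    })
    .map((hop) => site(hop.url));
}

// Constructed navigation chains (hypothetical hosts).
const hop = (url, wroteState, userInteracted) => ({ url, wroteState, userInteracted });
const trackerChain = [
  hop("https://website-a.example/article", false, true),
  hop("https://r.tracker.example/go?to=shop", true, false),
  hop("https://shop.example/item/42", false, true),
];
const interactiveLogin = [
  hop("https://rp.example/login", false, true),
  hop("https://idp.example/authorize", true, true), // user typed credentials at the IdP
  hop("https://rp.example/callback", true, false),
];
const silentSso = [
  hop("https://rp.example/login", false, true),
  hop("https://idp.example/authorize", true, false), // existing IdP session, no prompt
  hop("https://rp.example/callback", true, false),
];

console.log(findBounceSuspects(trackerChain));
console.log(findBounceSuspects(interactiveLogin));
console.log(findBounceSuspects(silentSso));
```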


15 of 32

WHAT’S CHANGING NOW?

16 of 32

Timelines

  • Apple’s timeline:
    • Intelligent Tracking Protection saw the start of blocking third-party cookies in 2017 for all Safari users
  • Mozilla’s timeline:
    • Total Cookie Protection is on by default for all Firefox desktop users since April 2023
  • Google’s timeline:
    • https://privacysandbox.com/timeline
    • “On January 4, [2024] we'll begin testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. We'll roll this out to 1% of Chrome users globally, a key milestone in our Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024, subject to addressing any remaining competition concerns from the UK’s Competition and Markets Authority.”


17 of 32

What Happens When You Change the Primitives


18 of 32

Desktop Browser Market Share Worldwide

Source: https://gs.statcounter.com/browser-market-share/desktop/worldwide

[Chart: desktop browser market share worldwide. Series: Chrome, Safari, Edge, Firefox, Opera]


19 of 32

API Under Development: FedCM

“Federated Credentials Management API aims to fill the specific hole left by the removal of third-party cookies on federated login.” https://github.com/fedidcg/FedCM/blob/main/README.md

  • What this looks like in the current version of Chrome (v120)
    • Login Status API – an IdP informs the browser of its user's login status, reducing unnecessary requests to the IdP
    • Error API – notifying the user by showing a native UI with the error information provided by the IdP


20 of 32

Did we say “under development”?

FedCM is still working on how to tackle a few key areas

  • Scale (number of IdPs)
  • Origin (browser) vs endpoints (SAML/OIDC)
    • Proxy services
  • Interferes with at least the SAML protocol on a level outside of 3pc
  • Session timing (i.e., sessions may be very short-lived)
  • SAML and OIDC have similar but not the same behavior, esp. when it comes to circles of trust


21 of 32

In Scope, Out of Scope, Goals, and Non-Goals

FedCM is about third-party cookie deprecation

  • It is not (yet?) about navigation-based tracking
  • It is not (yet?) about bounce/redirect tracking

See the Explainer for more detail:

https://github.com/fedidcg/FedCM/blob/main/explainer.md


22 of 32

Google Identity Services

GIS is rolling out FedCM in their IdP

  • April 2024: GIS developers will be automatically migrated to the FedCM API
  • Long-tail adoption will be at least 5-10 years (or more!)

See the Privacy Sandbox blog for more detail:

https://developers.googleblog.com/2024/02/federated-credential-management-migration-for-google-identity-services.html


23 of 32

Prototyping and Testing

Feedback through testing is the BEST

Example:


24 of 32

BUT WHAT ABOUT ADVERTISING?

25 of 32

Disclaimer

While my expertise is more aligned with authentication and authorization, there have been a LOT of questions about what the browser changes mean to advertising, so here’s what I know so far.


26 of 32

If not cookies, then what?

  • Authenticated IDs
    • The individual has logged in and provided consent to be tracked
  • Inferred IDs
    • Device-level info that allows an advertiser to associate consumers with the sites they visit (aka, fingerprinting)
  • Google Privacy Sandbox APIs**
    • Protected Audience API (an API formerly known as FLEDGE)
    • Topics API (an API formerly known as FLoC)
    • Attribution Reporting API (just wait, I’m sure the name will change eventually)

** These are not standard across all browsers (yet?)


27 of 32

A Place for Everything, and Everything in its Place

  • W3C’s Private Advertising Technology Community Group
    • The mission of the Private Advertising Technology Community Group is to incubate web features and APIs that support advertising while acting in the interests of users, in particular providing strong privacy assurances.
  • W3C’s PROPOSED Private Advertising Technology Working Group
    • A work-in-progress; the initial proposal is supported, but there were formal objections that need to be addressed. Stay tuned!
  • W3C’s Web Incubator Community Group (WICG)
    • Home for several of the Privacy Sandbox APIs that don’t live anywhere else (e.g., Protected Audience, Attribution Reporting)
  • W3C’s Privacy Community Group
    • Home for several other of the Privacy Sandbox APIs (e.g., Topics)


28 of 32

THERE’S ALWAYS MORE

29 of 32

Standardization

Incubation first, Standardization second

  • FedID Community Group
    • Formed in June 2021 to incubate and iterate on the problems and possible solutions

  • PROPOSED Federated Identity Working Group
    • Expected formation in Q1 2024 with a goal to specify new web platform features intended to be implemented in browsers or similar user agents


30 of 32

Continuing the Conversations

To be a part of developing the solutions

  • Federated Identity Community Group

  • Private Advertising Technology Community Group

  • Privacy Community Group
    • https://privacycg.github.io/

  • REFEDS Browser Changes and Federation


31 of 32

Lurking Like a Lurker

  • The Mozilla Developers Network Blog - https://developer.mozilla.org/en-US/blog/

  • Apple Developer Forums - https://developer.apple.com/forums/


32 of 32

Q&A
