<div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">I thought I was very specific. (Note that <a href="http://live.com">live.com</a> IS NOT an IdP in the sense you mean; it just belongs to a federation that includes an IdP.)</span></div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">1. What does the message from the verifier to the browser look like? Specifically, what labels does the list of known IdPs (or should I say federations) contain?</span></div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">2. How does that message get rendered by whatever browser the user has instantiated (assuming only that FedCM (and possibly a PM) is enabled by that browser)?</span></div><div><font color="rgba(0, 0, 0, 0.9)" face="-apple-system, system-ui, system-ui, Segoe UI, Roboto, Helvetica Neue, Fira Sans, Ubuntu, Oxygen, Oxygen Sans, Cantarell, Droid Sans, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol, Lucida Grande, Helvetica, Arial, sans-serif"><span style="font-size:14px;background-color:rgb(242,242,242)">-- I understand that the user state on that browser may impact the UX, where "state" includes a variety of elements.</span></font></div><div><font color="rgba(0, 0, 0, 0.9)" face="-apple-system, system-ui, system-ui, Segoe UI, Roboto, Helvetica Neue, Fira Sans, Ubuntu, Oxygen, Oxygen Sans, Cantarell, Droid Sans, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol, Lucida Grande, Helvetica, Arial, sans-serif"><span style="font-size:14px;background-color:rgb(242,242,242)">I would be interested to know what the following might possibly mean (other than the user has logged into the browser's vendor site): </span></font>"registered it as an IdP in your browser"</div><div>Another thought. Suppose I have accounts at <a href="http://foo.okta.com">foo.okta.com</a> and <a href="http://bar.okta.com">bar.okta.com</a>, what is the federation identified to the browser by the verifier? (or is this out-of-scope?)</div><div>Another question: Does the verifier have different requests for login versus registration? 
Or is the FedCM / PM expected to be able to disambiguate the request?</div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"> </span>..tom</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 14, 2024 at 10:10 AM Aaron Parecki <<a href="mailto:aaron@parecki.com">aaron@parecki.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Are you talking about the "configURL: any" version or the RP providing specific config URLs?<div><br></div><div>In the "any" world, if you're logged in as <a href="mailto:tom@live.com" target="_blank">tom@live.com</a>, *and* if you have visited the <a href="http://live.com" target="_blank">live.com</a> IdP and registered it as an IdP in your browser, then an RP that asks for "configURL: any" would get the <a href="mailto:tom@live.com" target="_blank">tom@live.com</a> account in the FedCM dialog.</div><div><br></div><div>I guess I don't understand the problem you're talking about.</div><div><br></div><div>Aaron</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 14, 2024 at 9:45 AM Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I question the statement Aaron made - quoted below. What would a logon request from an RP look like that could enable a meaningful UX? - consider login with MS as an RP option. 
If I am currently logged on as <a href="mailto:tom@live.com" target="_blank">tom@live.com</a>, how can (EVERY BROWSER that the user might have) connect that with MS logon?<div><br></div><div><p class="MsoNormal"> Aaron said that FedCM can help make things better by only showing identities that you have<u></u><u></u></p><p class="MsoNormal"> As opposed to showing all the IdPs that it is possible to use<u></u><u></u></p><p class="MsoNormal"> Research & Education sites have ornate IdP pickers among thousands of sites</p><p class="MsoNormal"><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px"> </span>..tom<br></p><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 13, 2024 at 5:35 PM Michael Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-US">
<div>
<p class="MsoNormal">Spec Call Notes 13-May-24<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Mike Jones<u></u><u></u></p>
<p class="MsoNormal">Sam Goto<u></u><u></u></p>
<p class="MsoNormal">Aaron Parecki<u></u><u></u></p>
<p class="MsoNormal">Tom Jones<u></u><u></u></p>
<p class="MsoNormal">Dima Postnikov<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">IdP Discovery Discussion<u></u><u></u></p>
<p class="MsoNormal"> We had a free-ranging discussion of IdP discovery problems and solutions<u></u><u></u></p>
<p class="MsoNormal"> Also called Home Realm Discovery<u></u><u></u></p>
<p class="MsoNormal"> Motivated in part by problems that FedCM is trying to solve<u></u><u></u></p>
<p class="MsoNormal"> Both closed sets and open sets of IdPs are used in different contexts<u></u><u></u></p>
<p class="MsoNormal"> NASCAR screens are closed<u></u><u></u></p>
<p class="MsoNormal"> E-mail is an open space<u></u><u></u></p>
<p class="MsoNormal"> Federations are logically closed but may have thousands of participants<u></u><u></u></p>
<p class="MsoNormal"> Different kinds of ecosystems have different properties<u></u><u></u></p>
<p class="MsoNormal"> Open Banking systems are closed<u></u><u></u></p>
<p class="MsoNormal"> Research & Academic Federations are distinct from those<u></u><u></u></p>
<p class="MsoNormal"> SAAS apps are more open, accepting a large set of corporate identities<u></u><u></u></p>
<p class="MsoNormal"> You may have identities from one ecosystem that can't be used in another<u></u><u></u></p>
<p class="MsoNormal"> We discussed how blog commenting was the use case for OpenID 2.0<u></u><u></u></p>
<p class="MsoNormal"> Which was an open system<u></u><u></u></p>
<p class="MsoNormal"> Having claimed identifiers authenticated you and differentiated you from comment spam<u></u><u></u></p>
<p class="MsoNormal"> Bloggers knew they had URLs and were willing to type them<u></u><u></u></p>
<p class="MsoNormal"> Whereas NASCAR screens have better conversion rates than any UX where you have to type<u></u><u></u></p>
<p class="MsoNormal"> We talked about the need for incentives for ecosystem participants<u></u><u></u></p>
<p class="MsoNormal"> Particularly for RPs<u></u><u></u></p>
<p class="MsoNormal"> Tom asked about user identifiers and picking IdPs<u></u><u></u></p>
<p class="MsoNormal"> Aaron said that FedCM can help make things better by only showing identities that you have<u></u><u></u></p>
<p class="MsoNormal"> As opposed to showing all the IdPs that it is possible to use<u></u><u></u></p>
<p class="MsoNormal"> Research & Education sites have ornate IdP pickers among thousands of sites<u></u><u></u></p>
<p class="MsoNormal"> Mike said that one IdP discovery problem is people not remembering which IdP they used at an RP<u></u><u></u></p>
<p class="MsoNormal"> Aaron remarked on the prevalence of e-mail as an account recovery path<u></u><u></u></p>
<p class="MsoNormal"> Sam asked about the role of single-user OPs, such as <a href="http://self-issued.info" target="_blank">self-issued.info</a><u></u><u></u></p>
<p class="MsoNormal"> And about the cases where an e-mail domain is the same as the IdP's domain<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Pull Requests<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/" target="_blank">
https://bitbucket.org/openid/connect/pull-requests/</a><u></u><u></u></p>
<p class="MsoNormal"> PR #736: [Federation] listing endpoint parameters updated_since and updated_before<u></u><u></u></p>
<p class="MsoNormal"> Dima: In open banking, etc. regulator controls who is in and out<u></u><u></u></p>
<p class="MsoNormal"> Closed ecosystems<u></u><u></u></p>
<p class="MsoNormal"> Mike: Filtering on updated times requires superiors to track changes in subordinates<u></u><u></u></p>
<p class="MsoNormal"> Mike: What kinds of updates are you interested in knowing about?<u></u><u></u></p>
<p class="MsoNormal"> Dima: Added, key and metadata changes, disabled/deactivated<u></u><u></u></p>
<p class="MsoNormal"> PR #731: [Federation] the new federation_subordinate_events_endpoint<u></u><u></u></p>
<p class="MsoNormal"> Mike asked Dima to also look at this for ConnectID's use cases<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Next Call<u></u><u></u></p>
<p class="MsoNormal"> The next call is Thursday, May 16 at 7am Pacific Time<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></blockquote></div>
</blockquote></div>
</blockquote></div>