<div dir="ltr">If you have a Microsoft account, <a href="mailto:tom@live.com">tom@live.com</a>, and the RP is using FedCM against the Microsoft IdP <a href="http://login.microsoftonline.com">login.microsoftonline.com</a>, then the assumption is that you have a cookie for <a href="http://login.microsoftonline.com">login.microsoftonline.com</a> for your <a href="mailto:tom@live.com">tom@live.com</a> account. There is nothing special about the <a href="http://live.com">live.com</a> email address being a different domain. You can see this in action right now if you have a Google account with a different email address domain: your <a href="http://non-gmail.com">non-gmail.com</a> address will appear in the FedCM popup when you visit an RP that uses the Google IdP.<div><br></div><div>If you have accounts at <a href="http://foo.okta.com">foo.okta.com</a> and <a href="http://bar.okta.com">bar.okta.com</a>, they are entirely independent, not part of a federation, and share nothing in common, so there is no special behavior. 
If we're talking about a future version of FedCM that works with arbitrary enterprise IdPs, the browser could say "I need this user to sign in with an enterprise IdP", and if the user is signed in to both foo and bar, both accounts would appear in the list, but are entirely independent from each other.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 14, 2024 at 1:30 PM Tom Jones <<a href="mailto:thomasclinganjones@gmail.com">thomasclinganjones@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">I thought I was very specific. (Note that <a href="http://live.com" target="_blank">live.com</a> IS NOT an IdP in the sense you mean. It just belongs to a federation that includes an IdP.)</span></div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">1. What does the message from the verifier to the browser look like? 
Specifically, what labels does the list of known IdPs (or should I say federations) contain?</span></div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">2. How does that message get rendered by whatever browser the user has instantiated (assuming only that FedCM (and possibly a PM) is enabled by that browser)?</span></div><div><font color="rgba(0, 0, 0, 0.9)" face="-apple-system, system-ui, system-ui, Segoe UI, Roboto, Helvetica Neue, Fira Sans, Ubuntu, Oxygen, Oxygen Sans, Cantarell, Droid Sans, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol, Lucida Grande, Helvetica, Arial, sans-serif"><span style="font-size:14px;background-color:rgb(242,242,242)">-- I understand that the user state on that browser may impact the UX, where "state" includes a variety of elements.</span></font></div><div><font color="rgba(0, 0, 0, 0.9)" face="-apple-system, system-ui, system-ui, Segoe UI, Roboto, Helvetica Neue, Fira Sans, Ubuntu, Oxygen, Oxygen Sans, Cantarell, Droid Sans, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol, Lucida Grande, Helvetica, Arial, sans-serif"><span style="font-size:14px;background-color:rgb(242,242,242)">I would be interested to know what the following might possibly mean (other than the user has logged into the browser's vendor site): </span></font> "registered it as an IdP in your browser"</div><div>Another thought. Suppose I have accounts at <a href="http://foo.okta.com" target="_blank">foo.okta.com</a> and <a href="http://bar.okta.com" target="_blank">bar.okta.com</a>, what is the federation identified to the browser by the verifier? 
(or is this out-of-scope?)</div><div>Another question: Does the verifier have different requests for login versus registration? Or is the FedCM / PM expected to be able to disambiguate the request?</div><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"> </span>..tom</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 14, 2024 at 10:10 AM Aaron Parecki <<a href="mailto:aaron@parecki.com" target="_blank">aaron@parecki.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Are you talking about the "configURL: any" version or the RP providing specific config URLs?<div><br></div><div>In the "any" world, if you're logged in as <a href="mailto:tom@live.com" target="_blank">tom@live.com</a>, *and* if you have visited the <a href="http://live.com" target="_blank">live.com</a> IdP and registered it as an IdP in your browser, then an RP that asks for "configURL: any" would get the <a href="mailto:tom@live.com" target="_blank">tom@live.com</a> account in the FedCM dialog.</div><div><br></div><div>I guess I don't understand the problem you're talking about.</div><div><br></div><div>Aaron</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 14, 2024 at 9:45 AM Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I question the statement Aaron 
made, quoted below. What would a logon request from an RP look like that could enable a meaningful UX? Consider login with MS as an RP option. If I am currently logged on as <a href="mailto:tom@live.com" target="_blank">tom@live.com</a>, how can (EVERY BROWSER that the user might have) connect that with MS logon?<div><br></div><div><p class="MsoNormal"> Aaron said that FedCM can help make things better by only showing identities that you have<u></u><u></u></p><p class="MsoNormal"> As opposed to showing all the IdPs that it is possible to use<u></u><u></u></p><p class="MsoNormal"> Research & Education sites have ornate IdP pickers among thousands of sites</p><p class="MsoNormal"><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px"> </span>..tom<br></p><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 13, 2024 at 5:35 PM Michael Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-US">
<div>
<p class="MsoNormal">Spec Call Notes 13-May-24<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Mike Jones<u></u><u></u></p>
<p class="MsoNormal">Sam Goto<u></u><u></u></p>
<p class="MsoNormal">Aaron Parecki<u></u><u></u></p>
<p class="MsoNormal">Tom Jones<u></u><u></u></p>
<p class="MsoNormal">Dima Postnikov<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">IdP Discovery Discussion<u></u><u></u></p>
<p class="MsoNormal"> We had a free-ranging discussion of IdP discovery problems and solutions<u></u><u></u></p>
<p class="MsoNormal"> Also called Home Realm Discovery<u></u><u></u></p>
<p class="MsoNormal"> Motivated in part by problems that FedCM is trying to solve<u></u><u></u></p>
<p class="MsoNormal"> Both closed sets and open sets of IdPs are used in different contexts<u></u><u></u></p>
<p class="MsoNormal"> NASCAR screens are closed<u></u><u></u></p>
<p class="MsoNormal"> E-mail is an open space<u></u><u></u></p>
<p class="MsoNormal"> Federations are logically closed but may have thousands of participants<u></u><u></u></p>
<p class="MsoNormal"> Different kinds of ecosystems have different properties<u></u><u></u></p>
<p class="MsoNormal"> Open Banking systems are closed<u></u><u></u></p>
<p class="MsoNormal"> Research & Academic Federations are distinct from those<u></u><u></u></p>
<p class="MsoNormal"> SAAS apps are more open, accepting a large set of corporate identities<u></u><u></u></p>
<p class="MsoNormal"> You may have identities from one ecosystem that can't be used in another<u></u><u></u></p>
<p class="MsoNormal"> We discussed how blog commenting was the use case for OpenID 2.0<u></u><u></u></p>
<p class="MsoNormal"> Which was an open system<u></u><u></u></p>
<p class="MsoNormal"> Having claimed identifiers authenticated you and differentiated you from comment spam<u></u><u></u></p>
<p class="MsoNormal"> Bloggers knew they had URLs and were willing to type them<u></u><u></u></p>
<p class="MsoNormal"> Whereas NASCAR screens have better conversion rates than any UX where you have to type<u></u><u></u></p>
<p class="MsoNormal"> We talked about the need for incentives for ecosystem participants<u></u><u></u></p>
<p class="MsoNormal"> Particularly for RPs<u></u><u></u></p>
<p class="MsoNormal"> Tom asked about user identifiers and picking IdPs<u></u><u></u></p>
<p class="MsoNormal"> Aaron said that FedCM can help make things better by only showing identities that you have<u></u><u></u></p>
<p class="MsoNormal"> As opposed to showing all the IdPs that it is possible to use<u></u><u></u></p>
<p class="MsoNormal"> Research & Education sites have ornate IdP pickers among thousands of sites<u></u><u></u></p>
<p class="MsoNormal"> Mike said that one IdP discovery problem is people not remembering which IdP they used at an RP<u></u><u></u></p>
<p class="MsoNormal"> Aaron remarked on the prevalence of e-mail as an account recovery path<u></u><u></u></p>
<p class="MsoNormal"> Sam asked about the role of single-user OPs, such as <a href="http://self-issued.info" target="_blank">self-issued.info</a><u></u><u></u></p>
<p class="MsoNormal"> And about the cases where an e-mail domain is the same as the IdP's domain<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Pull Requests<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/" target="_blank">
https://bitbucket.org/openid/connect/pull-requests/</a><u></u><u></u></p>
<p class="MsoNormal"> PR #736: [Federation] listing endpoint parameters updated_since and updated_before<u></u><u></u></p>
<p class="MsoNormal"> Dima: In open banking, etc. regulator controls who is in and out<u></u><u></u></p>
<p class="MsoNormal"> Closed ecosystems<u></u><u></u></p>
<p class="MsoNormal"> Mike: Filtering on updated times requires superiors to track changes in subordinates<u></u><u></u></p>
<p class="MsoNormal"> Mike: What kinds of updates are you interested in knowing about?<u></u><u></u></p>
<p class="MsoNormal"> Dima: Added, key and metadata changes, disabled/deactivated<u></u><u></u></p>
<p class="MsoNormal"> PR #731: [Federation] the new federation_subordinate_events_endpoint<u></u><u></u></p>
<p class="MsoNormal"> Mike asked Dima to also look at this for ConnectID's use cases<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Next Call<u></u><u></u></p>
<p class="MsoNormal"> The next call is Thursday, May 16 at 7am Pacific Time<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
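<p>The FedCM exchange the thread argues about, as an added example that is not from the thread or from any of its authors: the RP-side request (specific configURL or the "any" variant), the accounts payload the browser fetches from the IdP with the user's IdP cookie, and how the browser decides sign-in versus sign-up. The configURL and clientId values are placeholders and the accounts payload is constructed.</p>

```javascript
// Added example, not from the thread. Models the FedCM exchange discussed
// above: the RP's request, the IdP accounts payload the browser fetches with
// the user's IdP cookie, and the sign-in vs sign-up decision.
// configURL/clientId values are placeholders; the accounts payload is constructed.

// RP side: the options object passed to navigator.credentials.get(). A configURL
// of "any" (the IdP-registration variant Aaron mentions) asks the browser to
// list accounts from IdPs the user has registered in that browser.
function buildFedCmRequest(configURL, clientId, nonce) {
  return { identity: { providers: [{ configURL, clientId, nonce }] } };
}

// Constructed accounts-endpoint response. The browser fetches it from the IdP
// (e.g. login.microsoftonline.com) with that origin's cookie and without any
// RP-identifying information. The e-mail domain (live.com here) is just a
// label; it does not have to match the IdP's domain.
const ACCOUNTS_RESPONSE = {
  accounts: [
    { id: "u1", name: "Tom", email: "tom@live.com", approved_clients: ["rp-client-123"] },
    { id: "u2", name: "Tom (work)", email: "tom@example.com", approved_clients: [] },
  ],
};

// Mirror of the browser's listing logic: every account the IdP returned is
// shown. approved_clients tells the browser whether this RP is a returning
// client (plain sign-in) or a new one (sign-up, with disclosure text); the RP
// does not send different requests for the two cases.
function listAccounts(response, clientId) {
  return response.accounts.map((a) => ({
    email: a.email,
    returning: a.approved_clients.includes(clientId),
  }));
}

// RP side: run the flow in a FedCM-capable browser. The returned token is
// IdP-issued and must be verified by the RP's backend before use.
async function signInWithFedCm(configURL, clientId, nonce) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("FedCM not available in this environment");
  }
  const cred = await navigator.credentials.get(buildFedCmRequest(configURL, clientId, nonce));
  return cred.token;
}
```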