Cross-site tracking on the Web has recently spurred a series of browser interventions to protect users' privacy.
Unfortunately, the same low level primitives that are being tightened up are also the primitives that federated sign-in relies on, namely cookies, top level redirects and cross origin iframe communication (postMessage).
In many ways, identity federation has unquestionably played a central role in raising the bar for authentication on the web, in terms of ease-of-use (e.g. passwordless single sign-on), security (e.g. improved resistance to phishing and credential stuffing attacks) and trustworthiness compared to its preceding pattern: per-site usernames and passwords.
We think it is key to expose new privacy-oriented affordances that allow federation to be preserved and to do that as thoughtfully as we can in terms of deployment and backwards compatibility.
We don’t know yet what those look like, but we are starting to explore them here:
Any chance anyone else around here would be interested in collaborating and helping us figure this out? If you are interested, reply here and I’d be happy to move my repo into the WICG so that we can collaborate.
As CTO of a service (scroll.com) that provides something a bit like federated login across a range of major news sites, I agree completely with the problem statement. By making cookies and cross-site communication unreliable without offering a reasonable new path, current anti-tracking efforts are breaking both regular and federated authentication.
Developers and users are frustrated, and in many cases are being pushed to less secure tools to keep users logged in like per-site passwords, weak passwords, browser extensions and native apps, privileged first-party cookies and other leaky credentials, and domain cloaking. Not to mention that this makes it harder for content providers to experiment with subscriptions or other ways to reduce the reliance on advertising that got us here in the first place.
We’re very excited to see this (and similar efforts like isLoggedIn) move forward and would love to collaborate however we can. Although our needs are not precisely those of federated login, we think the right solution can help a range of cases. We consider this problem both urgent and important to the future of the web.
Given the level of expressed support, transferred to WICG: https://github.com/WICG/WebID/
Hi Sam & all,
Great to see this important initiative moving forward. I am glad to bring whatever contribution I can offer.
Awesome, would love to contribute to this!
I work with global R&E federations where O(millions) of researchers are impacted by browser choices in this space (every day). Definitely interested.