-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax the number of providers in the .well-known file to 5-10 #333
Comments
In additional to development environments there are also different regions that might need to be listed like |
Hello @samuelgoto.
Do you have plans to move forward with this issue? |
Can you point me to your production environment? What's a configURL that I could use? |
I'm sorry. |
If this is for testing purposes only, you can turn on chrome://flags/#fedcm-without-well-known-enforcement |
There are a couple more things that we are actively working on that may help here:
@solatsuta any chance (1) or (2) or the chrome://flag that @cbiesinger mentioned above would help you with your problem? |
@samuelgoto @cbiesinger (1): it is difficult to make the RP belong to the same eTLD+1 as the IdP. (2): IdPs are separated by subdomains. Therefore, it is not possible to have account_endpoints with the same URL. chrome://flag: It is obvious that this method solves this problem as a behavior. However, as mentioned in (1), there are so many RPs, which are completely different companies/organizations. As an IdP, I provide multiple environments to RPs. |
So to clarify, you have multiple IDPs under the same eTLD+1? Or just multiple environments of the same IDP? |
We have corrected the mistake. |
Oh ok. So why do those environments have different account endpoints? I would imagine a user only has to sign in once to be able to access two of these environments? |
Here is an example of how to get the accounts_endpoint from idp's config.json.
I have multiple environments that I want to get config in 2. Here is an example.
Since the DB that manages the user is different in each environment, this cannot be resolved with a single sign-in.
As you can see, the DBs are separated by domain, so it is important for users to be aware of their domain when they sign in. |
@npm1
This is the correct understanding. |
Ok, thanks for clarifying! I don't have any good idea other than relaxing the number per the title of the issue. But that is going to be a tradeoff with privacy as it allows IDPs to add some entropy before the user has gone through the FedCM flow. |
It sounds like dev and sandbox could probably use chrome://flags, but yes, if there's multiple production IDPs that's problematic. We are hesitant to increase the number of providers due to privacy concerns, as npm says... |
I feel you are right. I agree with the issue, if the IdP is malicious, they could track the same user information in multiple environments. However, I think the fact that only one provider_urls can be registered may be a bottleneck for developers like me who release features after verifying them in multiple environments. Of course, I understand that the above case can be avoided by using chrome://flags, but it is not realistic to tell RPs who use my IdP to set flags every time. |
I'd like to explore this option bit further.
You say:
And then:
These are all test environments, right? Are they publicly accessible? Why would they be exposed externally to external RPs? Are you saying that there are RPs, outside of the IdP's eTLD+1, that you'd like to be able to test against your test environments? |
No. idp.example.com is a production environment. It is open to the public. We also provide a sandbox environment for RPs. For example, chat API, image API, etc. The sandbox environment is not open to the public, but allows RPs to achieve the same level of verification as production. |
What does it mean to not be "open to the public" but "open to RP"? Aren't external RPs "public"? Do you mean "open to the public but there is an RP allowlist"? |
The sandbox environment can only be accessed by a limited number of people through means such as IP restrictions or basic authentication. The environment is open to the public on the Internet, but only developers registered on my platform can access it. |
Got it. So, yeah, at this moment, I think the only solution that would work for you is asking all of your RPs to turn on this flag Would that work? Or would that be too painful? |
Very painful in my personal opinion; I can easily foresee a large number of inquiries about FedCM not working. A good number of RPs exist. As an operation, we anticipate that it will be difficult to enforce this rule on all RPs. However, it is my understanding that this is the only realistic way to do this. |
Another option that occurred to me was to having the IdP opt-inot "caching" the accounts endpoint value by using the IdP Sign-in Status API. That way, FedCM wouldn't have to hit the Caching the "accounts_endpoint" has some problems (e.g. fresheness), but I bet it would like do for, at least, testing purposes. WDYT? |
That probably does not work, even for testing. The devs could test the sandbox env but then the prod environment (or really any other) would be broken. |
The RPs would be pointing to either the dev/prod environment in the |
Sorry, I'm not sure what to do. My understanding at this point is that doing so would mix up the login status for each environment. |
Even if the Sign-in Status API were a solution to my issue, it would be difficult to adopt at this time. For personal reasons, the default 3rd party cookie block that will take effect in 2024/1 will be very critical for my service. To solve this problem, all RPs must bear FedCM compliant development. We will consider this as a future alternative, but at least it will not be in time for 2024/1. |
Not sure I follow, but I guess you mean caching the accounts (on a per-origin basis also?), not caching the accounts endpoint. |
Yes. |
? We have previously concluded that caching the account list is not workable. |
I'm now sure that was concluded. I certainly don't think it is true for every IdPs or for every test environments. |
IMO that will be a very complicated system to build purely for test environments |
See #552 for a proposal that helps for use cases that can reuse the accounts endpoint |
I feel that issue is now resolved with the latest proposal #552 , which would allow us to have an arbitrary number of Closing, feel free to reopen if you fee like there is something else that we need to address. |
We kept it at 1 to avoid a tracking attack, and we've always assumed that we would be able to extend it to a handful of URLs (but not arbitrarily).
We got feedback from Identity Providers that it would be constructive to relax it to 5-10 to allow them to represent different development servers, like qa, staging, canaries, etc.
The text was updated successfully, but these errors were encountered: