Is there a way to maintain UI hint freshness without falling back to heavyweight FedCM #40
Comments
bvandersloot-mozilla
added
the
agenda+F2F
I think the answer is: "yes" with a "but". There are two solutions that I'm aware of:
Just as a data point in case it helps, we heard from IdPs that they have strict freshness requirements (e.g. in the order of hours, not days). |
That's my sense as well. |
|
From the meeting, an alternative would be to allow two new behaviors, depending on how many IDPs are present in the request.
(1) has the downside of maybe facilitating more "blinking" popups or redirects. |
|
Relatedly, from #42 we are talking about adding pull requests for the token endpoint. This is akin to option 2 above. |
|
I think (1)'s downside can be resolved by requiring sticky user activation to store a credential! I lean toward that direction, and allowing stores in workers to facilitate using the Push API. There was a comment in the meeting with the push API requiring notifications, and I think that is reasonable given the infrequency of user information updates. |
|
(1) would certainly lead to the best UX and Privacy properties, I believe. It is unclear to me whether that's too big of a lift to IdPs or not, but seems like a better place to start from. |
|
Just ran into this, and may help: https://developer.mozilla.org/en-US/docs/Web/API/Web_Periodic_Background_Synchronization_API |
That requires installing the app as a PWA, and exposes user activity & IP address to the IDP. (We considered that in https://github.com/w3c-fedid/FedCM/blob/main/meetings/2022/FedCM_%20Options%20for%20the%20Timing%20Attack%20Problem%202022-08-31.pdf) |
|
Discussed at TPAC 2024: https://github.com/fedidcg/meetings/blob/main/2024/2024-09-24-TPAC-notes.md#lightweight |
bvandersloot-mozilla
removed
the
agenda+F2F
Coming from the first comment on the TAG review request, this may be worth considering.
The text was updated successfully, but these errors were encountered: