The re-auth privacy considerations section doesn't mention any mitigations for aligning user expectations of whether they are logged into an RP with re-auth behavior.
For example, if a user deletes any storage associated with the RP (or all UA provided storage), there is a strong expectation that they will not be logged into the RP. In this case, future re-auth flows should fail until another standard flow has completed.
IIUC Chrome will ship to OT with a mitigation for this, so it would be good to at least highlight the importance in the explainer. I appreciate that the exact shape of the mitigation will be browser dependent, and may change over time, so a general statement about aligning with user expectations + example seems appropriate.
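As an added illustration of the mitigation described in this issue (this is example code, not part of the issue, any browser, or any specification), the following models a user agent's per-RP re-auth gate: a standard (user-mediated) flow records that the user knowingly signed in to the RP, clearing that RP's storage (or all UA storage) drops the record, and a re-auth request is allowed only while the record exists. The class and method names are hypothetical, and the origins used at the bottom are constructed sample values.

```javascript
// Hypothetical model of a user agent's re-auth gate (added example, not spec text).
// State is keyed by RP origin so that clearing one RP's storage does not affect others.
class ReauthGate {
  constructor() {
    // rpOrigin -> { idpOrigin, standardFlowCompleted }
    this.rpState = new Map();
    // Audit trail of decisions, useful when debugging unexpected silent sign-ins.
    this.log = [];
  }

  // A standard flow completed: the user explicitly chose to sign in to rpOrigin via idpOrigin.
  completeStandardFlow(rpOrigin, idpOrigin) {
    this.rpState.set(rpOrigin, { idpOrigin, standardFlowCompleted: true });
    this.log.push({ event: "standard_flow", rpOrigin, idpOrigin });
  }

  // The user deleted storage for one RP: the expectation is "I am no longer logged in here",
  // so future re-auth must fail until another standard flow completes.
  clearStorage(rpOrigin) {
    this.rpState.delete(rpOrigin);
    this.log.push({ event: "clear_storage", rpOrigin });
  }

  // The user deleted all UA-provided storage: every RP loses its re-auth permission.
  clearAllStorage() {
    this.rpState.clear();
    this.log.push({ event: "clear_all_storage" });
  }

  // Decide whether a re-auth (silent) flow may proceed for rpOrigin.
  // Returns an object rather than a boolean so the reason is visible to callers and logs.
  attemptReauth(rpOrigin) {
    const state = this.rpState.get(rpOrigin);
    const allowed = Boolean(state && state.standardFlowCompleted);
    const reason = allowed
      ? "standard flow completed since last storage clear"
      : "no standard flow since last storage clear; user expects to be logged out";
    this.log.push({ event: "reauth_attempt", rpOrigin, allowed });
    return { allowed, reason, idpOrigin: allowed ? state.idpOrigin : null };
  }
}

// Walk-through with constructed sample origins (not real sites).
function demo() {
  const gate = new ReauthGate();
  const rp = "https://rp.example";
  const idp = "https://idp.example";
  const results = [];
  results.push(gate.attemptReauth(rp).allowed);   // false: never signed in
  gate.completeStandardFlow(rp, idp);
  results.push(gate.attemptReauth(rp).allowed);   // true: user chose to sign in
  gate.clearStorage(rp);
  results.push(gate.attemptReauth(rp).allowed);   // false: storage cleared
  gate.completeStandardFlow(rp, idp);
  gate.clearAllStorage();
  results.push(gate.attemptReauth(rp).allowed);   // false: all storage cleared
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point of keying the state by RP origin and dropping it on any storage deletion is that the re-auth decision follows the same signal the user already understands (clearing site data means being signed out), whatever form the browser's concrete mitigation eventually takes.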