WebID should help IdPs and RPs handle multiple identities #46

Closed
timcappalli opened this issue Dec 7, 2020 · 7 comments

@timcappalli

Immediate concern

In the Mediation API, there’s a "magic moment" where the browser knows which identity should be used for the sign in. Expanding the detail there to explain how the browser knows that identity helps us understand the implications there and what role and information the IdP plays in helping with that discovery.

Room for improvement

With the expanded detail above, it gives a jumping off point to discuss handling multiple identities that an IdP may have in session at the same time. Browsers could offer an account selector for IdPs, potentially replacing some of the IdP sign in functionality that relies on 3p cookies today (issue #34). Partitioning identities by session, such that there is only 0 or 1 identity for a given IdP in session, is not desirable as multi-account scenarios do exist (usually in the form of IdPs serving both consumer and enterprise users, example: offering a merged calendar or task view).

Suggested addition

On top of the active session discovery suggestion, support the ability to pass multiple identities from an IdP to the application in a single sign-in flow. This presents an improvement over the single-user limitations of OIDC, and paves the road towards more fragmented, user-owned identity stories.

Related issues: #13

@samuelgoto
Collaborator

Yep, I think this is aligned with how we have been thinking about the mediated flows.

> Expanding the detail there to explain how the browser knows that identity helps us understand the implications there and what role and information the IdP plays in helping with that discovery.

This is super poorly written and maintained and we need to do a better job at exposing this, but this is the best public explanation that we have about that mechanism right now:

https://github.com/samuelgoto/WebID/blob/master/mediation_oriented_api.md

@samuelgoto
Collaborator

It has been years since this was filed, but I think this is a duplicate of a more recent issue to allow multiple IdPs to co-exist in the account chooser UI here.

I'm going to close as a duplicate, but feel free to reopen if you feel that issue https://github.com/fedidcg/FedCM/issues/319 isn't representative of this one and there is something else actionable you'd like to see taken into account.

@mitar

mitar commented Mar 28, 2024

Isn't this issue about one IdP having multiple identities? w3c-fedid/multi-idp#2 seems to me about multiple IdPs?

@samuelgoto samuelgoto reopened this Mar 28, 2024
@samuelgoto
Collaborator

samuelgoto commented Mar 28, 2024

> Isn't this issue about one IdP having multiple identities? https://github.com/fedidcg/FedCM/issues/319 seems to me about multiple IdPs?

Ah, yes, I think you are right, re-opening it. Thanks!

> support the ability to pass multiple identities from an IdP to the application in a single sign-in flow.

I think this is already supported, isn't it?

Anything else you think we need to act on?

@mitar

mitar commented Mar 28, 2024

> I think this is already supported, isn't it?

I think so, yes. So it can be closed. :-) I just wanted to make sure we all agree what this issue is about.

> Anything else you think we need to act on?

For me, I think not in the scope of this issue, but I made #527 for the point I still have.

@samuelgoto
Collaborator

> I think so, yes. So it can be closed. :-) I just wanted to make sure we all agree what this issue is about.

Ah, ok, so re-closing it then :) @timcappalli feel free to re-open if you still feel like there is something better that we could be doing!

> For me, I think not in the scope of this issue, but I made #527 for the point I still have.

SGTM, will follow up there!
