In section 6.6:
The user MUST have some control over this behavior. As noted in §5.2 Requiring User Mediation, clearing cookies for an origin will also reset that origin's prevent silent access flag in the credential store to true. Additionally, the user agent SHOULD provide some UI affordance for disabling automatic sign-in for a particular origin. This could be tied to the notification that credentials have been provided to an origin, for example.
The current spec defines that control over user logout mediation is up to the relying party. If the relying party enforces mediation through preventSilentAccess(), then the user will be forced to re-authenticate on next use. What if the relying party does not provide functionality to disable auto sign-in, and the user agent does not have UI to enforce mediation (i.e. disable auto sign-in)? The user will be forced to sign in every time he accesses the site, and his only option would be to remove the credential entirely from storage to prevent that behavior.
This poses privacy and user experience issues, as the user will be forced to log in when he MAY not be willing to do so, and it will be a frustrating experience for him to manage such behavior.
User agents on their side can help to prevent both by adding an "auto sign-in" option in the auto sign-in prompt, and by delaying auto sign-in by a few seconds.
Based on my argument, I propose changing "user agent SHOULD provide some UI affordance for disabling automatic sign-in for a particular origin." to "user agent MUST provide some UI affordance for disabling automatic sign-in for a particular origin."