WebID feedback

Mediation-oriented API

In this variation of the Provider API, we modify the Permission-oriented variation to:

  • Bundle the prompts to unify the case where the users opt-into using an undirected profile.
  • Allow the user agent to pick defaults (e.g opt-out vs opt-in) and control the use of directed profiles.

The fundamental modification to achieve these goals is allow the browser to mediate the sign-in flow:

In this formulation, we solve the cross-browser consistency by leveraging the IDP: specifically, the IDP tells the browser whether a given flow is a sign-up or sign-in. A consequence of this is that the IDP must learn at least the RP’s origin before the browser UI is painted. This flow is similar to Permission-oriented API in that it makes the assumption that IDPs can learn the RP’s origin after a user gesture on the RP page.

Benefits

  • Fewer prompts compared to the Permission-oriented variation
  • Prompts are “functional” (part of a decision the user has to make) rather than “informational” (speed bumps)
  • The browser has the ability to control the defaults

Challenges

  • Ossification: Browsers need to become opinionated about sign-in and the subset of flows that enables it.
  • User comprehension: the browser UI is displaying data (including T&Cs) provided by the IDP. Will users get confused and take it as browser provided data or that the browser has fully vetted the IDP?

Table of contents