In this variation of the Provider API, we modify the Permission-oriented variation to:

• Bundle the prompts to unify the case where the users opt-into using an undirected profile.
• Allow the user agent to pick defaults (e.g opt-out vs opt-in) and control the use of directed profiles.

The fundamental modification to achieve these goals is allow the browser to mediate the sign-in flow:

In this formulation, we solve the cross-browser consistency by leveraging the IDP: specifically, the IDP tells the browser whether a given flow is a sign-up or sign-in. A consequence of this is that the IDP must learn at least the RP’s origin before the browser UI is painted. This flow is similar to Permission-oriented API in that it makes the assumption that IDPs can learn the RP’s origin after a user gesture on the RP page.

Benefits

• Fewer prompts compared to the Permission-oriented variation
• Prompts are “functional” (part of a decision the user has to make) rather than “informational” (speed bumps)
• The browser has the ability to control the defaults

Challenges

• Ossification: Browsers need to become opinionated about sign-in and the subset of flows that enables it.
• User comprehension: the browser UI is displaying data (including T&Cs) provided by the IDP. Will users get confused and take it as browser provided data or that the browser has fully vetted the IDP?