Comments (5)
If there is both a unique-id and display name then the unique-id may not even need to be a "username" but could be any unique identifier the site wants to use to identify the user at the next login.
I'm also curious how sites should implement the "Account Chooser" UX and whether this proposal puts any limits on those implementations.
from is-logged-in.
If there is both a unique-id and display name then the unique-id may not even need to be a "username" but could be any unique identifier the site wants to use to identify the user at the next login.
Right, we'd just have to name the parameters in a way that maximizes the chances of developers getting them right.
I'm also curious how sites should implement the "Account Chooser" UX and whether this proposal puts any limits on those implementations.
I don't see this proposal affecting or instructing websites how to implement account switching. Do you think it needs to? Sure, it would be nice to have browsers offer account switching which would require a defined way to switch state. That would likely have to be switching website data sessions completely. But what I'm thinking is that the site merely tells the browser which user is currently logged in and the browser accepts that as an account switch.
from is-logged-in.
In most cases today... if the browser is not currently logged in but has been in the past, when the browser visits the login service instead of being shown an username/password page, they are shown a page of all the identities that have logged in from that browser. This is usually stored in local storage on the fully qualified domain of the identity provider. As long as the local storage will persist across login/logout flows then existing behavior should work fine. Some identity providers use a persistent cookie for this data instead of local storage.
from is-logged-in.
In most cases today... if the browser is not currently logged in but has been in the past, when the browser visits the login service instead of being shown an username/password page, they are shown a page of all the identities that have logged in from that browser. This is usually stored in local storage on the fully qualified domain of the identity provider. As long as the local storage will persist across login/logout flows then existing behavior should work fine. Some identity providers use a persistent cookie for this data instead of local storage.
The exact policies browsers might apply based on the IsLoggedIn signal is outside the scope of this proposal (although #15 will be discussed at the F2F). If a browser decides to delete or hide website data after N days of no logged in state, the list of previously used identities will not be there on page load after N days. That is the same thing as the user deleting website data or the user using an ephemeral session and restarting their browser.
from is-logged-in.
So, browsers that implement that behavior will cause the users of those browsers to have a more challenging login experience because it won't be possible for the IDP to distinguish between a browser the user has used in the past and a brand new one possibly driven by an attacker. So the IDP will likely require the user to pass multiple challenges to ensure it's the correct user even though they logged into the site say M days in the past.
from is-logged-in.
Related Issues (20)
- Could Site Engagement Serve the Same Purpose?
- Privileges that come with IsLoggedIn may push sites to mandate login HOT 1
- Can we cater for link-based logins, e.g. tap link in email => logged in HOT 5
- Use the term bucket for storage HOT 1
- Support for logins to sites requiring 2FA login
- What does logout mean in a federated context? HOT 5
- Browser rules for a 'proper' login flow
- Support for federated logins, or the ability to transfer IsLoggedIn HOT 10
- Supporting display name and avoiding misuse of them HOT 1
- Logging-in does not necessarily mean giving tracking consent
- Safari implementation of setLoggedIn API HOT 1
- Concurrent logins support for `navigator.isLoggedIn` method.
- Would it be possible to have it isomorphic?
- Potential use of First Party Sets for Single Sign-On
- Integration with FedCM (formerly WebID) HOT 9
- Potential requirement to have JS turned on to log in users to a site
- Consider changing the name of the spec to better convey purpose, align with conventions HOT 1
- Consider renaming API entry points to align with conventions, better convey purpose
- Use Case: Updating OS-integrated surfaces HOT 3
- advice/hooks for other login helper APIs to change login status
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from is-logged-in.