-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[VK Company Feedback] Domain limitations in FPS #67
Comments
There are several existing issues that cover how a "common owner" requirement is impractical, considering the many different real-world ownership structures that could affect domains. PR #56 suggests a simpler alternative that should be more practical to enforce. Besides the problem you mention, there are several other related ones, including
More Q&A in minutes from the 9 Sep meeting (2nd item). Comments and suggestions on #56 welcome, thank you. |
@NekR Thanks for the question! Could you say a little bit more about the types of services that may be hosted on |
We're mainly looking in SSO scenario here, so that There are other cases, when |
@NekR - Sorry, it's not entirely clear to me whether this establishes that First-Party Sets is not needed in this scenario or not? Can we close this issue if you think that partitioned cookies are sufficient? FYI, another related proposal is the Federated Credentials Management API (formerly known as WebID), which is intended for federated login use-cases. This may be appropriate if you intend for a service in either A on x.example to act as an identity provider. |
It isn't sufficient for seamless authentication, which is main use case we expect from FPS. Other cases, yes, somehow could be used with partitioned cookie.
Do you mean that use case described in the first comment isn't considered by FPS and won't be supported? In our understanding, x.example supposed to have the same seamless authentication experience as any other website in A's FPS. We're trying to understand if that would be possible with FPS or maybe FPS isn't the right tool for seamless authentication, as you mentioned WebID and we should look into that instead. |
@NekR - Could you expand on what you mean by "seamless authentication"? For example, do you mean that if the user has logged in to x.example as |
@krgovind if
This probably would be strange I guess :) But I guess if user is logged both into A and B ecosystem, then At least, this is how it can work right now with third-party cookie. |
Thanks for the details, @NekR! It does sound like Alternatively, you might consider allowing |
Hello!
We're looking into all the docs and specs related to FPS to understand if it fits our business requirements.
Current spec says FPS should contains domains which are controlled only by "common owner" and it isn't clear how exactly this would be verified and what is exactly "common owner". How and when this is planned to be defined?
Here is an example which we worry about:
Site x.example is owned by company X. X company is a joint venture of some other companies: A and B.
If company A has a First Party Set, would it be able to contain x.example?
Another example on top of the last one -- what if both companies, A and B, would want to include x.example into their First Party Sets? Right now documentations says that a website could be only in one FPS, but it doesn't solve business use case from above, when one product/company is part of 2 ecosystems.
Thanks
The text was updated successfully, but these errors were encountered: