Federated Identity Working Group Charter

The mission of the Federated Identity Working Group is to develop specifications that allow a website to request a federated identity credential or assertion, for the purpose of authenticating a user and/or requesting a set of claims, in a way that is compatible with OIDC or SAML.

Join the Federated Identity Working Group.

Charter Status: See the group status page and detailed change history.
Start date: 28 March 2024
End date: 28 March 2026
Chairs: Heather Flanagan (Spherical Cow Consulting); Wendy Seltzer (Invited Expert)
Team Contacts: Simone Onofri (0.25 FTE)
Meeting Schedule:
  Teleconferences: topic-specific calls may be held.
  Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than one per year.

Motivation and Background

As support for underlying privacy principles changes, fundamental assumptions of the web platform are being redefined or removed. While good for the web overall, the deprecation of third-party cookies removes a building block that certain designs of federated identity depend on. This Group aims to bridge the gap for the federated identity designs that relied on third-party cookies.

Scope

The Working Group will specify new web platform features intended to be implemented in browsers or similar user agents. The purpose of these features is to support authentication and authorization flows without compromising security principles for Identity Providers (IdPs), Relying Parties (RPs), and User Agents as well as protecting user privacy. Here "privacy" minimally refers to the appropriate processing of personal information. The result of this work is the development of new mechanisms that define how information is passed by the browser between the RP, the IdP, and authentication intermediaries to facilitate federated authentication; these mechanisms are not an authentication method.

If any of the mechanisms developed to support authentication and authorization flows would cause breaking changes for existing protocols, work on that mechanism must include a well-documented transition period.

Out of Scope

The identity space is much larger than federated authentication. While several topics related to identity may be of interest, they are out of scope for our work.

Specific topics out of scope:

  • New authentication methods
  • Design and discussion regarding individual credential and assertion formats
  • Performing any security or confidence assessment (e.g. checking signatures, audience, encoding, etc.) of the token that encodes the identity assertions; this remains the responsibility of the Relying Party.
  • Ad-tech tools or APIs
  • Interactions with identity wallets

Deliverables

Updated document status is available on the group publication status page.

Draft state indicates the state of the deliverable at the time of the charter approval. Expected completion indicates when the deliverable is projected to become a Recommendation, or otherwise reach a stable state.

Normative Specifications

The Working Group will deliver the following W3C normative specifications:

Federated Credential Management (FedCM) API

This specification defines an API that allows users to log in to websites with their federated accounts in a privacy-preserving manner, with the user agent mediating the exchange between the Relying Party and the Identity Provider.

Draft state: Adopted from the Federated Identity Community Group

Expected completion: CR in Q1 2025

Login Status API

This specification defines an API by which a website (typically an Identity Provider) informs the user agent of its user's login status, so that other Web APIs can operate with this additional signal. It is currently a separate chapter in the FedCM specification; the goal is to publish it as a separate deliverable to be used by FedCM.

Draft state: Adopted from the Federated Identity Community Group

Expected completion: CR in Q1 2025

Other Deliverables

A test suite, made available through web-platform-tests where possible, must be created.

Other non-normative documents may be created such as:

  • Use case and requirement documents;
  • Implementation report for the specification;
  • Primer or Best Practice documents to support web developers when designing applications.

Timeline

  • Q1 2024: FPWD for Federated Credential Management API
  • Q1 2025: CR for Federated Credential Management API

Success Criteria

In order to advance to Proposed Recommendation, each normative specification is expected to have at least two independent interoperable implementations of every feature defined in the specification, where interoperability can be verified by passing open test suites, and two or more implementations interoperating with each other. In order to advance to Proposed Recommendation, each normative specification must have an open test suite of every feature defined in the specification.

There should be testing plans for each specification, starting from the earliest drafts.

To promote interoperability, all changes made to specifications in Candidate Recommendation or to features that have deployed implementations should have tests. Testing efforts should be conducted via the Web Platform Tests project.

Each specification should contain sections detailing all known security and privacy implications for implementers, Web authors, and end users.

Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them, and recommendations for maximising accessibility in implementations.

This Working Group expects to follow the TAG Web Platform Design Principles.

Coordination

For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least 3 months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.

Additional technical coordination with the following Groups will be made, per the W3C Process Document:

W3C Groups

Federated Identity Community Group
This Working Group will work closely with FedIDCG. The expectation is that FedIDCG will incubate proposals which it then hands off to this Working Group for standardization. Most proposals in this Working Group should start in FedIDCG.
Privacy Interest Group (PING)
This Working Group will coordinate with PING on the development of principles that will guide the development of privacy-preserving capabilities while still supporting federated authentication and authorization flows.
Web Application Security Working Group (WebAppSec)
WebAppSec is both a potential venue for standardization of security-related capabilities and a source of expertise on web application security.
Privacy Community Group
The Privacy Community Group is developing privacy-focused features. This working group is expected to regularly coordinate with the Privacy CG to ensure that the work of the two groups is not in conflict.
Web Authentication (WebAuthn) Working Group
While we are not developing an authentication mechanism, this work must operate in conjunction with existing authentication mechanisms. The WebAuthn Working Group may provide input and guidance for this requirement.
Accessible Platform Architectures (APA) WG
The APA WG seeks to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short-term memory are known and thorny topics for people with disabilities. The APA WG can represent the issues raised on these topics in the Cognitive Accessibility (COGA) TF and the Accessibility Guidelines (AG) WG.

External Organizations

IETF
A number of IETF working groups, such as oauth, are likely venues for standardization of the protocol components that authentication and authorization features depend on; IETF research groups are also investigating issues that will feed into the designs this group will consider.
OIDF
The OpenID Foundation (OIDF) is a likely venue for standardization of components that certain authentication and authorization flows depend on (e.g., the OpenID Connect specifications).
OASIS
OASIS is a likely venue for standardization of components that certain authentication and authorization flows depend on (e.g., the SAML specifications).
REFEDS
REFEDS is a likely venue for multi-lateral federation best practices and a representative of the complex use cases of the research and education communities around the world.

Participation

To be successful, this Working Group should have participation from large-scale Identity Provider (IdP) operators, large-scale Relying Parties (RPs), federation operators, and browser vendors. In addition, there must be active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.

The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.

The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.

Participants in the group are required (by the W3C Process) to follow the W3C Code of Conduct.

Communication

Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.

Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Federated Identity Working Group home page.

Most Federated Identity Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.

This group primarily conducts its technical work on GitHub issues. The public is invited to review, discuss and contribute to this work.

The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.

Decision Policy

This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.

However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.

To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period from one week to 10 working days, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.

All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.

This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.

Patent Policy

This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the licensing information.

Licensing

This Working Group will use the W3C Software and Document license for all its deliverables.

About this Charter

This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.

Charter History

The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):

Charter Period   | Start Date    | End Date      | Changes
Initial Charter  | 28 March 2024 | 28 March 2026 | (initial)

Change log

Changes to this document are documented in this section.