While the end state gives us guidance on where to aim, an equally hard problem is finding a plausible path to that state.
Although much of the environment is changing and evolving, there are concrete flows that are inviable right now, and there are enough signals about the principles and challenges ahead of us.
Much of this is evolving quickly and we are adapting as we learn, but here is our best representation of how we expect features to be developed:
Stage | Timeline | Description |
---|---|---|
Stage 0 | 2020 | Understanding of the problem and properties of the end state |
Stage 1 | 2021 | Dev trials in Q1/Q2 (instructions) and origin trials in Q3/Q4 of alternatives to third-party cookies |
Stage 2 | 2021+ | Origin trials of alternatives to top-level navigation |
Stage 3 | 2021++ | Other related problems and opportunities |
The more urgent problem, and one that has clearly already affected federation, is the blocking of third-party cookies. We plan to tackle this first:
- Why, What and When? Today, third-party cookies are blocked on Safari and Firefox. They are in the process of becoming obsolete in Chrome in the foreseeable future.
- So What? Logging out, social buttons and widget personalization break.
- OK ... Now What? Early proposals on how to preserve these use cases.
- Who and Where?: Browser vendors, identity providers, relying parties and standards bodies are involved. The discussions so far have happened at the WICG and at the OpenID Foundation.
Bounce tracking comes next. It is a more fluid situation, but it has much more profound implications for federation:
- Why, What and When? Safari's periodic storage purging and SameSite=Strict jail, Firefox's periodic storage purging and Chrome's stated privacy model for the Web.
- So What? Purging or partitioning storage across redirects/posts forces users to re-authenticate at each transition of federation flows, at best defeating the convenience that federation provides and at worst making it less secure.
- OK ... Now What? Early proposals on how to preserve these use cases.
- Who and Where?: Browser vendors, identity providers, relying parties and standards bodies are involved. The discussions so far have happened at the WICG and at the OpenID Foundation.
There is a series of related problems that affect federation. We believe we have a unique opportunity to tackle these as a consequence of the choices made in stages 1 and 2.
These are key and important problems, but a lot less urgent, so we are being very deliberate about when and how much to focus on them.