DRAFT Federated Identity Working Group Charter
The mission of the Federated Identity Working Group is to develop specifications that allow a website to request an identity credential from an Identity Provider or credential container (i.e., a wallet) to authenticate a user and request a set of claims in a way that is compatible with other protocols like OIDC, SAML, and OpenID4VP.
This draft charter is available on GitHub. Feel free to raise issues or see the ones that are open.
| Charter Status | See the group status page and detailed change history. |
|---|---|
| Start date | TBD |
| End date | TBD + 2 years |
| Chairs |
Heather Flanagan (Spherical Cow Consulting)
Wendy Seltzer (Invited Expert) |
| Team Contacts | Simone Onofri (0.25 FTE) |
| Meeting Schedule |
Teleconferences: topic-specific calls may be held
Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 1 per year. |
Motivation and Background
Identity on the Web is critical to online interaction, privacy, and security. W3C fosters an ecosystem where privacy, security, and user sovereignty are all considered. That includes developing new mechanisms for individuals to have the ability to select the identity information, such as assertions, specific credentials, or specific attributes, relevant to a given interaction. These mechanisms must also be viable for the issuers, verifiers, identity providers, and relying parties to exchange information in a secure and privacy-preserving manner.
The user agent is the coordinator for these transactions. So, while the request and response protocols are being developed elsewhere (e.g., ISO, IETF, OpenID, and other W3C groups), the web platform layer must also be standardized to provide the privacy and security API framework in a protocol-agnostic and formats-agnostic fashion in a manner that is compatible with identity request/response protocols and different formats.
The group would like to:
- Enable federated identity while adhering to privacy principles despite the third-party cookies, a cornerstone of such operations, with the FedCM API.
- Enable privacy-preserving invocation of a wallet without custom schemes, which have security, privacy, and user experience implications and cannot reliably or securely work in cross-device scenarios, with the Digital Credentials API.
Scope
The Working Group will specify new web platform features intended to be implemented in user agents like browsers. The purpose of these features is to support privacy-preserving authentication, authorization flows, and requesting federated identities without compromising security principles for Identity Providers (IdPs) or Relying Parties (RPs) (in a ‘traditional’ federation model) or Issuers, Verifiers, and Holders (in a digital identity wallet architecture), and User Agents. Here, “privacy” minimally refers to the appropriate processing of personal information and preventing third parties from gleaming anything about the end-user’s environment (e.g., which wallets are available and their capabilities). This work results in developing new mechanisms that define how information is passed by the browser between the different entities and authentication intermediaries to facilitate federated authentication; these mechanisms are not authentication methods.
If any mechanisms developed to support authentication and authorization flows would cause breaking changes for existing protocols, work on that mechanism must include a well-documented transition period.
Out of Scope
The identity space is much larger than that of federated authentication and digital credential wallets. While several topics related to identity may be of interest, they are out of the scope for our work.
Specific topics out of scope:
- Designing new authentication methods.
- Designing individual credential and assertion formats
- Performing any security or confidence assessment (e.g. checking signatures, audience, encoding, etc) of the token that encodes the identity assertions.
- Ad-tech tools or APIs specifically focused on advertising as opposed to authentication.
Deliverables
Updated document status is available on the group publication status page.
Draft state indicates the state of the deliverable at the time of the charter approval. Expected completion indicates when the deliverable is projected to become a Recommendation, or otherwise reach a stable state.
Normative Specifications
The Working Group will deliver the following W3C normative specifications:
- Federated Credential Management (FedCM) API
-
This specification defines an API that allows users to login to websites with their federated accounts in a privacy-preserving manner.
Draft state: Adopted from the Federated Identity Community Group
Expected completion: CR in Q2 2025
- Login Status API
-
This specification defines an API to inform the Web Application of their user's login status, so that other Web APIs can operate with this additional signal. Currently a separate chapter in the FedCM specification, the goal is to publish it as a separate deliverable to be used by FedCM.
Draft state: Adopted from the Federated Identity Community Group
Expected completion: CR in Q2 2025
Tentative Deliverables
Depending on the incubation progress, interest from multiple implementers, and the consensus of the Group participants, the Group may also produce Recommendation-track specifications for the following document:
- Digital Credentials API
-
This specification specifies an API to enable user agents to mediate access to, and presentation of, digital credentials such as a driver's license, government-issued identification card, and/or other types of digital credentials.
Draft state: Draft in the Web Incubator Community Group
Other Deliverables
A test suite, available from web-platform-tests as possible, must be created.
Other non-normative documents may be created such as:
- Use case and requirement documents.
- Implementation report for the specification.
- Primer or Best Practice documents to support web developers when designing applications.
- Harm Model or other documents to identify the impact of the technology (API and also Digital Identities in general) on people and their security and privacy.
Timeline
- Q4 2024: FPWD for Federated Credential Management API
- Q1 2025: CR for Federated Credential Management API
Success Criteria
In order to advance to Proposed Recommendation, each normative specification is expected to have at least two independent interoperable implementations of every feature defined in the specification, where interoperability can be verified by passing open test suites, and two or more implementations (distinct browser engines) interoperating with each other. In order to advance to Proposed Recommendation, each normative specification must have an open test suite of every feature defined in the specification.
There should be testing plans for each specification, starting from the earliest drafts.
To promote interoperability, all changes made to specifications in Candidate Recommendation or to features that have deployed implementations should have tests. Testing efforts should be conducted via the Web Platform Tests project.
Each specification should contain a Security Considerations section that must include a Threat Model with threats, attacks, mitigations, and residual risks and a Privacy Consideration section as specified in Self-Review Questionnaire: Security and Privacy and RFC 3552, detailing all known security and privacy implications for implementers, Web authors, and end users.
Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them and recommendations for maximising accessibility in implementations.
This Working Group expects to follow the TAG Web Platform Design Principles, Ethical Web Principles, and Privacy Principles.
Coordination
For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least 3 months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.
Additional technical coordination with the following Groups will be made, per the W3C Process Document:
W3C Groups
- Federated Identity Community Group
- This Working Group will work closely with FedIDCG. The expectation is that FedIDCG will incubate proposals which it then hands off to this Working Group for standardization. Most proposals in this Working Group should start in FedIDCG.
- Privacy Interest Group (PING)
- This Working Group will coordinate with PING on the development of principles that will guide the development of privacy-preserving capabilities while still supporting federated authentication and authorization flows.
- Web Application Security Working Group (WebAppSec)
- WebAppSec is both a potential venue for standardization of security-related capabilities and a source of expertise on web privacy.
- Privacy Community Group
- The Privacy Community Group is developing privacy-focused features. This working group is expected to regularly coordinate with the Privacy CG to ensure that the work of the two groups is not in conflict.
- Web Authentication (WebAuthn) Working Group
- While we are not developing an authentication mechanism, this work must operate in conjunction with existing authentication mechanisms. The WebAuthn Working Group may provide input and guidance for this requirement.
- Accessible Platform Architectures (APA) Working Group
- The APA WG seeks to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short term memory are known and thorny topics for people with disabilities. APA WG can represent these issues that have been raised in the Cognitive Accessibility (COGA) TF, and Accessibility Guidelines (AG) WG.
- Verifiable Credentials Working Group
- The VC WG is a likely venue for standardization of Data Model for Verifiable Credentials and they are an important stakeholder in the identity space to coordinate with.
External Organizations
- IETF
- To coordinate with the IETF research groups and working groups, such as oauth, for protocol components that authentication and authorization features depend on.
- OIDF
- To coordinate with the OpenID Foundation (OIDF) for authorization and credentials used in the flows (i.e., OIDC and OpenID4VC specs).
- OASIS
- To coordinate with OASIS for authorization flows used in the flows (i.e., SAML).
- REFEDS
- To coordinate with REFEDS for multi-lateral federation best practices and a representative of the complex use cases of the research and education communities around the world.
- European Telecommunications Standards Institute - Electronic Signatures and Infrastructure Technical Committee
- To coordinate with ETSI for eIDAS, which can use the deliverables of the Group.
- National Institute of Standards and Technology, U.S. Department of Commerce
- To coordinate with NIST for their guidelines of Digital Identity and implementations.
- ISO/IEC JTC 1 SC17 WG4 and WG10
- To coordinate with ISO for their work on interfaces and protocols for security devices and vehicle driver licence and related digital identities (i.e., mdocs).
Participation
To be successful, this Working Group should have participation from large-scale Identity Provider (IdP) operators, large-scale Relying Parties (RPs), federation operators, and browser vendors. In addition, there must be active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.
The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.
The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Conduct.
Communication
Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.
Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Federated Identity Working Group home page.
Most Federated Identity Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.
This group primarily conducts its technical work on GitHub issues. The public is invited to review, discuss and contribute to this work.
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
Decision Policy
This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period from one week to 10 working days, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.
All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.
This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.
Patent Policy
This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the licensing information.
Licensing
This Working Group will use the W3C Software and Document license for all its deliverables.
About this Charter
This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Charter History
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):
| Charter Period | Start Date | End Date | Changes |
|---|---|---|---|
| Initial Charter | 28 March 2024 | 28 March 2026 | (initial) |
| Rechartered | TBD |
Revised in-scope/out-of-scope section Added Digital Credentials API |
Change log
Changes to this document are documented in this section.