Vittorio Bertocci, Principal Architect at Auth0, is to deliver a presentation entitled "Browser Features vs. Identity Protocols: An Arms Race?" on Tuesday, September 14 starting at 9:50 am at EIC 2021.
To give you a sneak preview of what to expect, we asked Vittorio some questions about his planned presentation.
Why are browser vendors introducing changes in their products that impact how we do identity today?
Browser vendors really mean well. What they are doing is looking out for the users, and we know that today, one of the big engines of the economy is the ability of advertisers to profile people, even without their knowledge or consent, so that they can serve high-performing ads. And a lot of this tracking occurs by using low-level primitives in the browser, such as cookies, redirects, and decorated links. And so, browser vendors are trying to put a stop to it by inhibiting some of those functionalities in particular scenarios, or sometimes, we have had a lot of discrimination, eliminating entire categories or features.
Unfortunately, identity, and in particular federated identity, is built on the same building blocks that are used by the advertisers. And so, the outcome is that any actions against tracking that do not really understand the difference between ad tracking and federated identity will affect the federated identity scenarios. And so that is basically what is going on right now.
What are the short-term consequences people need to consider, if any?
The short-term impact of this can be quite painful for a number of customers. Let's say that some changes already went [into] production, so, the famous intelligent tracking protection in Safari and the different SameSite defaults in Chrome. The plans that Chrome had to [completely] eliminate third-party cookies have now luckily been delayed by a couple of years.
And the outcome of those is that entire scenarios can just stop working. So, if, for example, you have a web application which runs mostly in JavaScript and executes code in the browser, and it relies on the ability to access third-party cookies to get the tokens out of band, instead of actually showing redirects to the user, then applications might actually be unable to get to those tokens in the background. And so, the experience of the user would be disrupted, and the same goes for distributed logout.
You log out from one app expecting that you would be logged out from all the apps that are using the same identity provider, but it might not happen. You might end up being logged out only from one app, but still be logged in[to] the other apps. And those are short-term consequences. There are medium-term consequences, which can be far more severe. There are talks about introducing features that limit the way in which your browsers redirect, and that will potentially break SAML, which is extraordinarily adopted.
A lot of critical infrastructure relies on SAML. And the moment in which those changes will occur, again, with SAML, is basically done - it is not dead, because people are using it, but it is done. There is a longer innovation. If it imposes changes that would require products to change the way in which we do SAML, we would be in big trouble because a lot of websites, institutions, [and] universities would just stop working.
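The breakage described in this answer comes down to which cookies a browser attaches to a cross-site request made from a hidden iframe (silent token renewal, front-channel logout) versus a top-level redirect to the identity provider. The following is an added, simplified model of those rules, written for this page and not code from Auth0 or from the talk; the `Set-Cookie` headers, the three named policies (`legacy`, `lax-by-default` for Chrome's SameSite change, `block-third-party` for Safari ITP-style blocking and the planned full removal of third-party cookies) and the request descriptors are all constructed assumptions, and the model ignores Path, Domain, expiry and the Lax+POST grace period.

```javascript
// Simplified model of browser cookie-attachment rules (constructed for illustration;
// not a complete implementation of RFC 6265bis or of any browser's actual policy).

/** Parse a Set-Cookie header value into { name, value, sameSite, secure }. */
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = v.toLowerCase();
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

/**
 * Decide whether a cookie is attached to a request under a given policy.
 *   policy:  'legacy'            - missing SameSite behaves like None (pre-2020 default)
 *            'lax-by-default'    - missing SameSite behaves like Lax; None requires Secure (Chrome 80+)
 *            'block-third-party' - as above, plus no cookies at all in cross-site subresource/iframe
 *                                  contexts (ITP-style / full third-party cookie removal)
 *   request: { crossSite, topLevelNavigation, method, https }
 */
function cookieIsSent(cookie, request, policy) {
  const newDefaults = policy !== 'legacy';
  let mode = cookie.sameSite;
  if (mode === null || !['none', 'lax', 'strict'].includes(mode)) {
    mode = newDefaults ? 'lax' : 'none';            // unrecognised values fall back to the default
  }
  if (newDefaults && mode === 'none' && !cookie.secure) return false; // rejected at set time
  if (cookie.secure && !request.https) return false;
  if (!request.crossSite) return true;              // same-site requests are never affected
  if (policy === 'block-third-party' && !request.topLevelNavigation) return false;
  switch (mode) {
    case 'none':   return true;
    case 'lax':    return request.topLevelNavigation && request.method === 'GET';
    case 'strict': return false;
  }
}

// Constructed request contexts: an app on app.example calling an IdP on idp.example.
const HIDDEN_IFRAME_REQUEST = { crossSite: true, topLevelNavigation: false, method: 'GET', https: true };
const TOP_LEVEL_REDIRECT    = { crossSite: true, topLevelNavigation: true,  method: 'GET', https: true };

/** Silent token renewal (prompt=none in a hidden iframe) needs the IdP session cookie. */
function silentRenewalWorks(idpSetCookie, policy) {
  return cookieIsSent(parseSetCookie(idpSetCookie), HIDDEN_IFRAME_REQUEST, policy);
}

/** Front-channel logout loads each app's logout URL in an iframe; the app's session cookie must arrive. */
function frontChannelLogoutWorks(appSetCookie, policy) {
  return cookieIsSent(parseSetCookie(appSetCookie), HIDDEN_IFRAME_REQUEST, policy);
}

/** A redirect-based login sends the browser to the IdP as a top-level navigation. */
function redirectLoginWorks(idpSetCookie, policy) {
  return cookieIsSent(parseSetCookie(idpSetCookie), TOP_LEVEL_REDIRECT, policy);
}

// Constructed sample headers as an IdP or app might have emitted them.
const SESSION_NO_SAMESITE  = 'idp_session=abc123; Path=/; HttpOnly';
const SESSION_NONE_SECURE  = 'idp_session=abc123; Path=/; HttpOnly; SameSite=None; Secure';
const SESSION_NONE_NOT_SEC = 'idp_session=abc123; Path=/; HttpOnly; SameSite=None';

if (typeof require !== 'undefined' && require.main === module) {
  for (const policy of ['legacy', 'lax-by-default', 'block-third-party']) {
    console.log(policy, {
      silentRenewalLegacyCookie: silentRenewalWorks(SESSION_NO_SAMESITE, policy),
      silentRenewalFixedCookie:  silentRenewalWorks(SESSION_NONE_SECURE, policy),
      redirectLogin:             redirectLoginWorks(SESSION_NO_SAMESITE, policy),
    });
  }
}
```

Running it shows the shape of the problem: a session cookie that never declared `SameSite` keeps working for the redirect flow under every policy, silently stops working for iframe-based renewal and logout once Lax becomes the default, is repaired by `SameSite=None; Secure` under Chrome's defaults, and is not repairable by any cookie attribute once third-party cookies are blocked outright. A practical check on your own deployment is to grep your IdP's and apps' `Set-Cookie` headers for session cookies that lack an explicit `SameSite` attribute.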
What are the long-term consequences people need to consider, if any?
The long-term consequences are more nuanced. One of the things that we as an industry are trying to do with browser vendors and identity providers, and identity vendors and similar, is to devise a new class of primitives that allow the browser to do identity explicitly instead of using low-level primitives, like cookies and redirects. We could offer APIs that do identity. The challenge with that is that if you go too high in the abstraction layers, you end up with something which is very inflexible. And as we know, from a history of how identity came to be on the internet, we need what we call permissionless innovation, as in, the ability to devise new scenarios, starting from flexible primitives.
If your primitives are not very flexible because they address specific scenarios, you can address today's scenarios, but there is no guarantee you would be able to address tomorrow's scenarios. And so, we need to strike this balance, and if we fail to do so, we might actually significantly hamper innovation.
What is the best way for people in the identity industry to help move things forward?
The absolute best way is to get involved. We have been talking with the browser vendors for a couple of years at this point, all as separate entities, like separate companies, and this is not very efficient. It is not very exhaustive because we all, all identity operators in the industry, have a different perspective and different use cases. So, we have been working in collaboration with the W3C to create a tent, a forum where we can all come together [at] the table and discuss our scenarios and contribute all our points of view. And it is a community group in the W3C called the FedID (Federated Identity) group. And the best way is really to participate. So, join the group, join the calls, participate in the discussion so that we can move these aspects of identity and browsers forward together.