FedCM: July update on the efforts between the R&E community, the web community, and browser vendors
This is an update following continuous meet-ups and other gatherings between representatives of the Research & Education (R&E) community and the browser vendors – discussing what capabilities in and around FedCM are required for our community to continue to serve academic users and their use cases.
In a blog post titled “An emerging new technology for federated access: Federated Credential Management (FedCM)” and several later blog posts (most recent, previous), videos (one, two) and FAQs (for librarians and publishers), we discussed ongoing developments at the major browser vendors that are bound to have a significant impact on how users will experience the web in general, and on federated access in particular. To recap, these changes are driven by concerns around user privacy - including regulations such as GDPR - and meant to stop the unsanctioned tracking of users across the web.
“Why is that relevant to federated access?”, you might ask. Well, the complicating factor is that some browser functionalities that are used to track users, for example third-party cookies, are also used to support federated access - and the browser has no way to tell the difference! This means that, in an effort to improve user privacy, current access solutions for scholarly resources on the web may no longer work in the way they used to.
This is, in fact, already happening today with IP-based access: Apple has started to hide IP addresses by default for certain users, which means that these users may suddenly find themselves unable to access research publications or other scholarly resources if their library relies on IP authentication to provide access (see “Apple’s iCloud Private Relay impacting IP recognition” in our August 2021 newsletter). It also is affecting the implementations of SeamlessAccess as they exist today, with the experience of persistence (a remembered choice of institution) becoming dependent on which browser is being used – but it is yet to have an effect on the core functionality of discovery and authentication.
Recent developments at browser vendors
Google (Privacy Sandbox), Apple (one, “blocking known tracking query”) and Mozilla (one, two, three) have introduced either timelines for implementing, or already implemented, changes that affect third party cookies, IP-authentication and potentially the SAML-protocol.
In particular, Google has announced that they will disable third-party cookies for 1% of Chrome users in Q1 2024.
Mozilla has now included FedCM as part of their developer versions of the Firefox browser. And, in part through our efforts, Google is looking to put together an easy way for service providers to test how their service would work with the current FedCM profiles.
Help us test FedCM
In a lightning talk (starting at minute 27:30) at the TNC23 conference organized by GÉANT, Zacharias Törnblom (Product Manager for SeamlessAccess) issued a call to the community to help test the features in FedCM with their use case and report back to the GitHub repo for FedCM. This remains the best way for our community to help shape the browser changes to something that works for us.
New resources availableSeveral new resources have been created to you may find helpful to better understand the issues and their likely implications:
- “REFEDS Community Chat: Federated Identity and the Browser Update” - a new video by REFEDS that can be used as an introduction to the subject of how this affects the R&E community.
- Representatives from two National Research & Education Networks (NRENs), Canary (Canada) and JISC (UK), put together a test service with FedCM and explain it in this video.
We would suggest visiting and following the REFEDS group “Browser Changes and Federation”, specifically the page “State of browser privacy evolution” where the current known actions taken by browser vendors alongside their adverse affect on R&E technology is listed.
And, as always, you can read up more in the W3C group, and the REFEDS group (also mentioned above) that has been formed to keep the community informed and educated about what the new landscape looks like. If you would like to join in on the conversation then you can find more information on the W3C website. The resources for the proposals can be found in the project’s GitHub, and the discussions around it can be accessed through the mailing list of the W3C community group and the mailing list of the REFEDS group for browser changes.
We will continue to post updates, so please check our website regularly or subscribe to our mailing list.