@rhiaro and I took a look at this today (apologies for the long delay), LoginHint and the RPContext seem fine by us, but we have a question about UserInfo.

The explainer mentions that the UA would retain user information even after the user signs out of the IDP. Considering a shared computer, e.g. I sign in to a service at a computer in my library, then sign out, it seems that the next person using that computer gets to see information about my identity, which I would not expect after having signed out. Are we understanding that correctly or are we missing something?

Hello, I can clarify. The UA does not retain the user info, but instead performs an accounts fetch to determine which IDP accounts are still available at the time in which the UserInfo API is requested. So in the example mentioned, after you log out of the IDP in a shared computer, the next person would not see your identity since the accounts fetch will not return your account.

Understood, thanks for the clarification. This then raises the question of log out flow, if the user logs out of the RP, are they always logging out of the IDP? If not, is that clear to them that they are still logged in to the IDP?

If the user logs out of the RP, they are still logged in to the IDP. They would have had to manually log in to the IDP, though, so that should not be surprising to a user.

Given people's experience with SAML/OIDC single-sign-out (and it's lack of consistent implementations) I expect most users don't really understand the difference. Having a normal logout flow not sign the user out of the IDP is reasonable, but I feel it's important for the distinction to be made clear to the user. Especially in a shared-use scenario.

Sorry, how is this relevant to the features in this review? If this was about the login status API or some other feature that lets you login to the IDP, then I can see the concern. With the UserInfo API, the information is only available to the IDP iframe within the RP website. So if the user logs out of the RP, the user may see personalized info in the RP website because they are still logged in to the IDP. I don't see how this is unexpected.

The feedback is about UserInfo potentially leaking personal information in a shared computer environment. It's not about making the previous user's identity available to an iframe, but displaying it to the next user of the computer if the previous user didn't log out of what they thought they were logging out of.

Think of a public computer in a library, person A logs into a site via FedCM, then when finished, logs out of the RP, but doesn't realize they haven't logged out of the IDP, and closes the tab/window. The next person using the computer, potentially someone who was stalking person A, recognizes the site Person A was visiting, visits that site and gets to see person A's name and possibly email address.

(There's also the issue of the next user leveraging the status of still being logged in to the IDP and using that to access the RP as the previous user.)

Hmm ok. But how did the user log in to the site via FedCM? They must have had to login to the IDP. So I suppose the steps are:

• Login to IDP
• Visit RP and login to RP by using FedCM
• Log out of RP only.
• Leave the computer for next person to use.

So in this case, the next person seeing person A's name and email on the RP can just as easily instead visit the IDP site, where the person A is still logged in(!!!). So UserInfo API is the least of person A's problems, and does not introduce any new information that the stalker cannot learn otherwise. In fact, the stalker has complete access to person A's IDP at this point since they forgot to log out of the IDP, regardless of the UserInfo API.