Auto-populating account chooser with Google account

[Manger, James]

Does Chrome automatically populate AccountChooser (AC) with your Google account?

Or automatically preserve any Google account that gets added?

 

If I visit https://www.accountchooser.com/, delete my account records, browser to an RP, then start a login that includes ac.js... AC shows my Google account record!

 

If I delete the Google account record, but leave some others, the Google account does NOT reappear.

But if I then delete all accounts, the Google account reappears.

The resurrection occurs even when I am not logged in to Google (though I guess I still have various cookies and channel ids so they probably do still know who I am).

 

I’m confused.

At first I thought this could be some strange caching behaviour, but it doesn’t quite feel like that.

So I thought I would ask if this behaviour is actually a deliberate feature?

 

--

James Manger

[Adam Dawes]

Hi James,

In July, Account Chooser made an enhancement that lets trusted IDPs (currently only Google and Ping Identity at this time) seed values into the account chooser. This makes AC much more useful to users and we're working to get other IDPs to do the same thing. The behavior you experienced actually works across browsers and not just Chrome. 

thanks,

AD

--

---
You received this message because you are subscribed to the Google Groups "OIDF Account Chooser list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to oidf-account-choos...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Manger, James]

Thanks Adam,

 

Bootstrapping account records if AccountChooser (AC) hasn’t been used before is a great idea.

Automatically re-establishing an account after it has been deliberately removed is less nice. How about we make AC disable bootstrapping from a domain if a user explicitly removes an account record for that domain?

 

 

FYI: It looks like bootstrapping a Google account works if you have a ACCOUNT_CHOOSER cookie for account.google.com, regardless of whether or not you are currently logged in to Google.

 

P.S. IntegralCurve.com is a trusted domain for bootstrapping (in addition to Google and Ping). Is IntegralCurve just a domain used to test/develop the bootstrap functionality?

 

--

James Manger

[Adam Dawes]

Hi James,

Thanks for the question. This is actually kind of complicated. Google actually has it's own Account Chooser. This is built up in a cookie from sessions you create when you log into Google. There is some additional logic that when you sign-in to Google, there is an option to "stay signed in" on this browser. If that option is checked, we take that as a signal that the user wants to trust the machine and it is reasonable to add that account to the Google Account Chooser cookie. 

When accountchooser.com is empty and checks with Google to see if there are any accounts to slurp in, it pulls accounts from the Google Account Chooser cookie. We made a product decision (for a variety of reasons) that we wanted to try to keep the two account choosers in sync. These include: better performance and the fact that Google intends to migrate to accountchooser.com for our own account chooser in the future and we want the behavior to be the same for our users.

So, in effect to opt-out of accountchooser.com, the user should decide that they don't want to stay signed in on that machine when they log in to Google.

thanks,

AD

--

[Pamela Dingle]

IntegralCurve.com is a domain associated with Ping Identity -- it is indeed one of our test domains.

--

Pamela Dingle Sr. Technical Architect @ pdi...@pingidentity.com +1 303.999.5890 Connect with us…