Mediation requirements <https://w3c.github.io/webappsec-credential-management/#mediation-requirements> are part of the Credential Management API. One of the goals of mediation requirements is to automatically share credentials with the API caller whenever appropriate in order to provide a consistent way for auto re-authentication among the various credential types defined in the Credential Management API. We plan to support mediation requirements in FedCM starting from M115 - for more context about why browsers (e.g. Firefox <https://github.com/fedidcg/FedCM/pull/458#issuecomment-1539631816> besides Chrome) believe this is a reasonable use case to support please refer to this GitHub issue <https://github.com/fedidcg/FedCM/issues/429>.
While this new functionality does not introduce any backwards incompatible API changes, the default user experience with our FedCM implementation will change as follows:

- Before: the browser will not hand over credentials without user mediation, even if the user has explicitly granted permission in the past to hand over the credential to the API caller.
- After: if credentials can be handed over without user mediation (e.g. a user has explicitly granted permission to hand over the credential in the past AND the browser has not received a `preventSilentAccess <https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-preventsilentaccess>` signal), they will be. If not, the browser will prompt users to ask for their permission to proceed.

This is because by default the current FedCM API acts as if `mediation: required` is specified, but with this change the default mediation requirement becomes `mediation: optional` as defined in the Credential Management API. API callers (Identity Providers with an SDK embedded on Relying Party sites, as we suggested; or Relying Parties calling FedCM directly) can keep the existing user experience by changing the default mediation requirements value to `mediation: required`.

It’s worth noting that we originally had a different proposal to support auto re-authentication and are running an origin trial <https://developer.chrome.com/origintrials/#/view_trial/2426314299245854721> between M112 and M114 inclusive (the intent to experiment email can be found here <https://groups.google.com/a/chromium.org/g/blink-dev/c/JM-ILfXvqXs/m/JFYemoxQBgAJ?utm_medium=email&utm_source=footer>). Since the work in this PSA implements an existing mechanism in the Credential Management API, and no longer introduces a new web-exposed boolean, we plan to proceed with this PSA instead of an intent to ship.
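As an added illustration (not code from the PSA or from Chromium), the snippet below shows how an RP or IdP SDK passes the mediation requirement to a FedCM `navigator.credentials.get()` call, sends the `preventSilentAccess` signal on sign-out, and models the browser-side rule described above for `optional` versus `required`. The `configURL`, `clientId` and the `mediationOutcome` model are assumptions for illustration, not Chrome's implementation.

```javascript
// Builds the request object for navigator.credentials.get().
// configURL and clientId are placeholder values (assumed, not from the PSA).
function buildFedCmRequest(mediation) {
  return {
    identity: {
      providers: [{
        configURL: "https://idp.example/fedcm.json", // placeholder
        clientId: "EXAMPLE_CLIENT_ID",               // placeholder
      }],
    },
    // "optional": new default from M115; "required": keeps the pre-M115 UX.
    mediation,
  };
}

// Simplified model of the browser decision described in the PSA (not Chrome's code):
//  - "required": always prompt the user
//  - "optional": hand over silently only if the user previously granted this
//    RP/IdP pair AND no preventSilentAccess() signal has been received since.
// Only the two mediation values the PSA discusses are modelled.
function mediationOutcome(mediation, state) {
  if (mediation === "required") return "prompt";
  if (mediation === "optional") {
    return state.previouslyGranted && !state.silentAccessPrevented
      ? "silent"
      : "prompt";
  }
  throw new Error("unsupported mediation value in this model: " + mediation);
}

// Sign-in: an RP that wants the old behaviour passes "required" explicitly.
// `credentials` is navigator.credentials in a browser.
async function signIn(credentials, mediation = "optional") {
  const cred = await credentials.get(buildFedCmRequest(mediation));
  return cred; // IdentityCredential (with a token) or null
}

// Sign-out: record the signal so the browser prompts again next time
// instead of auto re-authenticating under mediation: "optional".
async function signOut(credentials) {
  await credentials.preventSilentAccess();
}
```

In a page, `signIn(navigator.credentials, "required")` keeps the existing prompt-every-time experience, while `signIn(navigator.credentials)` opts into the new default.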
To ensure users will maintain a consistent experience with FedCM, we reached out to existing partners and they have updated their implementation accordingly. E.g. partners who are participating in the auto re-authentication origin trial have switched to `mediation: optional`. Partners who are not have specified `mediation: required` in the API call to keep the existing UX.
