Contact emails
[email protected]

Explainers
https://github.com/fedidcg/FedCM/issues/382
https://github.com/fedidcg/FedCM/issues/426
https://github.com/fedidcg/FedCM/issues/456

Specification
https://github.com/fedidcg/FedCM/pull/470

Design docs
(Google internal <https://docs.google.com/document/d/1vDXzFArpxbbjfZ9yLXazNs6Kc12g6S7_hTq3udYIh8U/edit?resourcekey=0-3Trh4Xld6cKGNBcO9p6JJg>. See tracking bug for implementation and GitHub PR for specification)

Summary
This entry covers a few incremental extensions to the FedCM API:

- With LoginHint, the RP can specify a hint about the user account they want displayed in the FedCM UI. Accounts which do not match the hint are not displayed. This is mainly used to provide a better UX for returning users and is a feature supported <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest> by OpenID.
- The UserInfo extension allows the IdP to personalize the login experience for returning users, for instance via personalized sign-in buttons. After the user has used FedCM with a given IdP on some RP site, this API fetches the user accounts from the IdP and returns basic information like name, email, and picture from the response to an IdP iframe on subsequent visits to the RP.
- With the context parameter, the IdP can request for the FedCM dialog to show a different title than “Sign in”, to improve the message being displayed to the user in the FedCM UI (alternatives currently include “Sign up”, “Continue” and “Use”).

Blink component
Blink>Identity>FedCM <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>

TAG review
https://github.com/w3ctag/design-reviews/issues/839

TAG review status
Pending

Risks

Interoperability and Compatibility
These are extensions to the FedCM API. Apple and Mozilla have both expressed a positive opinion on the initial FedCM API <https://groups.google.com/a/chromium.org/g/blink-dev/c/URpYPPH-YQ4/m/bzghj9N3AQAJ>. They have not yet been implemented but Mozilla is prototyping <https://bugzilla.mozilla.org/buglist.cgi?quicksearch=fedcm>. If a user agent chooses not to implement these extensions, it will limit the quality of the UI that it can provide to users, but should not break the FedCM flow. LoginHint not being implemented means that all available accounts are shown, not just the one that the RP wants to display. Context not being implemented means that the user agent shows the default UI. And UserInfo not being implemented means that the IDP cannot show personalized buttons, but they would fall back to the generic ones. Given that Mozilla has also expressed a positive position for the extensions in this Intent (see below), we do not anticipate interop issues.

Gecko: Positive <https://github.com/fedidcg/FedCM/pull/470#discussion_r1223437051>
For incremental improvements to FedCM, Firefox has asked us not to file a standards position, and they will instead provide feedback in the GitHub PR. Their LGTM on the PR <https://github.com/fedidcg/FedCM/pull/470#discussion_r1223437051> is thus considered as a positive signal.

WebKit: No signal <https://github.com/WebKit/standards-positions/issues/175>

Web developers: Positive
These features are being developed to address existing use-cases which will not be possible once third-party cookies are phased out.

Ergonomics
No new ergonomics risks.

Activation
No new activation risks.

Security
Context API has no security risks. For LoginHint API, it is important that the user agent treats no-match the same way as receiving an empty accounts list. For UserInfo API, it can only be called from within the IdP’s same-origin <iframes>, but still our developer documentation will point out to identity providers that they need to be careful when using this API in order to not accidentally leak information to relying parties through postMessage.

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
N/A as this feature is not available on WebView.

Debuggability
We added console errors <https://bugs.chromium.org/p/chromium/issues/detail?id=1440181>

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No: all except WebView

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
UserInfo <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/credential-management/fedcm-userinfo.https.html>
LoginHint <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/credential-management/fedcm-loginhint.https.html>
Context <https://chromium-review.googlesource.com/c/chromium/src/+/4605035> (while we implemented webdriver and chromedriver support for FedCM, we are still missing additional automation <https://bugs.chromium.org/p/chromium/issues/detail?id=1453691> for this test to run successfully in Chrome)

DevTrial instructions
https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md

Flag name
#fedcm-login-hint, #fedcm-rp-context, and #fedcm-user-info

Requires code in //chrome?
True

Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1412893

Launch bug
https://launch.corp.google.com/launch/4249829

Estimated milestones
Shipping on desktop 116
Shipping on Android 116

Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing the naming or structure of the API in a non-backward-compatible way).
N/A

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5166718178033664

Links to previous Intent discussions
N/A

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
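
The LoginHint requirement in the Security section (a hint that matches no account must look the same as an empty accounts list) can be modelled as below. This is an added example, not code from this message or from Chromium: the function names, the outcome values and the sample accounts are constructed for illustration, the `login_hints` account field and the RP-supplied `loginHint` follow the FedCM specification, and treating an absent hint as "no filtering" is an assumption.

```javascript
// Constructed sample of an IdP accounts-endpoint response (not real data).
const sampleAccounts = [
  { id: "1234", name: "Ana Example", email: "ana@idp.example",
    login_hints: ["ana@idp.example", "1234"] },
  { id: "5678", name: "Bo Example", email: "bo@idp.example",
    login_hints: ["bo@idp.example"] },
  { id: "9999", name: "No Hints", email: "nohints@idp.example" },
];

// Keep only accounts whose login_hints contain the RP's loginHint exactly.
// Assumption: an absent hint means "no filtering"; an account that carries
// no login_hints never matches a hint, even if its email equals the hint.
function filterByLoginHint(accounts, loginHint) {
  if (loginHint === undefined || loginHint === null) return accounts.slice();
  return accounts.filter(
    (a) => Array.isArray(a.login_hints) && a.login_hints.includes(loginHint)
  );
}

// Simplified model of a request. uiAccountIds is what the browser UI would
// list; rpOutcome is all the relying party can observe at this stage.
// "No account matched the hint" and "the IdP returned no accounts" take the
// same branch and return the same frozen value, so an RP cannot cycle
// through hints to learn which accounts the user holds at the IdP.
const NO_ACCOUNTS = Object.freeze({ uiAccountIds: [], rpOutcome: "rejected" });

function resolveRequest(accounts, loginHint) {
  const shown = filterByLoginHint(accounts || [], loginHint);
  if (shown.length === 0) return NO_ACCOUNTS;
  return {
    uiAccountIds: shown.map((a) => a.id),
    rpOutcome: "pending-user-choice",
  };
}

// Stand-alone demo on the constructed data.
console.log(resolveRequest(sampleAccounts, "bo@idp.example"));
console.log(resolveRequest(sampleAccounts, "stranger@idp.example"));
console.log(resolveRequest([], "stranger@idp.example"));
```
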
