Contact emails

[email protected]

Explainers

https://github.com/fedidcg/FedCM/issues/382

https://github.com/fedidcg/FedCM/issues/426

https://github.com/fedidcg/FedCM/issues/456

Specification

https://github.com/fedidcg/FedCM/pull/470

Design docs

(Google internal 
<https://docs.google.com/document/d/1vDXzFArpxbbjfZ9yLXazNs6Kc12g6S7_hTq3udYIh8U/edit?resourcekey=0-3Trh4Xld6cKGNBcO9p6JJg>. 
See tracking bug for implementation and GitHub PR for specification)

Summary

This entry covers a few incremental extensions to the FedCM API:

   - With LoginHint, the RP can specify a hint about the user account they 
     want displayed in the FedCM UI. Accounts which do not match the hint are 
     not displayed. This is mainly used to provide a better UX for returning 
     users and is a feature supported 
     <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest> by 
     OpenID.
   - The UserInfo extension allows the IdP to personalize the login 
     experience for returning users, for instance via personalized sign-in 
     buttons. After the user has used FedCM with a given IdP on some RP site, 
     this API fetches the user accounts from the IdP and returns basic 
     information like name, email, and picture from the response to an IdP 
     iframe on subsequent visits to the RP.
   - With the context parameter, the IdP can request for the FedCM dialog to 
     show a different title than “Sign in”, to improve the message being 
     displayed to the user in the FedCM UI (alternatives currently include 
     “Sign up”, “Continue” and “Use”).

Blink component

Blink>Identity>FedCM 
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>

TAG review

https://github.com/w3ctag/design-reviews/issues/839

TAG review status

Pending

Risks

Interoperability and Compatibility

These are extensions to the FedCM API. Apple and Mozilla have both 
expressed a positive opinion on the initial FedCM API 
<https://groups.google.com/a/chromium.org/g/blink-dev/c/URpYPPH-YQ4/m/bzghj9N3AQAJ>. 
They have not yet been implemented but Mozilla is prototyping 
<https://bugzilla.mozilla.org/buglist.cgi?quicksearch=fedcm>. If a user 
agent chooses not to implement these extensions, it will limit the quality 
of the UI that it can provide to users, but should not break the FedCM 
flow. LoginHint not being implemented means that all available accounts are 
shown, not just the one that the RP wants to display. Context not being 
implemented means that the user agent shows the default UI. And UserInfo 
not being implemented means that the IdP cannot show personalized buttons, 
but they would fall back to the generic ones. Given that Mozilla has also 
expressed a positive position for the extensions in this Intent (see 
below), we do not anticipate interop issues.

Gecko: Positive 
<https://github.com/fedidcg/FedCM/pull/470#discussion_r1223437051>. For 
incremental improvements to FedCM, Firefox has asked us not to file a 
standards position, and they will instead provide feedback in the GitHub 
PR. Their LGTM on the PR 
<https://github.com/fedidcg/FedCM/pull/470#discussion_r1223437051> is thus 
considered a positive signal.

WebKit: No signal <https://github.com/WebKit/standards-positions/issues/175>

Web developers: Positive. These features are being developed to address 
existing use-cases which will not be possible once third-party cookies are 
phased out.

Ergonomics

No new ergonomics risks.

Activation

No new activation risks.

Security

The Context API has no security risks. For the LoginHint API, it is 
important that the user agent treats a no-match the same way as receiving an 
empty accounts list. The UserInfo API can only be called from within the 
IdP’s same-origin <iframes>; even so, our developer documentation will point 
out to identity providers that they need to be careful when using this API 
so as not to accidentally leak information to relying parties through 
postMessage.
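
One way a user agent could apply the LoginHint rule above, as an added example (not Chromium's code and not part of the original message). The `login_hints` account field follows the FedCM accounts response; the function names, outcome strings and sample accounts are constructed for illustration.

```javascript
// Added example: models the LoginHint filtering step in a user agent.
// Not Chromium code. `login_hints` is the per-account field in the IdP's
// accounts response; all other names and values are constructed.

// Single shared outcome for "nothing to show", so every such path is identical.
const NO_ACCOUNTS = Object.freeze({ outcome: "no-accounts" });

// Keep only accounts whose login_hints contain the RP-supplied hint.
// Without a hint, every account stays eligible.
function filterByLoginHint(accounts, loginHint) {
  if (loginHint === undefined) return accounts;
  return accounts.filter(
    (a) => Array.isArray(a.login_hints) && a.login_hints.includes(loginHint)
  );
}

// Decide what the FedCM dialog does. A hint that matches nothing takes the
// same path as an IdP that returned no accounts; a distinct outcome would
// tell the RP whether the hinted account exists at the IdP.
function decideDialog(idpAccounts, loginHint) {
  const list = Array.isArray(idpAccounts) ? idpAccounts : [];
  const shown = filterByLoginHint(list, loginHint);
  if (shown.length === 0) return NO_ACCOUNTS;
  return { outcome: "show-accounts", accountIds: shown.map((a) => a.id) };
}

// Constructed sample accounts response.
const SAMPLE_ACCOUNTS = [
  { id: "1234", email: "alice@idp.example", login_hints: ["alice@idp.example", "1234"] },
  { id: "5678", email: "bob@idp.example", login_hints: ["bob@idp.example"] },
  { id: "9999", email: "carol@idp.example" }, // no login_hints: never matches a hint
];

console.log(decideDialog(SAMPLE_ACCOUNTS, "bob@idp.example"));
console.log(decideDialog(SAMPLE_ACCOUNTS, "nobody@idp.example"));
console.log(decideDialog([], "nobody@idp.example"));
```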

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that 
it has potentially high risk for Android WebView-based applications?

N/A as this feature is not available on WebView.

Debuggability

We added console errors 
<https://bugs.chromium.org/p/chromium/issues/detail?id=1440181> 

Will this feature be supported on all six Blink platforms (Windows, Mac, 
Linux, Chrome OS, Android, and Android WebView)?

No: all except WebView

Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

UserInfo 
<https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/credential-management/fedcm-userinfo.https.html>

LoginHint 
<https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/credential-management/fedcm-loginhint.https.html>

Context <https://chromium-review.googlesource.com/c/chromium/src/+/4605035> 
(while we implemented webdriver and chromedriver support for FedCM, we are 
still missing additional automation 
<https://bugs.chromium.org/p/chromium/issues/detail?id=1453691> for this 
test to run successfully in Chrome)

DevTrial instructions

https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md

Flag name

#fedcm-login-hint, #fedcm-rp-context, and #fedcm-user-info

Requires code in //chrome?

True

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1412893

Launch bug

https://launch.corp.google.com/launch/4249829

Estimated milestones

Shipping on desktop 116

Shipping on Android 116

Anticipated spec changes

Open questions about a feature may be a source of future web compat or 
interop issues. Please list open issues (e.g. links to known github issues 
in the project for the feature specification) whose resolution may 
introduce web compat/interop risk (e.g., changing to naming or structure of 
the API in a non-backward-compatible way).

N/A

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5166718178033664

Links to previous Intent discussions

N/A

This intent message was generated by Chrome Platform Status 
<https://chromestatus.com/>.
