On Monday, October 23, 2023 at 3:03:59 PM UTC+2 blink-dev wrote:

Contact emails

y...@chromium.org

Explainer

https://github.com/fedidcg/FedCM/issues/488


It'd be useful to write a short (inline?) explainer here outlining what 
this does and what it'd look like.
Specifically, would we start throwing on errors in scenarios that silently 
failed before?
 

https://github.com/fedidcg/FedCM/issues/497


Similarly, a short explainer outlining what this does and how would help 
in reviewing this intent.


Specification

https://github.com/fedidcg/FedCM/pull/498

https://github.com/fedidcg/FedCM/pull/500


What's preventing these PRs from landing?
 


Design docs

https://docs.google.com/document/d/1DEjbFSAMmmT47_n8JBLmcleCNPz_WS5a24WDrglSQMo/edit?usp=sharing

Summary

Dedicated APIs to help developers and users to better understand the 
authentication flow. Both APIs are triggered post user permission to sign 
in to an RP with an IdP. i.e. after the user clicks the "Continue as" 
button. 


- With Error API, if a user's sign-in attempt fails, the IdP can share the 
reasons with the browser to keep both users and RP developers updated. 

- With AutoSelectedFlag API, both IdP and RP developers could have a better 
understanding about the sign-in UX, evaluate performance and segment 
metrics accordingly.


Blink component

Blink>Identity>FedCM 
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>

Search tags

fedcm <https://chromestatus.com/features#tags:fedcm>

TAG review

https://github.com/w3ctag/design-reviews/issues/893

TAG review status

Issues addressed

Risks

Interoperability and Compatibility

These are extensions to the FedCM API. Apple and Mozilla have both 
expressed a positive opinion on the initial FedCM API 
<https://groups.google.com/a/chromium.org/g/blink-dev/c/URpYPPH-YQ4/m/bzghj9N3AQAJ>[1]
 
and Mozilla is currently prototyping 
<https://groups.google.com/a/mozilla.org/g/dev-platform/c/ncmUwK1uO98/m/COhPA4ZrAAAJ>
 
the FedCM API. If a user agent chooses to not implement these extensions, 
it may hurt the quality of the UI that they can provide to users, but 
should not break the FedCM flow.

Gecko: Under consideration (https://github.com/fedidcg/FedCM/pull/498, 
https://github.com/fedidcg/FedCM/pull/500) Firefox has asked us not to file 
a standards position, and they provided feedback in the GitHub PR.

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/249)

Web developers: Positive These features are being developed to address 
existing use-cases which will not be possible once third-party cookies are 
phased out.

Other signals:

Security

For the Error API, the browser may open a pop-up window with a URL provided 
by the IdP when an error happens. It has the same web platform properties 
as what one would get with window.open(url, "", "popup,noopener,noreferrer") 
that loads the error.url. No communication between the website and this 
pop-up is allowed (e.g. no postMessage, no window.opener). We have also 
considered the potential phishing risk and have mitigations in place (see 
the explainer for more details).


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that 
it has potentially high risk for Android WebView-based applications?

FedCM is not supported in WebView


Debuggability

The two new APIs are extensions of the FedCM API which has proper devtools 
support. 


For the Error API, the browser takes an error returned by the IdP (if any) 
and rejects the promise with an error exception. For RP developers, the 
only thing that they need to take care of is handling the exception which 
may not need DevTools support. For IdP developers, the only potentially 
useful information that we could add to the console is when the error URL 
is cross-site to the IdP in which case we won't use the error URL in the 
flow.

For AutoSelectedFlag API, it just introduces a new boolean for both IdP and 
RP developers to parse. We believe that in this case we don't need to 
provide extra information in DevTools.


Will this feature be supported on all six Blink platforms (Windows, Mac, 
Linux, Chrome OS, Android, and Android WebView)?

FedCM is available in all Blink platforms except for WebView.


Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
?

Yes.

Testing on wpt.fyi is blocked on 
https://github.com/web-platform-tests/wpt/pull/40709 getting reviewed and 
merged. Otherwise, we are adding tests that will be in the 
credential-management directory as shown on the WPT dashboard here: 
https://wpt.fyi/results/credential-management?label=experimental&label=master&aligned


DevTrial instructions

https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md

Flag name on chrome://flags

chrome://flags/#fedcm-error

chrome://flags/#fedcm-auto-selected-flag

Finch feature name

FedCmError

FedCmAutoSelectedFlag

Requires code in //chrome?

True

Tracking bug

https://crbug.com/1477253

Launch bug

https://launch.corp.google.com/launch/4273845

Sample links

https://drive.google.com/file/d/1Z8r4OkQMmKulGv-vf-XTfwqh6VUyGZF9/view?usp=sharing

Estimated milestones

Shipping on desktop

120

Shipping on Android

120




Anticipated spec changes

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5384360374566912

Links to previous Intent discussions

Intent to prototype: 
https://groups.google.com/a/chromium.org/g/blink-dev/c/YfaGM8v-Ocs/m/4E0RHMhJAwAJ

This intent message was generated by Chrome Platform Status 
<https://chromestatus.com/>.

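The Debuggability answer above says an error URL that is cross-site to the IdP is not used in the flow. The following is an added example, not part of the original message or of Chromium's code: a small lint an IdP developer could run over their error responses to see whether `error.url` would be dropped. The `error.code` field name is assumed from the FedCM error response shape, the site comparison is a simplification (scheme plus last two host labels rather than the Public Suffix List), and all URLs are constructed.

```javascript
// Added example. lintErrorResponse and siteOf are hypothetical helper names.

// Approximate schemeful "site": scheme + last two host labels.
// Assumption: browsers use the Public Suffix List, so multi-label suffixes
// such as co.uk would need a PSL library here.
function siteOf(url) {
  const host = url.hostname;
  const isIp = /^[\d.]+$/.test(host) || host.startsWith("[");
  const labels = host.split(".");
  const registrable = isIp || labels.length <= 2 ? host : labels.slice(-2).join(".");
  return `${url.protocol}//${registrable}`;
}

// configURL: the IdP's FedCM config URL. body: parsed JSON the IdP returns
// when the sign-in attempt fails.
function lintErrorResponse(configURL, body) {
  const error = body && body.error;
  if (!error || typeof error !== "object") {
    return { hasError: false, code: null, urlUsed: false, warnings: [] };
  }
  const warnings = [];
  let urlUsed = false;
  if (error.url !== undefined) {
    const idp = new URL(configURL);
    let target = null;
    try {
      // Assumption: a relative error.url resolves against the IdP.
      target = new URL(error.url, idp);
    } catch {
      warnings.push("error.url is not a valid URL");
    }
    if (target && siteOf(target) !== siteOf(idp)) {
      warnings.push(`error.url ${target.href} is cross-site to the IdP and will not be used`);
    } else if (target) {
      urlUsed = true;
    }
  }
  return { hasError: true, code: error.code ?? null, urlUsed, warnings };
}
```
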