On Thu, Nov 7, 2024 at 2:37 PM Zachary Tan <tanzach...@chromium.org> wrote:

> Contact emails
>
> y...@chromium.org, tanzach...@chromium.org, cbiesin...@chromium.org
>
> Explainer
>
> https://github.com/w3c-fedid/active-mode
>
> Specification
>
> Spec PR for the Mode API: https://github.com/w3c-fedid/FedCM/pull/660
>
> Spec PR for the Use Another Account API:
> https://github.com/w3c-fedid/FedCM/pull/678
>

These spec PRs are still open. Is there something blocking finishing and
landing them?


> Summary
>
> We intend to ship two new extensions for FedCM to address two issues that
> were collectively identified as CR blockers
> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues>
>  by
> the FedID WG: “A not-yet logged in IDP has no route to success”
> <https://github.com/w3c-fedid/active-mode/issues/2> and “Allow signing in
> to additional account(s) <https://github.com/w3c-fedid/FedCM/issues/511>”.
>
> To address this issue, we intend to introduce the following extensions to
> FedCM:
>
> - Mode: The “active” mode allows websites to call FedCM inside a button
> click (e.g. clicking on a “Sign-in to IdP” button), which requires FedCM to
> guarantee it will always respond with a visible user interface (as opposed
> to in “passive” mode, which doesn’t show any UI when users are logged out).
> So, calling the FedCM API in “active mode” takes users to log in to the
> Identity Provider (IdP) when users are logged-out. Also, because the active
> mode is called within an explicit user gesture, the UI is also more
> prominent (e.g. centered and modal) compared to the UI from the passive
> mode (which doesn’t require a user gesture requirement and can be called on
> page load).
>
> - Use Other Account: With this extension, an IdP can allow users to sign
> in to other accounts.
>
> In addition, the APIs are solving two related CR blockers
> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues>
>  identified
> <https://lists.w3.org/Archives/Public/public-fedid-wg/2024Jul/0006.html> by
> the FedID WG.
>
> Feedback from Origin Trial:
>
> We ran the Origin Trial
> <https://developer.chrome.com/origintrials/#/view_trial/2288391560657633281> 
> with
> 30+ registrants. The feedback we got was positive.
>
> From the extension’s perspective, this proposal is sufficient
> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914>
>  to assist the users who are not signed in to their IdP when FedCM
> extension is invoked. We also renamed the extension from “button” mode to
> “active” mode to untie from certain UI affordances which was well received
> <https://github.com/w3c-fedid/FedCM/pull/660#issuecomment-2414525421> by
> partners as well.
>
> From UX’s perspective, we have been iterating on the Chrome implementation
> based on feedback to address potential usability issues and provide users
> better context about their login.
>
> Blink component
>
> Blink>Identity>FedCM
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>
>
> Search tags
>
> fedcm <https://chromestatus.com/features#tags:fedcm>
>
> TAG review
>
> https://github.com/w3ctag/design-reviews/issues/935
>
> TAG review status
>
> Pending
>
> Chromium Trial Name
>
> FedCmButtonMode, FedCmUseOtherAccount
>
> Origin Trial documentation link
>
>
> https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-125-updates#button-mode-api
>
> WebFeature UseCounter name
>
> kFedCmButtonMode, kFedCmUseOtherAccount
>
> Risks
> Interoperability and Compatibility
>
> Gecko: Not filing a standards position request for small additions at the
> explicit request from Firefox (they prefer PRs). Positive on the “active”
> mode based on TPAC discussions and GitHub issues
> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914>
> .
>
> WebKit: No signal on the particular FedCM extensions. Positive
> <https://github.com/WebKit/standards-positions/issues/309#issuecomment-2008324563>
>  on
> the initial FedCM API. Standards position requests for FedCM extensions
> have been merged
> <https://github.com/WebKit/standards-positions/issues/309> so not filing
> a new one.
>
> Web developers: Positive <https://github.com/fedidcg/FedCM/issues/442> These
> features are being developed to address existing feedback for the FedCM API.
>
> Other signals: N/A
>
> Activation
> Similar to the FedCM API, we deliberately leave the bulk of the work to
> the IdP to ensure that minimal RP change is needed.
>
> This feature, specifically, is one that can be currently controlled by JS
> SDKs, so we expect activation to have a similar profile as FedCM:
> immediately enabled to websites (without redeployment) by IdPs making use
> of it (by redeploying their JS SDKs).
>
> Security
>
> The active mode shares all of the security properties from the passive
> mode. e.g. honoring CSP, CORS, using security headers, not asking users to
> type in the browser UI etc.
>
> It’s worth noting that the pop-up window has the same web platform
> properties as what one would get with
> window.open(url, "", "popup,noopener,noreferrer") that loads the login_url.
> No communication between the website and this pop-up is allowed
> (e.g. no postMessage, no window.opener).
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
> None
>
> Debuggability
>
> Same as FedCM in general – console messages in devtools and general JS
> debugging. e.g. we show messages when transient activation is missing when
> invoking an active mode, or when a passive flow is terminated in favor of
> an active flow etc.
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?
>
> No, FedCM API is not available in WebView
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
> ?
>
> Yes
> <https://wpt.fyi/results/fedcm/fedcm-button-and-other-account?label=master&label=experimental&aligned&q=fedcm%2Ffedcm-button-and-other-account%2F>
>
> Flag name on chrome://flags
>
> FedCmButtonMode, FedCmUseOtherAccount
>
> Finch feature name
>
> FedCmButtonMode, FedCmUseOtherAccount
>
> Requires code in //chrome?
>
> True
>
> Tracking bug
>
> https://crbug.com/1490588, https://crbug.com/40939658
>
> Launch bug
>
> https://launch.corp.google.com/launch/4348674
>
> Sample links
>
> https://fedcm-button.glitch.me
>
> Estimated milestones
>
> Shipping on desktop
>
> 132
>
> Origin trial desktop first
>
> 125
>
> Origin trial desktop last
>
> 133
>
> Origin trial extension 1 end milestone
>
> 130
>
> Origin trial extension 2 end milestone
>
> 133
>
> DevTrial on desktop
>
> 124
>
> Shipping on Android
>
> 132
>
> Origin trial Android first
>
> 128
>
> Origin trial Android last
>
> 133
>
> DevTrial on Android
>
> 125
>
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
>
> None
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/4689551782313984?gate=4942283999019008
>
> Links to previous Intent discussions
>
> Intent to Prototype:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCPzJ1beiSbsmQqvu9x24zmf6LkGuup%3DgPVyXEx%2Bux9%3Dyg%40mail.gmail.com
>
> Intent to Experiment:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1745ebe7-6c98-49c7-9d98-94b25d39b409n%40chromium.org
>
> Intent to Extend Experiment 1:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/bQqXXv2S9q0/m/yHvhuFL3AQAJ
> Intent to Extend Experiment 2:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCMPQ9s2hUR2UYuTTkRDra0qfjxBXA0bOme2baQGbPE6NA%40mail.gmail.com
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

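The active/passive distinction described in the quoted Summary and Debuggability sections, as an added example that is not part of the thread or of Chromium's code: an RP-side wrapper that only requests "active" mode while a user gesture is live. The config URL, client id, element id and the downgrade-to-passive policy are assumptions made for illustration.

```javascript
// Added example. IDP_CONFIG_URL and CLIENT_ID are placeholders, not values
// taken from the thread.
const IDP_CONFIG_URL = "https://idp.example/fedcm.json";
const CLIENT_ID = "rp-client-id-placeholder";

// Build the options object for navigator.credentials.get().
// "active" is meant to be called from a button click; "passive" may run on load.
function buildFedCmOptions(mode) {
  if (mode !== "active" && mode !== "passive") {
    throw new TypeError(`unsupported FedCM mode: ${mode}`);
  }
  return {
    identity: {
      mode,
      providers: [{ configURL: IDP_CONFIG_URL, clientId: CLIENT_ID }],
    },
  };
}

// env is injectable so the decision logic can be exercised outside a browser.
function pickMode(requested, env = globalThis) {
  const gestureLive = env.navigator?.userActivation?.isActive === true;
  // Active mode is tied to an explicit user gesture; without transient
  // activation, fall back to passive (a policy choice of this example).
  return requested === "active" && !gestureLive ? "passive" : requested;
}

async function signIn(requested, env = globalThis) {
  const creds = env.navigator?.credentials;
  if (!creds || !("IdentityCredential" in env)) return null; // FedCM unavailable
  const mode = pickMode(requested, env);
  try {
    const credential = await creds.get(buildFedCmOptions(mode));
    return { mode, token: credential?.token ?? null };
  } catch (err) {
    // Dismissal or any other failure rejects the promise.
    return { mode, token: null, error: err.name };
  }
}

// Browser wiring (assumed element id "sign-in"):
// document.querySelector("#sign-in")
//   .addEventListener("click", () => signIn("active"));
```

Calling `signIn("active")` directly from the click handler keeps the gesture live; awaiting other work first can let transient activation expire before the FedCM call.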