LGTM2

On 9/29/25 11:55 a.m., Rick Byers wrote:
On Mon, Sep 29, 2025 at 2:15 PM Alex Russell <[email protected]> wrote:

    Thanks so much for making this easier to understand. Helps a lot,
    and as a result, I now understand that the design has a problem:

    JSON allows a single string value as a valid payload;
    e.g.  JSON.parse(`"foo"`). This seems to be a problem for the
    design, which relies on authors sending objects instead of strings
    as a reliable discriminator. How can you validate that this isn't
    going to create issues in the wild?


The explainer suggests conditioning RP behavior on the type. I think this works, right? The IDP has to continue to know that tokens are always objects (just optionally encoded as JSON serialized strings), never just bare strings. But that's not a new requirement.

Now of course there's the RP/IDP compatibility problem that comes from any new RP-exposed FedCM feature an IDP can opt into, and I assume that would be on IDPs to manage like they manage any other change in their protocol with their RPs. E.g., Google Sign-in would presumably update their SDK to support both token formats but wait for some period before actually sending the new token formats to all RPs (probably trialing only with RPs they know have updated). Whether it actually is worth the effort for any IDP to migrate is unclear to me. But if an IDP new to FedCM wanted this then I don't see a problem, right?


    Best,

    Alex

    On Friday, September 26, 2025 at 1:41:51 PM UTC-7 Suresh Potti wrote:

        Updated the explainer. Pls review.

        Thanks,

        Suresh

        *From:*Alex Russell <[email protected]>
        *Sent:* Wednesday, September 10, 2025 8:44 PM
        *To:* blink-dev <[email protected]>
        *Cc:* Yoav Weiss <[email protected]>;
        [email protected] <[email protected]>; Suresh Potti
        <[email protected]>; Chromestatus
        <[email protected]>
        *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship:
        FedCM—Support Structured JSON Responses from IdPs


                


                

        I like the change, but the linked "explainer" doesn't cover
        the ground we expect to see. Can you please draft a separate
        document for this feature and address questions raised in the
        GH thread in that doc?

        Thanks,

        Alex

        On Tuesday, September 9, 2025 at 5:33:34 AM UTC-7 Yoav Weiss
        wrote:

            LGTM1

            This seems like a small yet useful addition.

            On Sat, Sep 6, 2025 at 5:51 AM Chromestatus
            <[email protected]> wrote:


                        Contact emails

                [email protected]


                        Explainer

                
https://github.com/w3c-fedid/idp-registration/issues/13#issuecomment-3254858070



                        Specification

                https://github.com/w3c-fedid/FedCM/pull/771


                        Summary

                Allows Identity Providers (IdPs) to return structured
                JSON objects instead of plain strings to Relying
                Parties (RPs) via the id_assertion_endpoint. This
                change simplifies integration for developers by
                eliminating the need to manually serialize and parse
                JSON strings. It enables more dynamic and flexible
                authentication flows, allowing RPs to interpret
                complex responses directly and support varied
                protocols like OAuth2, OIDC, or IndieAuth without
                out-of-band agreements.


                        Blink component

                Blink>Identity>FedCM
                
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>



                        Web Feature ID

                fedcm <https://webstatus.dev/features/fedcm>


                        TAG review

                https://github.com/w3ctag/design-reviews/issues/1147


                        TAG review status

                Issues open


                        Risks


                        Interoperability and Compatibility

                None



                /Gecko/: No signal comments from Ben Vandersloot in
                
https://github.com/w3c-fedid/meetings/blob/main/2025/2025-07-29-FedCM-notes.md#status-of-cr-blockers,
                No strong opinions

                /WebKit/: No signal

                /Web developers/: Positive

                /Other signals/: This was requested by Identity
                providers.


                        Ergonomics

                n/a


                        Activation

                n/a


                        Security

                n/a


                        WebView application risks

                /Does this intent deprecate or change behavior of
                existing APIs, such that it has potentially high risk
                for Android WebView-based applications?/

                n/a, FedCM not supported in WebView


                        Debuggability

                Same as other FedCM features. The network view in
                devtools would be especially helpful for debugging
                this feature.


                        Will this feature be supported on all six
                        Blink platforms (Windows, Mac, Linux,
                        ChromeOS, Android, and Android WebView)?

                No

                FedCM in general is not supported on webview.
                Supported on all other blink platforms.


                        Is this feature fully tested by
                        web-platform-tests
                        
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

                Yes

                
https://wpt.fyi/results/fedcm/fedcm-flexible-token?label=experimental&label=master
                


                        Flag name on about://flags

                None


                        Finch feature name

                FedCmNonStringToken


                        Rollout plan

                Will ship enabled for all users


                        Requires code in //chrome?

                False


                        Tracking bug

                https://issues.chromium.org/346567168


                        Estimated milestones

                Shipping on desktop

                        

                143

                Shipping on Android

                        

                143


                        Anticipated spec changes

                /Open questions about a feature may be a source of
                future web compat or interop issues. Please list open
                issues (e.g. links to known github issues in the
                project for the feature specification) whose
                resolution may introduce web compat/interop risk
                (e.g., changing to naming or structure of the API in a
                non-backward-compatible way)./

                none


                        Link to entry on the Chrome Platform Status

                
https://chromestatus.com/feature/5153509557272576?gate=5128781719273472


                This intent message was generated by Chrome Platform
                Status <https://chromestatus.com/>.

-- You received this message because you are subscribed
                to the Google Groups "blink-dev" group.
                To unsubscribe from this group and stop receiving
                emails from it, send an email to
                [email protected].
                To view this discussion visit
                
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68bbafb9.050a0220.257801.01b2.GAE%40google.com
                
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68bbafb9.050a0220.257801.01b2.GAE%40google.com?utm_medium=email&utm_source=footer>.


--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/7aee7c7b-7159-4829-979c-14e4e93314af%40chromium.org.
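
The type check discussed in the thread above, sketched from the RP side as an added example; it is not code from the original messages, the explainer, or Chromium. It assumes an IdP whose tokens are always objects, optionally delivered as JSON-serialized strings; `normalizeFedCmToken`, `classifyToken` and the sample tokens are hypothetical names and constructed values.

```javascript
// RP-side normalization of a FedCM token that may arrive either as a
// structured object (new behavior) or as a JSON-serialized string (legacy).
// Assumption: this IdP never issues bare strings as tokens.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

function normalizeFedCmToken(token) {
  // New path: the IdP returned a structured object.
  if (isPlainObject(token)) {
    return { format: "object", claims: token };
  }
  // Legacy path: the string must itself decode to a JSON object.
  if (typeof token === "string") {
    let parsed;
    try {
      parsed = JSON.parse(token);
    } catch (e) {
      throw new TypeError("token string is not valid JSON");
    }
    // JSON.parse('"foo"') succeeds and yields a bare string, so a successful
    // parse is not a discriminator on its own; check the parsed type as well.
    if (!isPlainObject(parsed)) {
      throw new TypeError("token JSON is not an object");
    }
    return { format: "json-string", claims: parsed };
  }
  // Numbers, booleans, null, arrays: never a valid token under the assumption.
  throw new TypeError("unsupported token type");
}

// Returns the detected format, or "rejected" when the token fails the checks.
function classifyToken(token) {
  try {
    return normalizeFedCmToken(token).format;
  } catch (e) {
    return "rejected";
  }
}

// Constructed sample tokens, not real IdP output.
const samples = [{ id_token: "abc" }, '{"id_token":"abc"}', '"foo"', "foo", null, [1]];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", classifyToken(s));
}
```

Both accepted paths end in the same `claims` object, so the rest of the RP's validation (signature, audience, nonce) does not need to know which wire format the IdP used.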
