LGTM3

I think the API is fine as-is. Rick made a good point as well that the spec as defined allows backward compatibility during site upgrades.

On Wed, Oct 1, 2025 at 8:08 AM Mike Taylor <[email protected]> wrote:

> LGTM2
>
> On 9/29/25 11:55 a.m., Rick Byers wrote:
>
> On Mon, Sep 29, 2025 at 2:15 PM Alex Russell <[email protected]> wrote:
>
>> Thanks so much for making this easier to understand. Helps a lot, and as
>> a result, I now understand that the design has a problem:
>>
>> JSON allows a single string value as a valid payload;
>> e.g. JSON.parse(`"foo"`). This seems to be a problem for the design, which
>> relies on authors sending objects instead of strings as a reliable
>> discriminator. How can you validate that this isn't going to create issues
>> in the wild?
>
> The explainer suggests conditioning RP behavior on the type, I think this
> works right? the IDP has to continue to know that tokens are always objects
> (just optionally encoded as JSON serialized strings), never just bare
> strings. But that's not a new requirement.
>
> Now of course there's the RP/IDP compatibility problem that comes from any
> new RP-exposed FedCM feature an IDP can opt-into and I assume that would
> be on IDPs to manage like they manage any other change in their protocol
> with their RPs. Eg. Google Sign-in would presumably update their SDK to
> support both token formats but wait for some period before actually sending
> the new token formats to all RPs (probably trialing only with RPs they know
> have updated). Whether it actually is worth the effort for any IDP to
> migrate is unclear to me. But if an IDP new to FedCM wanted this then I
> don't see a problem, right?
>
>> Best,
>>
>> Alex
>>
>> On Friday, September 26, 2025 at 1:41:51 PM UTC-7 Suresh Potti wrote:
>>
>>> Updated the explainer. Pls review.
>>>
>>> Thanks,
>>>
>>> Suresh
>>>
>>> *From:* Alex Russell <[email protected]>
>>> *Sent:* Wednesday, September 10, 2025 8:44 PM
>>> *To:* blink-dev <[email protected]>
>>> *Cc:* Yoav Weiss <[email protected]>; [email protected] <[email protected]>; Suresh Potti <[email protected]>; Chromestatus <[email protected]>
>>> *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: FedCM—Support Structured JSON Responses from IdPs
>>>
>>> I like the change, but the linked "explainer" doesn't cover the ground
>>> we expect to see. Can you please draft a separate document for this feature
>>> and address questions raised in the GH thread in that doc?
>>>
>>> Thanks,
>>>
>>> Alex
>>>
>>> On Tuesday, September 9, 2025 at 5:33:34 AM UTC-7 Yoav Weiss wrote:
>>>
>>> LGTM1
>>>
>>> This seems like a small yet useful addition.
>>>
>>> On Sat, Sep 6, 2025 at 5:51 AM Chromestatus <[email protected]> wrote:
>>>
>>> Contact emails
>>>
>>> [email protected]
>>>
>>> Explainer
>>>
>>> https://github.com/w3c-fedid/idp-registration/issues/13#issuecomment-3254858070
>>>
>>> Specification
>>>
>>> https://github.com/w3c-fedid/FedCM/pull/771
>>>
>>> Summary
>>>
>>> Allows Identity Providers (IdPs) to return structured JSON objects
>>> instead of plain strings to Relying Parties (RPs) via the
>>> id_assertion_endpoint. This change simplifies integration for developers by
>>> eliminating the need to manually serialize and parse JSON strings. It
>>> enables more dynamic and flexible authentication flows, allowing RPs to
>>> interpret complex responses directly and support varied protocols like
>>> OAuth2, OIDC, or IndieAuth without out-of-band agreements.
>>>
>>> Blink component
>>>
>>> Blink>Identity>FedCM <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>
>>>
>>> Web Feature ID
>>>
>>> fedcm <https://webstatus.dev/features/fedcm>
>>>
>>> TAG review
>>>
>>> https://github.com/w3ctag/design-reviews/issues/1147
>>>
>>> TAG review status
>>>
>>> Issues open
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> None
>>>
>>> *Gecko*: No signal comments from Ben Vandersloot in
>>> https://github.com/w3c-fedid/meetings/blob/main/2025/2025-07-29-FedCM-notes.md#status-of-cr-blockers,
>>> No strong opinions
>>>
>>> *WebKit*: No signal
>>>
>>> *Web developers*: Positive
>>>
>>> *Other signals*: This was requested by Identity providers.
>>>
>>> Ergonomics
>>>
>>> n/a
>>>
>>> Activation
>>>
>>> n/a
>>>
>>> Security
>>>
>>> n/a
>>>
>>> WebView application risks
>>>
>>> *Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?*
>>>
>>> n/a, FedCM not supported in WebView
>>>
>>> Debuggability
>>>
>>> Same as other FedCM features. The network view in devtools would be
>>> especially helpful for debugging this feature.
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, ChromeOS, Android, and Android WebView)?
>>>
>>> No
>>>
>>> FedCM in general is not supported on webview. Supported on all other
>>> blink platforms.
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>
>>> Yes
>>>
>>> https://wpt.fyi/results/fedcm/fedcm-flexible-token?label=experimental&label=master
>>>
>>> Flag name on about://flags
>>>
>>> None
>>>
>>> Finch feature name
>>>
>>> FedCmNonStringToken
>>>
>>> Rollout plan
>>>
>>> Will ship enabled for all users
>>>
>>> Requires code in //chrome?
>>>
>>> False
>>>
>>> Tracking bug
>>>
>>> https://issues.chromium.org/346567168
>>>
>>> Estimated milestones
>>>
>>> Shipping on desktop
>>>
>>> 143
>>>
>>> Shipping on Android
>>>
>>> 143
>>>
>>> Anticipated spec changes
>>>
>>> *Open questions about a feature may be a source of future web compat or
>>> interop issues. Please list open issues (e.g. links to known github issues
>>> in the project for the feature specification) whose resolution may
>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>> the API in a non-backward-compatible way).*
>>>
>>> none
>>>
>>> Link to entry on the Chrome Platform Status
>>>
>>> https://chromestatus.com/feature/5153509557272576?gate=5128781719273472
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
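
The type check discussed in this thread, as an added example that is not part of the original messages, the FedCM specification, or Chrome: an RP-side helper that accepts a token as either a structured object or a JSON-serialized string, and rejects bare JSON values such as `"foo"`. The names `normalizeIdpToken` and `classify` are hypothetical, and the rule that tokens are always objects is an assumption about the IdP's contract taken from the discussion above.

```javascript
// Added example: hypothetical RP-side helper, not FedCM spec or Chrome code.
// Assumption: this IdP's tokens are always JSON objects, delivered either as a
// structured object (new format) or as a JSON-serialized string (old format).
function normalizeIdpToken(token) {
  let value = token;
  let format = "object";

  if (typeof token === "string") {
    format = "serialized-string";
    try {
      value = JSON.parse(token);
    } catch (err) {
      throw new TypeError("token string is not valid JSON");
    }
  }

  // JSON.parse('"foo"'), JSON.parse("42"), JSON.parse("null") and
  // JSON.parse("[1]") all succeed, so the resulting type is checked as well.
  const isObject =
    value !== null && typeof value === "object" && !Array.isArray(value);
  if (!isObject) {
    throw new TypeError("token must be a JSON object, not a bare value");
  }
  return { format, claims: value };
}

// Returns the detected format, or "rejected" when the token fails the checks.
function classify(token) {
  try {
    return normalizeIdpToken(token).format;
  } catch (err) {
    return "rejected";
  }
}

// Constructed sample tokens (not real IdP output).
const samples = [
  { id_token: "constructed.value", state: "abc" }, // structured object
  '{"id_token":"constructed.value"}',              // serialized object
  '"foo"',                                         // valid JSON, bare string
  "foo",                                           // not JSON at all
  "[1, 2]",                                        // valid JSON, array
  null,                                            // missing token
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", classify(s));
}
```

Downstream code reads only `claims`, so the same RP build works before and after the IdP switches token formats.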
