On Wed, Oct 22, 2025 at 11:28 AM Rick Byers <[email protected]> wrote:
> On Mon, Oct 20, 2025 at 2:19 PM 'Nicolás Peña Moreno' via blink-dev < > [email protected]> wrote: > >> Responding for Suresh since he's OOO this week. We have UKM metrics that >> tell us which IDPs would break today due to this change. We plan to >> document this change through our public devrel outreach and also reach out >> to IDPs that we detected through our metrics. While the number of sites >> that would break today due to this is relatively high, the number of IDPs >> is fairly small, so we are confident we can deploy once we know it would >> cause no breakage. >> > > Except we've now had at least one web compat incident due to a major RP > who doesn't depend on an IDP-served SDK, right? > This change does not depend on an SDK, it is purely server-side (requires certain fields in the well-known file) > > On Friday, October 17, 2025 at 1:04:59 PM UTC-4 [email protected] >> wrote: >> >>> >>> On 10/17/25 10:41 a.m., suresh potti wrote: >>> >>> Contact emails >>> >>> [email protected] Specification >>> >>> https://github.com/w3c-fedid/FedCM/pull/760 Summary To address >>> cross-site identity correlation risks in the FedCM API, Identity Providers >>> (IdPs) that utilize client_metadata within their FedCM configuration >>> are required to implement the direct endpoints format in the >>> .well-known/web-identity file. This mandate ensures that both >>> accounts_endpoint and login_url are explicitly defined whenever a >>> client_metadata_endpoint is present. This approach strengthens privacy >>> protections by preventing relying parties from exploiting metadata to >>> correlate user identities across multiple sites. For further details and >>> discussion, refer to https://github.com/w3c-fedid/FedCM/issues/700. >>> >>> Migration Plan Chrome will enforce this rule in two phases: >>> >>> Chrome 143 (Warning Phase): If client_metadata_endpoint exists but >>> accounts_endpoint or login_url is missing, the browser will display >>> console warnings. This gives IdPs time to update configurations. >>> >>> Chrome 145 (Enforcement Phase): The requirement becomes mandatory. >>> FedCM configurations missing these endpoints will be blocked, preventing >>> authentication flows. >>> >>> Does this apply to both passive mode and active mode? "Preventing > authentication flows" for passive mode seems like a completely trivial > severity > of breakage > <https://docs.google.com/document/d/1RC-pBBvsazYfCNNUSkPqAVpSpNJ96U8trhNkfV0v9fk/edit?tab=t.0#heading=h.u5ya6jvru7dl> > since > it just means an optional extra UI doesn't show up. But any breakage for > active mode (where a user has just clicked on a "sign-in") button seems > very serious. So if the latter, I think we'd want to see UseCounter data > proving that the usage has been migrated before approving a breaking change. > It does apply to both, yeah. > Blink component >>> >>> Blink>Identity>FedCM >>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22> >>> >>> Web Feature ID >>> >>> fedcm <https://webstatus.dev/features/fedcm> >>> >>> TAG review >>> >>> None >>> >>> Risks >>> >>> Interoperability and Compatibility >>> >>> IdPs failing to update .well-known/web-identity for FedCM client >>> metadata risk breaking authentication flows. Chrome 143 issues warnings, >>> but starting Chrome 145, missing accounts_endpoint or login_url will block >>> configurations entirely. Immediate migration is critical to maintain >>> compatibility and avoid service disruptions for relying parties and >>> end-users. >>> >>> Similar to the previous email, can you say something about expected >>> impact/usage here? And how confident are we that IdPs are going to be >>> paying attention to console warnings? >>> >>> Gecko: No signal (Firefox does not wish to support the client metadata >>> endpoint of the FedCM API so this would not be a change applicable to them) >>> WebKit: No signal Web developers: No signals Other signals: >>> >>> WebView application risks >>> >>> FedCM does not work in WebView. >>> >>> Ongoing technical constraints >>> >>> None >>> >>> Debuggability >>> >>> Same as other FedCM features. The network view in devtools would be >>> especially helpful for debugging this feature. >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, ChromeOS, Android, and Android WebView)? >>> >>> No, FedCM in general is not supported on webview. Supported on all other >>> blink platforms. >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ? >>> >>> Yes >>> https://wpt.fyi/results/fedcm/fedcm-well-known-validation?label=experimental&label=master >>> >>> Flag name on about://flags >>> >>> fedcm-well-known-endpoint-validation >>> >>> Finch feature name >>> >>> FedCmWellKnownEndpointValidation >>> >>> Requires code in //chrome? >>> >>> False >>> >>> Estimated milestones >>> >>> Shipping on desktop >>> >>> 145 >>> >>> Shipping on Android >>> >>> 145 >>> >>> Link to entry on the Chrome Platform Status >>> >>> https://chromestatus.com/feature/4614417052467200 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bb953b88-ddd6-4d4d-9d7a-f1384dae2511n%40chromium.org >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bb953b88-ddd6-4d4d-9d7a-f1384dae2511n%40chromium.org?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/27918dd1-04ae-4e90-9daf-22fb8f27b6f4n%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/27918dd1-04ae-4e90-9daf-22fb8f27b6f4n%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XHhzabD%2BaWjaSSBc4jsWCtJFKWQVkd9P1AxWmJZRdZ00w%40mail.gmail.com.
