Hi Will,
At 05:03 PM 06-04-2026, Will Bartlett wrote:
The W3C Federated Identity CG/WG is working on
FedCM (Federated Credential Management), a
browser API for federated authentication. The
spec currently requires Identity Providers to
host a .well-known/web-identity file at the
registrable domain (apex). This requirement is
privacy driven - in order to ensure Identity
Providers are unaware of Relying Parties until
user consent is granted, Identity Providers must
not be permitted to use per-Relying Party
configuration files. In other words, each
registrable domain must have a single
configuration file. Hosting a file at the apex
is operationally problematic when the apex is
operated by a different service than the
authentication service, a common setup where
login.example.com CNAMEs to a white-label auth
provider while the apex serves a marketing site, storefront, etc.
We're considering using DNS to let IDPs indicate
where the well-known data lives. We have four
candidate approaches and would appreciate
guidance on which is most appropriate, or if another pattern is appropriate:
I took a quick look at the web API. It uses
"well-known locations" (RFC 8615). I suggest starting from that RFC.
Regards,
S. Moonesamy
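To make the apex requirement in Will's message concrete, here is an added example (not code from the thread or from the FedCM spec) that computes where a browser would look for the well-known file given an IdP config URL, and checks that a well-known document only vouches for config files on its own registrable domain. The `provider_urls` key and the small public-suffix table are assumptions; a real check needs the full Public Suffix List.

```python
# Added example, not from the thread: FedCM .well-known/web-identity location
# and a same-registrable-domain check on what the well-known document lists.
from urllib.parse import urlparse

# Constructed subset of the Public Suffix List; real code loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the apex (eTLD+1) of host, e.g. login.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host downwards so the longest public suffix wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {host}")


def well_known_url(config_url):
    """The single per-registrable-domain well-known file the draft requires."""
    host = urlparse(config_url).hostname
    return f"https://{registrable_domain(host)}/.well-known/web-identity"


def check_well_known(well_known_location, doc):
    """Report config URLs in the well-known document (assumed 'provider_urls'
    key) that are not https or that sit outside the file's own apex, i.e.
    entries that would let a third party act as the IdP's config."""
    apex = registrable_domain(urlparse(well_known_location).hostname)
    problems = []
    for url in doc.get("provider_urls", []):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{url}: not https")
        elif registrable_domain(parsed.hostname) != apex:
            problems.append(f"{url}: outside {apex}")
    return problems


if __name__ == "__main__":
    # Constructed input: auth lives on a CNAME'd subdomain, apex is the storefront.
    cfg = "https://login.example.com/fedcm.json"
    print(well_known_url(cfg))  # https://example.com/.well-known/web-identity
    doc = {"provider_urls": [cfg, "https://auth.whitelabel.net/fedcm.json"]}
    for problem in check_well_known(well_known_url(cfg), doc):
        print("problem:", problem)
```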
_______________________________________________
DNSOP mailing list -- [email protected]