Intent to Prototype: FedCM-Allow IDP interception of FedCM Request via Service Worker
123 views
Skip to first unread message
Chromestatus
Apr 2, 2026, 1:57:37 PM (14 days ago) Apr 2
to blin...@chromium.org, sures...@microsoft.com
Contact emails
sures...@microsoft.comExplainer
https://github.com/w3c-fedid/FedCM/pull/815Specification
No information provided
Summary
Implement the FedCM Identity Handler, which allows Identity Providers (IDPs) to declare a Service Worker in their config.json that intercepts credentialed FedCM requests (accounts, id_assertion, disconnect).
Currently, FedCM fetches to IDP endpoints (accounts, token, disconnect) are made directly by the browser with no opportunity for the IDP to augment the request. This prevents IDPs from:
- Adding DPoP (Demonstration of Proof-of-Possession) proof headers
- Performing client-side token enrichment or transformation
- Implementing custom caching strategies for account responses
- Adding attestation or other security headers to credentialed requests
The Identity Handler allows IDPs to register a Service Worker that receives an `identityrequest` event for each FedCM endpoint call, enabling request augmentation before it reaches the IDP server. On failure, the browser transparently falls back to normal network fetch.
Issue : https://github.com/w3c-fedid/FedCM/issues/80
Blink component
Blink>Identity>FedCMWeb Feature ID
fedcm
Motivation
https://github.com/w3c-fedid/FedCM/issues/80
Initial public proposal
No information providedGoals for experimentation
NoneRequires code in //chrome?
FalseEstimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5096917819326464?gate=6247307227037696
This intent message was generated by
Chrome Platform Status.
Chromestatus
Apr 2, 2026, 1:59:50 PM (14 days ago) Apr 2
to blin...@chromium.org, sures...@microsoft.com
Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69ceae01.050a0220.1c79a0.01ae.GAE%40google.com
Chris Thompson
Apr 13, 2026, 12:53:49 PM (3 days ago) Apr 13
to blink-dev, Chromestatus, sures...@microsoft.com
From a web platform security perspective, this seems reasonable but a couple of questions as you begin working on implementation:
- Is the FedCM SW only used for FedCM and not regular visits/requests to the IdP origin?
- Is the FedCM SW only used for FedCM-initiated requests, not all browser-initiated requests to the IdP origin?
If we could ensure those two points, that would help simplify how to reason about these SWs (and might mitigate some potential "cross-protocol" type vulnerabilities).
Cheers,
- Chris
suresh potti
Apr 15, 2026, 8:02:00 PM (16 hours ago) Apr 15
to blink-dev, Chris Thompson, Chromestatus, sures...@microsoft.com
Yes to both.
FedCM-only: The identity handler SW is only dispatched for FedCM credentialed endpoint requests (accounts, id_assertion, disconnect). Regular visits/requests to the IDP origin are unaffected — the SW is registered with a FedCM-specific association, so it doesn't intercept normal navigations or fetches. FedCM-initiated only: The SW only receives IdentityRequestEvents dispatched by the browser's FedCM flow. It does not intercept arbitrary browser-initiated requests (e.g., cookie-credentialed fetches, navigations) to the IDP origin.
FedCM-only: The identity handler SW is only dispatched for FedCM credentialed endpoint requests (accounts, id_assertion, disconnect). Regular visits/requests to the IDP origin are unaffected — the SW is registered with a FedCM-specific association, so it doesn't intercept normal navigations or fetches. FedCM-initiated only: The SW only receives IdentityRequestEvents dispatched by the browser's FedCM flow. It does not intercept arbitrary browser-initiated requests (e.g., cookie-credentialed fetches, navigations) to the IDP origin.
Reply all
Reply to author
Forward
0 new messages