Intent to Ship: FedCM—Support Structured JSON Responses from IdPs


Chromestatus

Sep 5, 2025, 11:51:39 PM
to blin...@chromium.org, sures...@microsoft.com

Contact emails

sures...@microsoft.com

Explainer

https://github.com/w3c-fedid/idp-registration/issues/13#issuecomment-3254858070

Specification

https://github.com/w3c-fedid/FedCM/pull/771

Summary

Allows Identity Providers (IdPs) to return structured JSON objects instead of plain strings to Relying Parties (RPs) via the id_assertion_endpoint. This change simplifies integration for developers by eliminating the need to manually serialize and parse JSON strings. It enables more dynamic and flexible authentication flows, allowing RPs to interpret complex responses directly and support varied protocols like OAuth2, OIDC, or IndieAuth without out-of-band agreements.



Blink component

Blink>Identity>FedCM

Web Feature ID

fedcm

TAG review

https://github.com/w3ctag/design-reviews/issues/1147

TAG review status

Issues open

Risks



Interoperability and Compatibility

None



Gecko: No signal. No strong opinions, per comments from Ben Vandersloot in https://github.com/w3c-fedid/meetings/blob/main/2025/2025-07-29-FedCM-notes.md#status-of-cr-blockers

WebKit: No signal

Web developers: Positive

Other signals: This was requested by Identity providers.

Ergonomics

n/a



Activation

n/a



Security

n/a



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

n/a, FedCM not supported in WebView



Debuggability

Same as other FedCM features. The network view in devtools would be especially helpful for debugging this feature.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

FedCM in general is not supported on WebView. Supported on all other Blink platforms.



Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/fedcm/fedcm-flexible-token?label=experimental&label=master



Flag name on about://flags

None

Finch feature name

FedCmNonStringToken

Rollout plan

Will ship enabled for all users

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/346567168

Estimated milestones

Shipping on desktop 143
Shipping on Android 143


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known GitHub issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing the naming or structure of the API in a non-backward-compatible way).

none

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5153509557272576?gate=5128781719273472

This intent message was generated by Chrome Platform Status.
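The change described in the Summary, seen from the RP side, as an added example that is not part of the original post or of the FedCM specification. It normalizes the `token` member of an id_assertion_endpoint response whether it arrives as a legacy JSON-serialized string or as a structured object, and validates its shape before use. The function names and the fields inside the token (`protocol`, `access_token`) are hypothetical and stand in for whatever the IdP and RP agree on.

```javascript
// Added example: RP-side handling of a FedCM token that may be either a
// JSON-serialized string (legacy) or a structured object (this feature).
// "protocol" and "access_token" are constructed field names, not FedCM's.

const ALLOWED_PROTOCOLS = new Set(["oauth2", "oidc", "indieauth"]);

function normalizeFedCmToken(token) {
  let value = token;
  if (typeof value === "string") {
    // Legacy shape: the IdP serialized JSON into the string token.
    try {
      value = JSON.parse(value);
    } catch {
      throw new TypeError("token string is not valid JSON");
    }
  }
  // Structured shape: require a plain object, not null, array or primitive.
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new TypeError("token must be a JSON object");
  }
  const protocol = value.protocol;
  if (typeof protocol !== "string" || !ALLOWED_PROTOCOLS.has(protocol)) {
    throw new TypeError("unsupported or missing protocol");
  }
  if (typeof value.access_token !== "string" || value.access_token.length === 0) {
    throw new TypeError("access_token must be a non-empty string");
  }
  // Copy only validated fields so unexpected keys never reach app code.
  return { protocol, accessToken: value.access_token };
}

// Constructed id_assertion_endpoint response bodies (sample data).
const legacyBody =
  '{"token":"{\\"protocol\\":\\"oidc\\",\\"access_token\\":\\"abc\\"}"}';
const structuredBody = '{"token":{"protocol":"oidc","access_token":"abc"}}';

function tokenFromResponseBody(body) {
  return normalizeFedCmToken(JSON.parse(body).token);
}
```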

Yoav Weiss (@Shopify)

Sep 9, 2025, 8:33:34 AM
to Chromestatus, blin...@chromium.org, sures...@microsoft.com
LGTM1

This seems like a small yet useful addition.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68bbafb9.050a0220.257801.01b2.GAE%40google.com.

Alex Russell

Sep 10, 2025, 11:13:46 AM
to blink-dev, Yoav Weiss, blin...@chromium.org, sures...@microsoft.com, Chromestatus
I like the change, but the linked "explainer" doesn't cover the ground we expect to see. Can you please draft a separate document for this feature and address questions raised in the GH thread in that doc?

Thanks,

Alex


suresh potti

Sep 22, 2025, 2:03:08 PM
to blink-dev, Alex Russell, Yoav Weiss, blin...@chromium.org, sures...@microsoft.com, Chromestatus
Explainer updated: FedCM/explorations/structured_data_support.md at main · w3c-fedid/FedCM


suresh potti

Sep 22, 2025, 2:03:15 PM
to blink-dev, Alex Russell, Yoav Weiss, blin...@chromium.org, sures...@microsoft.com, Chromestatus
Explainer updated and answered queries: FedCM/explorations/structured_data_support.md at main · w3c-fedid/FedCM


Alex Russell

Sep 22, 2025, 2:40:02 PM
to blink-dev, suresh potti, Alex Russell, Yoav Weiss, blin...@chromium.org, Chromestatus
Thanks for breaking this out.

Generally, explainers are meant to foreground the code that users of APIs will encounter, and explain how changes in API surface solve the problems we are trying to handle. This explainer has WebIDL instead, which isn't how we normally do things. I also don't see any considered alternative designs.

Let's dot our "i"s and cross our "t"s here.


suresh potti

Sep 23, 2025, 8:36:39 AM
to blink-dev, Alex Russell, suresh potti, Yoav Weiss, blin...@chromium.org, Chromestatus
Since alternative designs are addressed in the ‘Rejected Alternatives Summary’ section and API usage is covered in the ‘Examples’ section, is the intent to remove the ‘Proposed Solution / Changes’ section entirely to make it more dev focussed?


Nicolás Peña Moreno

Sep 23, 2025, 10:10:59 AM
to blink-dev, suresh potti, sligh...@chromium.org, suresh potti, Yoav Weiss, blin...@chromium.org, Chromestatus
IDL is not required in explainers, but surely it is not banned from explainers? Also, the entire "Design Decisions and Alternatives Considered" section discusses the alternatives. In my opinion, the explainer Suresh wrote is more than enough for this fairly small addition.

Alex Russell

Sep 24, 2025, 11:04:28 AM
to blink-dev, n...@google.com, suresh potti, Alex Russell, suresh potti, Yoav Weiss, blin...@chromium.org, Chromestatus
IDL is strongly discouraged in Explainers. It belongs in a spec document unless it's the only way to show the API surface.

On the considered alternatives, I don't see any example code for them. Why not?

Best,

Alex
