Intent to ship: The Login Status API and its use in FedCM


Christian Biesinger

Oct 12, 2023, 3:05:29 PM
to blink-dev

Contact emails

cbies...@chromium.org


Explainer

https://github.com/fedidcg/FedCM/blob/main/proposals/idp-sign-in-status-api.md


Specification

https://github.com/fedidcg/FedCM/pull/436


Summary

The Login Status API (formerly IdP Sign-in Status API) allows identity providers to signal to the browser when their users are logging in or out. Our goal is to open this up to other websites in the future.

This signal, in this intent, is used by FedCM to address a silent timing attack, and in doing so, allows FedCM to operate without third party cookies altogether. This update would address the last remaining backwards incompatible changes we had previously identified in the original I2S of FedCM as part of our scope of work.  

In the future, we expect that the Login Status API may also be used outside of FedCM (e.g. the Storage Access API) and may be useful for websites that are not identity providers (e.g. extending browser storage).


Blink component

Blink>Identity>FedCM


Search tags

fedcm, login


TAG review

https://github.com/w3ctag/design-reviews/issues/884


TAG review status

Pending


Chromium Trial Name

FedCmIdpSigninStatus


Link to origin trial feedback summary

https://github.com/fedidcg/FedCM/issues/


Origin Trial documentation link

https://github.com/fedidcg/FedCM/blob/main/proposals/idp-sign-in-status-api.md
https://developer.chrome.com/blog/fedcm-chrome-116-updates/#idp-signin-status


Risks

Interoperability and Compatibility

For interop:

This I2S is composed of two different (but interdependent) APIs: The Login Status API and FedCM.

With regards to the Login Status API, both Firefox and Safari are on board with the general API (breakout notes, follow up notes) . There is an overall agreement on starting from a self-declared status and also some general agreement on where the Login Status API may lead in the future, including having higher assurance levels and applications outside of FedCM.

With regards to its use in FedCM, Firefox is generally in agreement with the shape of the solution. Firefox is working on the implementation behind a flag. Safari isn’t shipping FedCM yet. 

For compat:

While this is a backwards incompatible change for FedCM, we are in active conversations with all IdPs that are currently using FedCM (as shown by our UKM metrics) and they are onboard with this change.

Gecko: Under consideration (https://github.com/fedidcg/FedCM/pull/436) We have been working with the Firefox team for the last year or so on this API (e.g. TPAC 2022). We generally agree on the shape of the solution and we are working with them to write the spec in a way that allows Chrome and Firefox to implement FedCM in an interoperable way. (Firefox has asked us (https://github.com/fedidcg/FedCM/issues/431#issuecomment-1425025469) to rely on PR comments instead of filing standards positions for these FedCM extensions)

WebKit:  Under consideration (https://github.com/WebKit/standards-positions/issues/250)
No signal. Safari has so far shown overall support for FedCM [1], but hasn't yet formed a position on this specific extension of FedCM [2]. We are generally in agreement on the API shape using the Login Status API [3], but we haven't yet gotten signals from them on how FedCM, specifically, is going to be using this signal.
[1] https://lists.webkit.org/pipermail/webkit-dev/2022-March/032162.html
[2] https://github.com/WebKit/standards-positions/issues/250
[3] https://github.com/privacycg/is-logged-in/issues/53

Web developers: Positive (https://developers.google.com/identity/gsi/web/guides/supported-browsers#third-party_cookies) We have been working with the FedID CG to develop this API and running experiments with the Google Identity Services team.

Other signals:

Ergonomics

This is an API that is designed to be used by identity providers, when their users log in to their websites. We exposed an HTTP header, since we heard from them that logins are often made through 302 redirects. We are also exposing a JS API for IdPs who find it easier to use JS than HTTP headers. We show an error message in devtools when a FedCM request fails because the user is not signed in.

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

n/a, FedCM not supported on Webview

Debuggability

We show errors in devtools to help with debugging.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No
FedCM in general is not supported on WebView, but we support this API on all other blink platforms.


Is this feature fully tested by web-platform-tests?
Yes
Testing on wpt.fyi is blocked on https://github.com/web-platform-tests/wpt/pull/40709 getting reviewed and merged. Otherwise, we are adding tests that will be in the credential-management/fedcm-login-status directory as shown on the WPT dashboard here: https://wpt.fyi/results/credential-management/fedcm-login-status?label=experimental&label=master&aligned 


DevTrial instructions

https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md#idp-sign-in-status-api


Flag name on chrome://flags

FedCmIdpSigninStatus


Finch feature name

FedCmIdpSigninStatus


Requires code in //chrome?

True


Tracking bug

https://crbug.com/1451396


Launch bug

https://launch.corp.google.com/launch/4280114


Estimated milestones

Shipping on desktop

120

OriginTrial desktop last

119

OriginTrial desktop first

116

DevTrial on desktop

115


Shipping on Android

120

OriginTrial Android last

119

OriginTrial Android first

117


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

n/a


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5177628008382464


Links to previous Intent discussions

Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XHJ-LMsCa-PMf1Ft51DCJK1dkzRrFZmRZuzL_Qe2WK2iA%40mail.gmail.com


This intent message was generated by Chrome Platform Status.
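The intent above says the signal is exposed both as an HTTP response header (because logins often complete through a 302 redirect) and as a JS API, and that FedCM fails a request when the browser knows the user is not signed in at the IdP. The following is an added illustration, not code from the intent, the FedCM spec or Chromium: a small JavaScript model of both halves, the IdP recording its state and the browser consulting it before the credentialed accounts fetch. The header and method names (Set-Login, navigator.login.setStatus) are the ones in the landed spec; LoginStatusStore, the origins and the treatment of a not-yet-known status are assumptions made for this example.

```javascript
// Added example, not code from the intent, the FedCM spec or Chromium. It
// models the two halves of the Login Status API the intent describes: the IdP
// records a login/logout state in the browser, and FedCM consults that state
// before making its credentialed accounts request. Header and method names
// (Set-Login, navigator.login.setStatus) are those of the landed spec;
// LoginStatusStore, the origins and the handling of a not-yet-known status are
// assumptions made for this example.

const LOGGED_IN = 'logged-in';
const LOGGED_OUT = 'logged-out';
const UNKNOWN = 'unknown';

// ---- IdP side ------------------------------------------------------------
// Logins are often completed with a 302 redirect, which is why the intent
// exposes an HTTP header. These are the headers an IdP would put on that
// redirect (action and location are constructed inputs).
function idpRedirectHeaders(action, location) {
  const status = action === 'signin' ? LOGGED_IN
               : action === 'signout' ? LOGGED_OUT
               : undefined;
  if (status === undefined) throw new Error(`unknown action: ${action}`);
  return { Location: location, 'Set-Login': status };
}
// Script alternative for IdPs that prefer JS, run in the IdP's own page:
//   navigator.login.setStatus('logged-in');   // or 'logged-out'

// ---- Browser side --------------------------------------------------------
class LoginStatusStore {
  constructor() { this.byOrigin = new Map(); }

  // Apply a Set-Login header value received from idpOrigin. Values other than
  // logged-in / logged-out are ignored (returns false), so a malformed header
  // leaves the previous state in place instead of flipping it.
  recordHeader(idpOrigin, headerValue) {
    const v = String(headerValue ?? '').trim().toLowerCase();
    if (v !== LOGGED_IN && v !== LOGGED_OUT) return false;
    this.byOrigin.set(idpOrigin, v);
    return true;
  }

  // navigator.login.setStatus() ends in the same state change.
  setStatus(idpOrigin, status) { return this.recordHeader(idpOrigin, status); }

  get(idpOrigin) { return this.byOrigin.get(idpOrigin) ?? UNKNOWN; }
}

// FedCM gate. The reason the signal exists: when the browser already knows the
// user is logged out of the IdP it fails the request locally and never sends
// the credentialed accounts fetch whose outcome an RP could otherwise observe
// (the "silent timing attack" the intent refers to). A status the browser has
// not learned yet does not block the fetch; that is an assumption of this model.
function fedcmAccountsFetchAllowed(store, idpOrigin) {
  return store.get(idpOrigin) !== LOGGED_OUT;
}

// End-to-end walk-through; returns the sequence of decisions so it can be
// checked rather than only printed.
function walkthrough() {
  const idp = 'https://idp.example';          // constructed origin
  const store = new LoginStatusStore();
  const trace = [];

  // 1. Fresh profile: nothing recorded, so FedCM may try the accounts fetch.
  trace.push(['fresh', fedcmAccountsFetchAllowed(store, idp)]);

  // 2. User logs out at the IdP; the logout redirect carries Set-Login.
  const out = idpRedirectHeaders('signout', `${idp}/`);
  store.recordHeader(idp, out['Set-Login']);
  trace.push(['after-logout', fedcmAccountsFetchAllowed(store, idp)]);

  // 3. A bogus header value must not change the recorded state.
  store.recordHeader(idp, 'maybe');
  trace.push(['after-bogus', store.get(idp)]);

  // 4. User signs in again; the post-login redirect flips the state back.
  const back = idpRedirectHeaders('signin', `${idp}/home`);
  store.recordHeader(idp, back['Set-Login']);
  trace.push(['after-login', fedcmAccountsFetchAllowed(store, idp)]);

  return trace;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(walkthrough());
}
```

The walk-through is deliberately one IdP origin and one profile; the point it makes is only that after a recorded logout the browser answers the RP without a network round trip to the IdP, which is what removes the signal the intent calls a silent timing attack.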


Daniel Bratell

Oct 18, 2023, 12:12:02 PM
to Christian Biesinger, blink-dev

Hi, I just have a couple of questions without having read through the intent in detail.

You say "Our goal is to open this up to other websites in the future.", but what does that mean? Is there some kind of web site restriction today?

Not creating a https://github.com/mozilla/standards-positions/issues entry seems a bit wrong even if someone at Mozilla has said it is not needed. They have in the past specifically wanted us to explicitly use the standards-positions repo rather than relying on negative or positive statements elsewhere. Would it be best to post one just in case?

/Daniel

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XHZQ7dzGGrY%2BNznzTLA3ap1W8EbLJuMGVxV4sk4oFxvHQ%40mail.gmail.com.

Christian Biesinger

Oct 18, 2023, 12:54:01 PM
to Daniel Bratell, Benjamin VanderSloot, Martin Thomson, blink-dev
+Ben and Martin from Mozilla -- could you weigh in on whether we should create a Mozilla standards position request for this?

Daniel: there is no technical limitation that prevents a non-IDP from calling this API, apologies for the unclear phrasing. However, a non-IDP (or indeed an IDP that does not use FedCM) will get no benefit from calling this API.

Christian

Philip Jägenstedt

Oct 25, 2023, 12:04:14 PM
to Christian Biesinger, Daniel Bratell, Benjamin VanderSloot, Martin Thomson, blink-dev
Hi Christian,

Do you have a reviewer for https://github.com/web-platform-tests/wpt/pull/40709 so you can get it merged? Just like spec changes, tests are ideally merged and showing results on wpt.fyi before we ship, so that any issues are apparent and can be addressed.

Best regards,
Philip

Christian Biesinger

Oct 25, 2023, 12:11:54 PM
to Philip Jägenstedt, Daniel Bratell, Benjamin VanderSloot, Martin Thomson, blink-dev
It seems I may have a reviewer *now*, maybe. It's been very hard to get someone to review this and I don't know if I will be able to get a timely lgtm, so I am hoping that this I2S won't get blocked on this, since this is mostly outside my control. (I don't think past I2S were blocked on wpt tests when the problem was missing infrastructure support)

Christian

Nicolás Peña

Oct 25, 2023, 12:17:41 PM
to blink-dev
To add to what Christian mentioned, we do have WPT tests for this feature here and they have been running in Chromium CQ, so it is only WPT.fyi that is missing coverage. And we already know that Firefox and Apple have not yet implemented FedCM, so at the moment we would not gain any additional information from having the tests pass in WPT.fyi.


Rick Byers

Oct 25, 2023, 2:39:33 PM
to Nicolás Peña, blink-dev
FWIW since the PR has landed, the correct link to reference the spec is https://fedidcg.github.io/FedCM/#browser-api-login-status. Since WebKit has expressed some interest in using this API in other scenarios than just FedCM I imagine there may be a request at some point to move it out of the FedCM spec. But that seems like a bridge we can cross if/when we come to it. Thank you for putting the extra work in at TPAC to get consensus on unification with login status.

And +1 that the WPTs are in place and running where it currently matters, and it's just the wpt.fyi infra that we're waiting on review for. So I don't see any need to block on that.

LGTM1 to ship



Mike Taylor

Oct 25, 2023, 2:44:50 PM
to Rick Byers, Nicolás Peña, blink-dev

Yoav Weiss

Oct 26, 2023, 1:54:34 AM
to Mike Taylor, Rick Byers, Nicolás Peña, blink-dev