eko...@google.com, joha...@chromium.org, go...@chromium.org
https://github.com/fedidcg/LightweightFedCM
None
This feature allows Identity Providers (IdPs) to store information about a user's account in the browser ahead of time via the Login Status API, and allows Relying Parties (RPs) to request access to this information via a browser-mediated prompt similar to the current FedCM flow. Because the account information is stored ahead of time, the browser no longer needs to call the IdP's accounts endpoint before it can display the browser-mediated dialog, which improves both performance and privacy. Lightweight Mode for FedCM also requires a less complex integration on the Identity Provider side. Currently these benefits come at the cost of reduced freshness for the account hint information presented to the user; future work may address this limitation if there is sufficient developer interest.
Lightweight Mode for FedCM provides an alternative mode for FedCM that addresses two concerns with the FedCM specification. The first concerns the ergonomics of implementing the full FedCM specification as an Identity Provider. Lightweight Mode for FedCM, when coupled with the “FedCM as a trust signal for the Storage Access API” proposal, will provide a simple way to retrofit existing third-party-cookie-dependent Identity Provider implementations so that they can make use of the improved FedCM user experience and give users more context for making informed decisions.
The second concerns the “pull” rather than “push” nature of FedCM when the user agent displays an account chooser to the user. Standard FedCM issues a credentialed request to the IdP's “accounts” endpoint to obtain the information about available accounts that it shows the user. Lightweight Mode for FedCM instead allows the Identity Provider to preemptively store that user information, which the user agent can then display in the account chooser without issuing any request to the IdP before the user has selected an account. This prevents the IdP and RP from colluding to link or identify users without their knowledge via timing attacks on that request.
None
https://github.com/w3ctag/design-reviews/issues/986
Pending
The introduction of this feature will not change the behavior of any existing use of the Credential Management or Login Status APIs.
There are still open questions about both UX and functionality described in the explainer that may cause temporary divergence between browser engines.
Gecko: No signal. (Implemented behind a flag.)
WebKit: No signal.
We will request standards positions once the proposal has settled a bit more.
Web developers: No signals.
Other signals:
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
None
No. Mozilla has contributed partial, tentative tests, though these do not yet reflect the current state of the explainer.
"fedcm-lightweight-credentials"
"FedCmLightweightCredentials"
None
True
No milestones specified
https://chromestatus.com/feature/5136302690009088?gate=5098619653586944
This intent message was generated by Chrome Platform Status.