Intent to Ship: FedCM extensions: Error API and Auto-Selected Flag API
Yi Gu
Contact emails
Explainer
https://github.com/fedidcg/FedCM/issues/488
https://github.com/fedidcg/FedCM/issues/497
Specification
https://github.com/fedidcg/FedCM/pull/498
https://github.com/fedidcg/FedCM/pull/500
Design docs
https://docs.google.com/document/d/1DEjbFSAMmmT47_n8JBLmcleCNPz_WS5a24WDrglSQMo/edit?usp=sharing
Summary
Dedicated APIs to help developers and users to better understand the authentication flow. Both APIs are triggered post user permission to sign in to an RP with an IdP. i.e. after the user clicks the "Continue as" button.
- With Error API, if a user's sign-in attempt fails, the IdP can share the reasons with the browser to keep both users and RP developers updated.
- With AutoSelectedFlag API, both IdP and RP developers could have a better understanding about the sign-in UX, evaluate performance and segment metrics accordingly.
Blink component
Search tags
TAG review
https://github.com/w3ctag/design-reviews/issues/893
TAG review status
Issues addressed
Risks
Interoperability and Compatibility
These are extensions to the FedCM API. Apple and Mozilla have both expressed a positive opinion on the initial FedCM API[1] and Mozilla is currently prototyping the FedCM API. If a user agent chooses to not implement these extensions, it may hurt the quality of the UI that they can provide to users, but should not break the FedCM flow.
Gecko: Under consideration (https://github.com/fedidcg/FedCM/pull/498
https://github.com/fedidcg/FedCM/pull/500) Firefox has asked us not to file standard position, and they provided feedback in the GitHub PR.
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/249)
Web developers: Positive These features are being developed to address existing use-cases which will not be possible once third-party cookies are phased out.
Other signals:
Security
For the Error API, the browser may open a pop-up window with a URL provided by the IdP when an error happens. It has the same web platform properties as what one would get with window.open(url,””,”popup,noopener,noreferrer”)) that loads the error.url. There's no communication between the website and this pop-up is allowed (e.g. no postMessage, no window.opener). We have also considered the potential phishing risk and had the mitigations in place (see the explainer for more details).
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
FedCM is not supported in WebView
Debuggability
The two new APIs are extensions of the FedCM API which has proper devtools support.
For the Error API, the browser takes an error returned by the IdP (if any) and rejects the promise with an error exception. For RP developers, the only thing that they need to take care of is handling the exception which may not need DevTools support. For IdP developers, the only potentially useful information that we could add to the console is when the error URL is cross-site to the IdP in which case we won't use the error URL in the flow.
For AutoSelectedFlag API, it just introduces a new boolean for both IdP and RP developers to parse. We believe that in this case we don't need to provide extra information in DevTools.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
FedCM is available in all Blink platforms except for WebView.
Is this feature fully tested by web-platform-tests?
Yes.
Testing on wpt.fyi is blocked on https://github.com/web-platform-tests/wpt/pull/40709 getting reviewed and merged. Otherwise, we are adding tests that will be in the credential-management directory as shown on the WPT dashboard here: https://wpt.fyi/results/credential-management?label=experimental&label=master&aligned
DevTrial instructions
https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md
Flag name on chrome://flags
chrome://flags/#fedcm-error
chrome://flags/#fedcm-auto-selected-flag
Finch feature name
FedCmError
FedCmAutoSelectedFlag
Requires code in //chrome?
True
Tracking bug
Launch bug
https://launch.corp.google.com/launch/4273845
Sample links
https://drive.google.com/file/d/1Z8r4OkQMmKulGv-vf-XTfwqh6VUyGZF9/view?usp=sharing
Estimated milestones
Anticipated spec changes
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5384360374566912
Links to previous Intent discussions
Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/YfaGM8v-Ocs/m/4E0RHMhJAwAJ
This intent message was generated by Chrome Platform Status.
Yoav Weiss
Contact emails
Explainer
Yi Gu
Mike Taylor
On 10/25/23 4:14 PM, Yi Gu wrote:
Thanks Yoav for the review!> It'd be useful to write a short (inline?) explainer here outlining what this does and how it'd look like. Specifically, would we start throwing on errors in scenarios that silently failed before?
For the Error API, it allows IdP to signal to the browser about the sign-in failure details such that the browser can make sure the user is kept informed with possibly next steps. Without this API, when a user clicks the "Continue as Name" button to sign-in, if it fails for whatever reasons, the browser rejects the promise silently so the user could be confused about the status. The fact that we are delaying rejecting the promise (for privacy reasons) would make it worse because the website wouldn't learn about the failure immediately either. With this API, the browser will first show a native UI with proper strings to explain the error to users and possibly allow users to learn more about next steps. It will also reject the promise with the errors (if provided by IdP) via IdentityCredentialError instead of a generic DOMException (which we currently use). You could find more details here.
For the AutoSelected Flag API, it shares whether auto re-authentication has been triggered during the flow with both IdP and RP. By default the CredentialManagement API supports credential auto selection when possible. However, the browser may decide not to trigger auto selection for legitimate reasons. While the exact reason should be opaque to IdP or RP, we could share with them the outcome such that they can better understand the flow and handle things differently. e.g. for metrics purposes they could know how many transactions were done with auto re-authentication to better understand the performance; in addition, an IdP can use the signal (boolean) to support some security related features. e.g. a user may prefer explicitly selecting an account with an IdP, if the IdP gets a token request that shows the account was automatically selected, they could reject the request and trigger a new sign-in flow to ask for explicit user mediation. You could find more details here.
> What's preventing these PRs from landing?
We aligned with Mozilla, who is prototyping FedCM in Firefox right now, that such spec changes should be reviewed by at least two implementers before merging. While we have discussed the two APIs at FedIdCG and it "generally looks reasonable", it's not yet formally reviewed by Mozilla (hence the "Under consideration" signal).
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCM8FnGsYjCQhzskrzU4RK9fMvpSBv23VV4Cdtr%2BMj0O2w%40mail.gmail.com.
Yi Gu
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f3bf599d-4ce2-482d-8153-87bba1dd1836%40chromium.org.
Nicolás Peña
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCM8FnGsYjCQhzskrzU4RK9fMvpSBv23VV4Cdtr%2BMj0O2w%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Mike Taylor
Thanks Nicolás and Yi.
LGTM1 % the PRs landing before this ships, and assuming Mozilla does not have feedback that materially changes the API shape. If that's the case, can you report back?
thanks,
Mike
Rick Byers
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCM8FnGsYjCQhzskrzU4RK9fMvpSBv23VV4Cdtr%2BMj0O2w%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f3bf599d-4ce2-482d-8153-87bba1dd1836%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0efea540-3115-4435-8837-fd4983ffd68d%40chromium.org.
Chris Harrelson
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY9xmqXCW%3DHowGt_2FCjaoEp0SPzOuqhSD%3Dcg6wrjH2fhw%40mail.gmail.com.
Mike Taylor
I'd like to remove my condition around my LGTM - I was able to
reach out to Ben offline to confirm that he's roughly in favor of
the proposed additions. Given that, I don't think we should block
on reviews (acknowledging a private chat is not an official
position or statement of support).
So, LGTM1 to ship.