Intent to Extend Experiment: FedCM Bundle 6: Continuation API, Parameters API, Fields API, Multiple configURLs, Custom account labels

144 views
Skip to first unread message

Chromestatus

unread,
Sep 19, 2024, 3:00:25 PMSep 19
to blin...@chromium.org, cbies...@chromium.org

Contact emails

cbies...@chromium.org

Explainer

https://github.com/fedidcg/FedCM/issues/555
https://github.com/fedidcg/FedCM/issues/556
https://github.com/fedidcg/FedCM/issues/559
https://github.com/fedidcg/FedCM/issues/552
https://github.com/fedidcg/FedCM/issues/553

Specification

None

Summary

This bundles a few features that we would like to launch at the same time: Continuation API: https://github.com/fedidcg/FedCM/issues/555 This lets the IDP open a popup window to finish the sign-in flow after potentially collecting additional information. Parameters API: https://github.com/fedidcg/FedCM/issues/556 This lets RPs pass additional data to the ID assertion endpoint Fields API: https://github.com/fedidcg/FedCM/issues/559 This lets RPs bypass the data sharing prompt in favor of the IDP prompting Multiple configURLs: https://github.com/fedidcg/FedCM/issues/552 This lets IDPs use different config files in different contexts without weakening FedCM privacy properties, by allowing one accounts endpoint for the eTLD+1 (instead of one config file, which is more limiting than necessary) Account labels: https://github.com/fedidcg/FedCM/issues/553 Combined with the previous proposal, this allows filtering the account list per config file without providing additional entropy to the IDP.



Blink component

Blink>Identity>FedCM

TAG review

https://github.com/w3ctag/design-reviews/issues/945

TAG review status

Pending

Chromium Trial Name

FedCmContinueOnBundle

Origin Trial documentation link

https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md#continuation-api

WebFeature UseCounter name

kFedCmContinueOnResponse

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/336)

Web developers: Positive (https://github.com/fedidcg/FedCM/issues/488#issuecomment-1749682526) Also: https://github.com/fedidcg/FedCM/issues/496#issuecomment-1781364610 https://github.com/fedidcg/FedCM/issues/533#issuecomment-1878581998

Other signals:

Security

We made sure that the popup from the continuation API is same-origin with the IDP, and that it cannot communicate with the RP except through the narrow IdentityProvider.resolve API. In particular, window.opener is null. The additional parameters from the parameter and scope API are only sent to the server after user interaction, and from a privacy perspective are equivalent to the existing "nonce" field. However, from a developer ergonomics perspective the additions are much easier to use. Account labels were carefully designed not to add entropy and in particular not to send additional data to the server.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Goals for experimentation



Reason this experiment is being extended

We would like to extend this origin trial because our partner's experimentation has been delayed for various reasons. In addition, we are updating the API based on feedback from the CG/WG (https://github.com/w3c-fedid/custom-requests/issues/2#issuecomment-2342125924) and need some time to implement this and get partner feedback on that.



Ongoing technical constraints

None



Debuggability

No special support needed



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

FedCM in general is not supported in webview



Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/credential-management/fedcm-authz?label=experimental&label=master&aligned (They currently fail on wpt.fyi because the feature is off by default)



Flag name on chrome://flags

fedcm-authz

Finch feature name

FedCmAuthz

Requires code in //chrome?

True

Tracking bug

https://crbug.com/40262526

Launch bug

https://launch.corp.google.com/launch/4315483

Measurement

https://chromestatus.com/metrics/feature/timeline/popularity/4955 In addition, we have several UMA metrics.

Estimated milestones

Shipping on desktop 131
Origin trial desktop first 127
Origin trial desktop last 131
Origin trial extension 1 end milestone 133
Shipping on Android 131
Origin trial Android first 128
Origin trial Android last 131


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6495400321351680?gate=5307216744415232

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/qqrG6yn1u1Q?pli=1
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XEedt%2Bu2pS_2NHHfxtEV9JJ7wbuKNEnieeWr6w8FtwKLw%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Alex Russell

unread,
Sep 25, 2024, 11:47:41 AMSep 25
to blink-dev, Chromestatus, Christian Biesinger
LGTM
Reply all
Reply to author
Forward
0 new messages