PSA: FedCM Supports Credential Management Mediation Requirements for Auto Re-authentication

[Yi Gu]

Mediation requirements are part of the Credential Management API. One of the goals of mediation requirements is to automatically share credentials with the API caller whenever appropriate in order to provide a consistent way for auto re-authentication among the various credential types defined in the Credential Management API. We plan to support mediation requirements in FedCM starting from M115 - for more context about why browsers (e.g. Firefox besides Chrome) believe this is a reasonable use case to support please refer to this GitHub issue.

While this new functionality does not introduce any backwards incompatible API changes, the default user experience with our FedCM implementation will change as follows:

• Before: the browser will not hand over credentials without user mediation even if the user has granted permission explicitly in the past to hand over the credential to the API caller.

• After: If credentials can be handed over without user mediation (e.g. a user has explicitly granted permission to hand over the credential in the past AND the browser has not received a `preventSilentAccess` signal), they will be. If not, the browser will prompt users to ask for their permission to proceed.

This is because by default the current FedCM API acts as if `mediation: required` is specified but with this change the default mediation requirements become `mediation: optional` as defined in the Credential Management API. API callers (Identity Providers with SDK embedded on Relying Party sites as we suggested; or Relying Parties calling FedCM directly) can keep the existing user experience by changing the default mediation requirements value to `mediation: required`.

It’s worth noting that we originally had a different proposal to support auto re-authentication and are running an origin trial between M112 and M114 inclusive (the intent to experiment email can be found here). Since the work in this PSA implements an existing mechanism in the Credential Management API, and no longer introduces a new web-exposed boolean, we plan to proceed with this PSA instead of an intent to ship.

To ensure users will maintain a consistent experience with FedCM, we reached out to existing partners and they have updated their implementation accordingly. e.g. for partners who are participating in the auto re-authentication origin trial, they have switched to `mediation: optional' . For partners who are not, they have specified `mediation: required` in the API call to keep the existing UX.