Intent to Experiment: Federated Credentials Management (was WebID)

245 views
Skip to first unread message

Sam Goto

unread,
Mar 21, 2022, 12:06:17 PMMar 21
to blink-dev, Sam Goto

Contact emails


go...@google.com 


Explainer


https://github.com/fedidcg/FedCM/blob/main/explainer.md


Specification


https://fedidcg.github.io/FedCM/


Summary


A Web Platform API that allows users to login to websites with their federated accounts in a manner compatible with improvements to browser privacy.


In this origin trial, we are interested in experimenting with an account chooser for federated accounts, which we expect to be a foundational infrastructure for the Web going forward.


Blink component


Blink > Identity > FedCM


TAG review


Spec review: https://github.com/w3ctag/design-reviews/issues/718 

Early review: https://github.com/w3ctag/design-reviews/issues/622  


TAG review status


Pending


Risks


Interoperability and Compatibility


                Zero compatibility risk (new API)


Interoperability risk not yet known, currently working on getting formal signals.


Gecko: No Signals. standards position filed 


WebKit: No Signals. standards position filed


Web developers: No signals. We have been proactively working with Identity Providers and expect much of the origin trial experimentation to be a determining factor on their position.


Other signals: No signals. This API is being developed within the FedID CG with attendance of identity providers, browser vendors and standards experts. We are working on a community report https://github.com/fedidcg.


Activation


  We made a deliberate and concerted effort to make as many backwards

compatible changes as we possibly could to facilitate the adoption of FedCM.

When it wasn’t possible, we favored changes impacting Browsers and Identity

Providers and reduced changes impacting websites and users.


  So far, we think we maintained backwards compatibility with website’s server-

side Infrastructure, which we expect to be a meaningful activation lever.


We believe we found a structure that would make it easy for websites to adopt, but that's one of the risks that we are trying to mitigate as soon as we possibly can as part of the origin trial.


WebView Application Risks


Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

This API does not deprecate or change behavior of existing APIs.



Goals for experimentation


To learn about:


  • requirements: what aspects of federated identity are going to be affected by phasing out third party cookies?

  • demand: who is going to be affected? and how important is it for them?

  • deployment viability: is it a practical solution?

  • user acceptance: does our implementation perform well with users?


Ongoing technical constraints


The following are current technical constraints that we expect to resolve as we go along (i.e. we are actively working on these known constraints):


  • Android only implementation (here is the desktop implementation tracking bug)

  • Only ID tokens provided, no access or refresh tokens (access tokens PR in progress)

  • Front-channel logout designed and implemented, but disabled for origin trials (HOWTO try it)

  • Only available in top level frames 


Debuggability


Basic devtools integration supported. More to come as we learn.


https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO.md


https://bugs.chromium.org/p/chromium/issues/detail?id=1291653



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?


No

We expect the feature to be available on all platforms (Windows, Mac, Linux, ChromeOS and Android) except WebView. The current implementation is currently only supported on Android, with Desktop (Windows/Mac/Linux/ChromeOS) coming before our I2S.


Is this feature fully tested by web-platform-tests?


Yes.


DevTrial instructions


https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO.md


Flag name


 chrome://flags/#fedcm


Requires code in //chrome?


True


Tracking bug


You can track our progress here:


https://chromium-review.googlesource.com/q/hashtag:FedCM+is:merged


Launch bug


https://bugs.chromium.org/p/chromium/issues/detail?id=1216142


Measurement


kFederatedCredentialManagement


Estimated milestones


OriginTrial - Android

101-105

Origin Trial - Desktop 

102-105

DevTrial on android

98


Link to entry on the Chrome Platform Status


https://chromestatus.com/feature/6438627087220736


Links to previous Intent discussions



This intent message was generated by Chrome Platform Status.

Yoav Weiss

unread,
Mar 23, 2022, 1:20:38 AMMar 23
to blink-dev, Sam Goto, Sam Goto
LGTM to experiment till M105 (inclusive)

Kaan Icer

unread,
May 31, 2022, 12:40:50 PMMay 31
to blink-dev, yoav...@chromium.org, Sam Goto, Sam Goto, Yi Gu
Hello,
FedCM has been in the origin trial since M101 only on the Android platform. As part of the ongoing origin trial, we expand FedCM to desktop as well with M103.
Could you please help us understand if we need a new I2E for desktop support?
Thank you,
Kaan

Mike Taylor

unread,
May 31, 2022, 12:47:41 PMMay 31
to Kaan Icer, blink-dev, yoav...@chromium.org, Sam Goto, Sam Goto, Yi Gu
Hi Kaan,

No need for another I2E - you have the LGTM to experiment without any conditions on platforms (and I see you had Desktop listed as 102 to 105. The fact that it slipped a milestone is fine).
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/adcda1fc-b000-4b8e-a0eb-3104b21879a3n%40chromium.org.


Kaan Icer

unread,
May 31, 2022, 1:48:09 PMMay 31
to Mike Taylor, blink-dev, yoav...@chromium.org, Sam Goto, Sam Goto, Yi Gu
Thank you, Mike!

We have already updated Chromestatus to reflect desktop milestone change from M102 to M103.

Screen Shot 2022-05-31 at 1.46.31 PM.png

Regards,
Kaan
Reply all
Reply to author
Forward
0 new messages