Contact emails
sures...@microsoft.com
Specification
https://github.com/w3c-fedid/FedCM/pull/760
Summary
To address cross-site identity correlation risks in the FedCM API, Identity Providers (IdPs) that utilize client_metadata within their FedCM configuration are required to implement the direct endpoints format in the .well-known/web-identity file. This mandate ensures that both accounts_endpoint and login_url are explicitly defined whenever a client_metadata_endpoint is present. This approach strengthens privacy protections by preventing relying parties from exploiting metadata to correlate user identities across multiple sites. For further details and discussion, refer to https://github.com/w3c-fedid/FedCM/issues/700.
Migration Plan
Chrome will enforce this rule in two phases:
Chrome 143 (Warning Phase): If client_metadata_endpoint exists but accounts_endpoint or login_url is missing, the browser will display console warnings. This gives IdPs time to update configurations.
Chrome 145 (Enforcement Phase): The requirement becomes mandatory. FedCM configurations missing these endpoints will be blocked, preventing authentication flows.
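An added example (not part of the intent message or of Chromium's implementation) that models the two-phase rule as a pre-deployment check an IdP could run against its own config and .well-known/web-identity files. It assumes both files have already been fetched and parsed as JSON, that the legacy well-known format is a provider_urls list, and that the sample documents below are constructed for illustration.

```python
import json

WARN_MILESTONE = 143     # console warning phase
ENFORCE_MILESTONE = 145  # configurations missing the endpoints are blocked


def check_well_known(config, well_known, chrome_milestone):
    """Return (allowed, messages) for one IdP config / well-known pair.

    config:      parsed FedCM config file (JSON object)
    well_known:  parsed .well-known/web-identity (JSON object)
    The rule only applies when the config declares client_metadata_endpoint.
    """
    messages = []
    if "client_metadata_endpoint" not in config:
        return True, messages  # rule does not apply to this IdP

    missing = [k for k in ("accounts_endpoint", "login_url") if not well_known.get(k)]
    if not missing:
        return True, messages  # direct endpoints format already in place

    text = ("client_metadata_endpoint is set but .well-known/web-identity "
            "lacks " + ", ".join(missing))
    if chrome_milestone >= ENFORCE_MILESTONE:
        messages.append("error: " + text + " (authentication flow blocked)")
        return False, messages
    if chrome_milestone >= WARN_MILESTONE:
        messages.append("warning: " + text)
    return True, messages


# Constructed sample documents (hypothetical IdP, not a real deployment).
CONFIG = json.loads('''{
  "accounts_endpoint": "/fedcm/accounts",
  "login_url": "/login",
  "client_metadata_endpoint": "/fedcm/client_metadata"
}''')
WELL_KNOWN_LEGACY = json.loads('{"provider_urls": ["/fedcm/config.json"]}')
WELL_KNOWN_DIRECT = json.loads('''{
  "accounts_endpoint": "/fedcm/accounts",
  "login_url": "/login"
}''')

if __name__ == "__main__":
    for milestone in (142, 143, 145):
        for name, wk in (("legacy", WELL_KNOWN_LEGACY), ("direct", WELL_KNOWN_DIRECT)):
            allowed, msgs = check_well_known(CONFIG, wk, milestone)
            print(f"Chrome {milestone} / {name}: allowed={allowed} {msgs}")
```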
Blink component
Web Feature ID
TAG review
None
Risks
Interoperability and Compatibility
IdPs failing to update .well-known/web-identity for FedCM client metadata risk breaking authentication flows. Chrome 143 issues warnings, but starting Chrome 145, missing accounts_endpoint or login_url will block configurations entirely. Immediate migration is critical to maintain compatibility and avoid service disruptions for relying parties and end-users.
Gecko: No signal (Firefox does not wish to support the client metadata endpoint of the FedCM API so this would not be a change applicable to them)
WebKit: No signal
Web developers: No signals
Other signals:
WebView application risks
FedCM does not work in WebView.
Ongoing technical constraints
None
Debuggability
Same as other FedCM features. The Network panel in DevTools would be especially helpful for debugging this feature.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No. FedCM in general is not supported on WebView; it is supported on all other Blink platforms.
Is this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/fedcm/fedcm-well-known-validation?label=experimental&label=master
Flag name on about://flags
fedcm-well-known-endpoint-validation
Finch feature name
FedCmWellKnownEndpointValidation
Requires code in //chrome?
False
Estimated milestones
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/4614417052467200
This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bb953b88-ddd6-4d4d-9d7a-f1384dae2511n%40chromium.org.