Intent to Prototype: FedCM AuthZ API


Sam Goto

Jun 20, 2023, 12:31:45 PM
to blink-dev

Contact emails

go...@chromium.org


Explainer

https://github.com/fedidcg/FedCM/issues/477


Specification

TBD


Summary

An extension to the FedCM API that allows relying parties to request broader OAuth scopes.


Blink component

Blink>Identity>FedCM


Motivation

~20% of federated identity consumer flows on the web involve requesting more than the user’s basic profile. While FedCM so far has managed to mediate the exchange of enumerable attributes of the user’s identity (e.g. name, email and profile picture), there is a non-enumerable number of OAuth scopes (e.g. access to the user’s social graph, calendar, etc.), which requires a very different attitude towards delegating authorization flows while maintaining the privacy properties.


Initial public proposal

https://github.com/fedidcg/FedCM/issues/477


TAG review

None


TAG review status

Not started


Risks



Interoperability and Compatibility


The problem this proposal sets out to address is a problem that we think is shared across browser vendors and identity providers. For example, related discussions appear here, here and here. It is too soon to know if this specific proposal is going to address all of these issues, but this is the closest so far and agreeing on the (existence and definition of the) problem is a good step towards finding a solution together.


Gecko: No signal


WebKit: No signal


Web developers: We are working with identity providers to gather requirements, understand trade-offs and abuse vectors.


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

API is not available in WebView



Debuggability

Same as FedCM in general – console messages in devtools and general JS debugging



Is this feature fully tested by web-platform-tests?

No


Flag name

FedCmAuthz


Requires code in //chrome?

True


Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5080914991775744


Links to previous Intent discussions
