Hello FedCM newsletter subscribers!
The IdP Sign-In Status API is a mechanism that lets an IdP inform the browser of the user's sign-in status on the IdP. With this information, the browser can avoid unnecessary requests to the IdP and mitigate potential timing attacks.
We have started an origin trial of the IdP Sign-In Status API on desktop from Chrome 116. The API is supported in Chrome on Android from version 117.
Chrome has been disabling FedCM when third-party cookies are disabled, but with the IdP Sign-in Status API, FedCM can be enabled even when third-party cookies are disabled.
The IdP Sign-in Status API is a requirement and will be a breaking change when it ships. If you have an existing implementation of FedCM, make sure to participate in the origin trial and provide feedback. You can find more information about the FedCM updates in Chrome 116 in "FedCM updates: IdP Sign-In Status API, Login Hint, and more".
In addition, Chrome introduced a new flag that bypasses the configURL check to help developers test their deployment: chrome://flags/#fedcm-without-well-known-enforcement.
Currently we require the IdP configURL to appear in both places, the well-known file and the API call, to mitigate a manifest attack. In addition, we limit the number of config URLs in the well-known file to 1. While this has privacy benefits, it introduces a burden in development for IdPs that have pre-production channels that require over 3 config URLs. Using the flag chrome://flags/#fedcm-without-well-known-enforcement bypasses the configURL check.
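To make the enforcement above concrete, here is an added educational model of the check (not Chrome's code) that a browser performs against the IdP's /.well-known/web-identity file: the configURL passed to the API must be the single entry in its `provider_urls` list. The sample well-known file and config URLs below are constructed, and the `enforceWellKnown` option is an assumption that stands in for the chrome://flags/#fedcm-without-well-known-enforcement bypass; the well-known location is simplified to the configURL's origin.

```javascript
// Added illustration of the well-known consistency check described in the
// newsletter. Educational model only, not Chrome's implementation.
const WELL_KNOWN_PATH = "/.well-known/web-identity";
const MAX_PROVIDER_URLS = 1; // limit stated in the newsletter

// Where the browser would fetch the well-known file for a given configURL.
// Simplification (assumption): same origin as the configURL.
function wellKnownUrlFor(configURL) {
  const u = new URL(configURL);
  return `${u.origin}${WELL_KNOWN_PATH}`;
}

// wellKnown is the parsed JSON body of the well-known file.
// enforceWellKnown=false models the developer bypass flag (assumption).
// Returns { ok, reason }.
function checkConfigUrl(configURL, wellKnown, { enforceWellKnown = true } = {}) {
  if (!enforceWellKnown) {
    return { ok: true, reason: "well-known enforcement bypassed (dev flag)" };
  }
  if (!wellKnown || !Array.isArray(wellKnown.provider_urls)) {
    return { ok: false, reason: "well-known file missing provider_urls array" };
  }
  const urls = wellKnown.provider_urls;
  // Exactly one config URL is permitted in the well-known file.
  if (urls.length !== MAX_PROVIDER_URLS) {
    return { ok: false, reason: `expected ${MAX_PROVIDER_URLS} provider_urls, got ${urls.length}` };
  }
  // Compare normalized URLs so trivial spelling differences (default port,
  // percent-encoding) do not cause spurious mismatches.
  const listed = new URL(urls[0]).href;
  const requested = new URL(configURL).href;
  if (listed !== requested) {
    return { ok: false, reason: `configURL ${requested} is not listed in the well-known file (${listed})` };
  }
  return { ok: true, reason: "configURL matches the well-known file" };
}

// Constructed sample data (not from a real IdP).
const SAMPLE_WELL_KNOWN = { provider_urls: ["https://idp.example/fedcm.json"] };
const PROD_CONFIG_URL = "https://idp.example/fedcm.json";
const STAGING_CONFIG_URL = "https://idp.example/staging/fedcm.json";

console.log(wellKnownUrlFor(PROD_CONFIG_URL));
console.log(checkConfigUrl(PROD_CONFIG_URL, SAMPLE_WELL_KNOWN));       // ok: true
console.log(checkConfigUrl(STAGING_CONFIG_URL, SAMPLE_WELL_KNOWN));    // ok: false
console.log(checkConfigUrl(STAGING_CONFIG_URL, SAMPLE_WELL_KNOWN, { enforceWellKnown: false }));
```

The staging case shows why a pre-production channel fails the check unless the bypass flag is used: the well-known file can name only one config URL.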
If you have any feedback about the API, please file it on crbug.com.
Thank you!