Domain Hint API, Button Mode API, CORS, SameSite=None and Registration API


FedCM developer newsletter

Apr 22, 2024, 8:11:46 AM
to FedCM developer newsletter

Hello FedCM newsletter subscribers!



We have a few exciting updates to the Federated Credential Management API.

  • Shipping the Domain Hint API in Chrome 123.

  • Starting an origin trial for the Button Mode API from Chrome 125.

  • CORS and SameSite=None will be required from Chrome 125.

  • Running a dev trial for the Registration API from Chrome 125.


Domain Hint API


Chrome 123 adds support for the Domain Hint API in FedCM. The Domain Hint API allows RPs to specify a domainHint property on a FedCM API call so that only matching accounts are shown to the user. You can learn more in the FedCM updates: Domain Hint API blog post.



Button Mode API origin trial


FedCM's existing UI mode, widget mode, requires the user to be signed in to the IdP separately. This works well for IdPs with a long session life, but for IdPs with a shorter session life it is better if the user can sign in to the IdP dynamically. This is where a button mode comes in handy.


With the Button Mode API, if a user is not signed in to the IdP, FedCM displays a UI to sign in to the IdP dynamically, in contrast to widget mode, where no UI is shown. If the user is already signed in to the IdP, they select an IdP account from a modal dialog. Because the Button Mode API is gated by a user gesture, this dialog only appears in response to the user's action, in contrast to widget mode, where the widget can be displayed on page load.


Chrome 125 starts an origin trial for the Button Mode API on desktop. To develop locally, enable the flag at chrome://flags#fedcm-button-mode on Chrome Beta. Try a Button Mode API demo in Glitch. You can find out more about the Button Mode API and the optional "use other account" feature.


CORS and SameSite=None will be required


Chrome will enforce CORS on the ID assertion endpoint and only cookies explicitly marked as SameSite=None will be sent to credentialed FedCM endpoints starting from Chrome 125.

For details, see the blog post on the updates.
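As an added illustration of what these two requirements mean on the IdP side (this is example code, not code from the newsletter or from Chrome), the policy below shows an ID assertion endpoint that answers the CORS preflight-free credentialed fetch with the RP's origin echoed back and sets its session cookie with SameSite=None; the request and response objects, the client registry and the cookie name are hypothetical.

```javascript
// Added example (not code from the newsletter or from Chrome): a minimal
// request policy for an IdP's ID assertion endpoint under the Chrome 125
// rules. Request and response are plain objects of a hypothetical shape.

// Constructed registry of RP client_ids and the origin each is allowed to
// call from (hypothetical values).
const REGISTERED_CLIENTS = {
  "rp-client-123": "https://rp.example",
  "shop-client-456": "https://shop.example",
};

// Attributes the IdP session cookie needs so the browser still attaches it
// to the cross-site, credentialed fetch that FedCM makes to this endpoint.
// SameSite=None is only honoured together with Secure.
function sessionCookieHeader(sessionValue) {
  return `idp_session=${sessionValue}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Decide how the ID assertion endpoint answers. Returns { status, headers }.
// The token itself would be minted only after this check passes.
function idAssertionPolicy(req) {
  const headers = { "Content-Type": "application/json" };
  // The browser sends Sec-Fetch-Dest: webid on FedCM fetches; a request
  // without it did not come through FedCM and should not get a token.
  if (req.headers["sec-fetch-dest"] !== "webid") {
    return { status: 400, headers };
  }
  const origin = req.headers["origin"];
  const expectedOrigin = REGISTERED_CLIENTS[req.body.client_id];
  // Reject unknown clients and client_ids presented from the wrong origin.
  if (!origin || !expectedOrigin || origin !== expectedOrigin) {
    return { status: 403, headers };
  }
  // CORS: echo the single registered origin (never "*" with credentials)
  // and allow credentials so the browser accepts the response for FedCM.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Vary"] = "Origin";
  return { status: 200, headers };
}
```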



Registration API dev trial


Originally, OpenID aimed at making the internet a truly open world: whenever a user wanted to sign in using OpenID, they could use an identity from their preferred identity provider to do so. However, due to usability and technical limitations, most relying parties end up listing buttons to sign in with a few large OpenID providers (usually alongside a username and password). This is called the NASCAR problem. We explore how to solve this challenge with the Registration API.


With the Registration API, users can register their identities at their identity providers in advance. FedCM then allows the browser to display a filtered list of identities that match the RP's criteria and lets the user sign in with one of them.


Starting from Chrome 125, you can try this feature as a dev trial. Follow the instructions described in GitHub and tell us what you think.



If you have any feedback about the API, file an issue. We will keep the canonical FedCM developer guide up to date, along with the accumulated update logs page.
