LGTM1

On Friday, June 9, 2023 at 9:10:14 PM UTC+2 Nicolás Peña wrote:

> Contact emails
>
> n...@chromium.org
>
> Explainers
>
> https://github.com/fedidcg/FedCM/issues/382
>
> https://github.com/fedidcg/FedCM/issues/426
>
> https://github.com/fedidcg/FedCM/issues/456
>
> Specification
>
> https://github.com/fedidcg/FedCM/pull/470
>
> Design docs
>
> (Google internal 
> <https://docs.google.com/document/d/1vDXzFArpxbbjfZ9yLXazNs6Kc12g6S7_hTq3udYIh8U/edit?resourcekey=0-3Trh4Xld6cKGNBcO9p6JJg>.
> See tracking bug for implementation and GitHub PR for specification)
>
> Summary
>
> This entry covers a few incremental extensions to the FedCM API:
>
>    - With LoginHint, the RP can specify a hint about the user account they 
>    want displayed in the FedCM UI. Accounts which do not match the hint are 
>    not displayed. This is mainly used to provide a better UX for returning 
>    users and is a feature supported 
>    <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest> by 
>    OpenID.
>    - The UserInfo extension allows the IdP to personalize the login 
>    experience for returning users, for instance via personalized sign-in 
>    buttons. After the user has used FedCM with a given IdP on some RP site, 
>    this API fetches the user accounts from the IdP and returns basic 
>    information like name, email, and picture from the response to an IdP 
>    iframe on subsequent visits to the RP.
>    - With the context parameter, the IdP can request for the FedCM dialog 
>    to show a different title than “Sign in”, to improve the message being 
>    displayed to the user in the FedCM UI (alternatives currently include 
>    “Sign up”, “Continue” and “Use”).
>
> Blink component
>
> Blink>Identity>FedCM 
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>
>
> TAG review
>
> https://github.com/w3ctag/design-reviews/issues/839
>
> TAG review status
>
> Pending
>
> Risks
>
> Interoperability and Compatibility
>
> These are extensions to the FedCM API. Apple and Mozilla have both 
> expressed a positive opinion on the initial FedCM API 
> <https://groups.google.com/a/chromium.org/g/blink-dev/c/URpYPPH-YQ4/m/bzghj9N3AQAJ>.
> They have not yet been implemented but Mozilla is prototyping 
> <https://bugzilla.mozilla.org/buglist.cgi?quicksearch=fedcm>. If a user 
> agent chooses not to implement these extensions, it will limit the quality 
> of the UI that it can provide to users, but should not break the FedCM 
> flow. LoginHint not being implemented means that all available accounts are 
> shown, not just the one that the RP wants to display. Context not being 
> implemented means that the user agent shows the default UI. And UserInfo 
> not being implemented means that the IDP cannot show personalized buttons, 
> but they would fall back to the generic ones. Given that Mozilla has also 
> expressed a positive position for the extensions in this Intent (see 
> below), we do not anticipate interop issues.
>
> Gecko: Positive 
> <https://github.com/fedidcg/FedCM/pull/470#discussion_r1223437051> For 
> incremental improvements to FedCM, Firefox has asked us not to file a 
> standards position, and they will instead provide feedback in the GitHub 
> PR. Their LGTM on the PR 
> <https://github.com/fedidcg/FedCM/pull/470#discussion_r1223437051> is 
> thus considered as a positive signal.
>
> WebKit: No signal 
> <https://github.com/WebKit/standards-positions/issues/175>
>
> Web developers: Positive These features are being developed to address 
> existing use-cases which will not be possible once third-party cookies are 
> phased out.
>
> Ergonomics
>
> No new ergonomics risks.
>
> Activation
>
> No new activation risks.
>
> Security
>
> Context API has no security risks. For LoginHint API, it is important that 
> the user agent treats no-match the same way as receiving an empty accounts 
> list. For UserInfo API, it can only be called from within the IdP’s 
> same-origin <iframes>, but still our developer documentation will point out 
> to identity providers that they need to be careful when using this API in 
> order to not accidentally leak information to relying parties through 
> postMessage.
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that 
> it has potentially high risk for Android WebView-based applications?
>
> N/A as this feature is not available on WebView.
>
> Debuggability
>
> We added console errors 
> <https://bugs.chromium.org/p/chromium/issues/detail?id=1440181> 
>
> Will this feature be supported on all six Blink platforms (Windows, Mac, 
> Linux, Chrome OS, Android, and Android WebView)?
>
> No: all except WebView
>
> Is this feature fully tested by web-platform-tests 
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>
> UserInfo 
> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/credential-management/fedcm-userinfo.https.html>
>
> LoginHint 
> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/credential-management/fedcm-loginhint.https.html>
>
> Context 
> <https://chromium-review.googlesource.com/c/chromium/src/+/4605035> 
> (while we implemented webdriver and chromedriver support for FedCM, we are 
> still missing additional automation 
> <https://bugs.chromium.org/p/chromium/issues/detail?id=1453691> for this 
> test to run successfully in Chrome)
>
> DevTrial instructions
>
> https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md
>
> Flag name
>
> #fedcm-login-hint, #fedcm-rp-context, and #fedcm-user-info
>
> Requires code in //chrome?
>
> True
>
> Tracking bug
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=1412893
>
> Launch bug
>
> https://launch.corp.google.com/launch/4249829
>
> Estimated milestones
>
> Shipping on desktop 116
>
> Shipping on Android 116
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or 
> interop issues. Please list open issues (e.g. links to known github issues 
> in the project for the feature specification) whose resolution may 
> introduce web compat/interop risk (e.g., changing to naming or structure of 
> the API in a non-backward-compatible way).
>
> N/A
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/5166718178033664
>
> Links to previous Intent discussions
>
> N/A
>
> This intent message was generated by Chrome Platform Status 
> <https://chromestatus.com/>.
>
>
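
The LoginHint requirement in the Security section of the quoted intent (a no-match is treated the same way as an empty accounts list), modeled as an added example that is not part of the original message and is not Chromium's code. The `loginHint` parameter and the `login_hints` account field follow the FedCM specification; the function names, the outcome object and the sample accounts are assumptions made for illustration.

```javascript
// Added illustration: a model of login-hint filtering, not Chromium's code.
// Function names and the shape of the outcome object are hypothetical.

// Constructed sample of an IdP accounts-endpoint response.
const SAMPLE_RESPONSE = {
  accounts: [
    { id: "1234", name: "Alice Example", email: "alice@idp.example",
      login_hints: ["alice@idp.example", "1234"] },
    { id: "5678", name: "Bob Example", email: "bob@idp.example",
      login_hints: ["bob@idp.example"] },
    { id: "9012", name: "No Hints", email: "nohints@idp.example" },
  ],
};

// Keep only accounts whose login_hints array contains the RP's hint.
// With no hint, every account returned by the IdP is eligible. An account
// that publishes no login_hints never matches a hint.
function filterByLoginHint(accounts, loginHint) {
  if (loginHint === undefined || loginHint === "") return accounts.slice();
  return accounts.filter(
    (a) => Array.isArray(a.login_hints) && a.login_hints.includes(loginHint)
  );
}

// Build what the RP can observe. "No account matched the hint" and "the IdP
// returned no accounts" take the same branch and produce the same object, so
// the RP cannot use hints to test which accounts exist at the IdP.
function resolveRequest(accountsResponse, loginHint) {
  const accounts = Array.isArray(accountsResponse.accounts)
    ? accountsResponse.accounts
    : [];
  const shown = filterByLoginHint(accounts, loginHint);
  if (shown.length === 0) {
    // Placeholder error label; the point is that it is identical in both cases.
    return { ok: false, error: "request-failed", shown: [] };
  }
  return { ok: true, shown: shown.map((a) => a.id) };
}

console.log(resolveRequest(SAMPLE_RESPONSE, "alice@idp.example"));
console.log(resolveRequest(SAMPLE_RESPONSE, "carol@idp.example"));
console.log(resolveRequest({ accounts: [] }, "carol@idp.example"));
```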
