Brief update: both spec PRs are now merged. Hoping to ship in M122. On Friday, December 15, 2023 at 2:29:58 PM UTC-5 Nicolás Peña wrote:
> Contact emails > > n...@chromium.org > > Explainer > > Domain Hint (formerly hosted domain): > https://github.com/fedidcg/FedCM/issues/427 > > Disconnect (formerly revoke): https://github.com/fedidcg/FedCM/issues/496 > > (Note: in the FedCM team, we have explainers in the form of GitHub issues > per feedback > <https://github.com/fedidcg/FedCM/issues/431#issuecomment-1425025469> > from FedID CG. The issue and the first comment are the explainers in each > case.) > > Specification > > Domain Hint: https://github.com/fedidcg/FedCM/pull/512 > > Disconnect: > https://fedidcg.github.io/FedCM/#browser-api-identity-credential-disconnect > > > Note on spec PR merging policy (to answer the question “why has the first > not been merged”): in the FedID CG, we have agreed that non-editorial spec > PRs require review from two implementations. Disconnect has been approved, > while domainHint is still under review. Both features have been discussed > thoroughly in the FedID CG and the feedback there has been incorporated. > > Summary > > Allows showing only accounts matching a given domain hint in the FedCM > account chooser, and allows disconnecting a federated login account via the > relying party website. With domain hint, developers may provide a better UX > by only showing the federated login accounts from the domain that they > accept. With the disconnect API, a relying party (RP) may notify the > identity provider (IdP) that an IdP account previously used via FedCM in an > RP is now disconnected, and hence using that account again via federated > login would require treating it as a new account. > > Blink component > > Blink>Identity>FedCM > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM> > > TAG review > > https://github.com/w3ctag/design-reviews/issues/893 > > TAG review status > > Issues addressed > > Risks > > Interoperability and Compatibility > > These are small additions to the FedCM API, which has (general) support > from WebKit and Mozilla. They haven't shipped FedCM yet, but it would not > be a lot more work to add these features. If a user agent did not have > domain hint support, this would mean it would show more accounts in the > chooser compared to user agents which do have domain hint support. Not > adding disconnect would mean that this feature of allowing RPs to > disconnect accounts would not be available in the browser, but it would not > impact the FedCM API otherwise. > > > Gecko: Positive for disconnect and no signal yet for domainHint. Firefox > asked us to not send standards positions requests for small FedCM > additions, and to instead rely on pull requests. See > https://github.com/fedidcg/FedCM/pull/512 and > https://github.com/fedidcg/FedCM/pull/515. > > WebKit: No signal ( > https://github.com/WebKit/standards-positions/issues/249) > > Web developers: Positive. This is a feature requested by developers to > satisfy existing flows which break once third-party cookies are removed. > > Other signals: > > Ergonomics > > It will be often used within the FedCM API. We do not see ergonomics risks. > > > Activation > > Domain hint can be polyfilled via login hint but it would be pretty > cumbersome to do so. The disconnect API would be hard to polyfill, but > could perhaps be done in a non-user friendly way via popups. This would > still be imperfect since the browser knowledge about the connection would > not be cleared, only the IdP-side disconnection would occur. > > > Security > > The Disconnect endpoint will use CORS. An RP may not impact the connection > status of accounts not belonging to that RP origin. > > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > N/A (FedCM does not work on WebViews) > > > Debuggability > > Console errors and DevTools issues will be used to highlight any issues > with the disconnect call. > > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, Chrome OS, Android, and Android WebView)? > > FedCM is not supported on Android WebView. > > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ? > > Yes. Look for domainhint and disconnect in > https://wpt.fyi/results/credential-management?label=experimental&label=master&aligned > . > > > Flag name on chrome://flags > > FedCmDomainHint, FedCmDisconnect > > Finch feature name > > FedCmDomainHint, FedCmDisconnect > > Requires code in //chrome? > > True > > Tracking bug > > https://bugs.chromium.org/p/chromium/issues/detail?id=1473135 (follow > implementations in the two BlockedOn bugs) > > Launch bug > > https://launch.corp.google.com/launch/4273848 > > Estimated milestones > > No milestones specified > > > Anticipated spec changes > > Open questions about a feature may be a source of future web compat or > interop issues. Please list open issues (e.g. links to known github issues > in the project for the feature specification) whose resolution may > introduce web compat/interop risk (e.g., changing to naming or structure of > the API in a non-backward-compatible way). > > None > > Link to entry on the Chrome Platform Status > > https://chromestatus.com/feature/5202286040580096 > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1da7172f-acff-43d6-916e-fd4860c1abben%40chromium.org.