Contact emails
y...@chromium.org, tanzach...@chromium.org, cbiesin...@chromium.org

Explainer
https://github.com/w3c-fedid/active-mode

Specification
Spec PR for the Mode API: https://github.com/w3c-fedid/FedCM/pull/660
Spec PR for the Use Another Account API: https://github.com/w3c-fedid/FedCM/pull/678

Summary
We intend to ship two new extensions for FedCM to address two issues that were collectively identified as CR blockers <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues> by the FedID WG: “A not-yet logged in IDP has no route to success” <https://github.com/w3c-fedid/active-mode/issues/2> and “Allow signing in to additional account(s)” <https://github.com/w3c-fedid/FedCM/issues/511>.

To address these issues, we intend to introduce the following extensions to FedCM:

- Mode: The “active” mode allows websites to call FedCM inside a button click (e.g. clicking on a “Sign-in to IdP” button), which requires FedCM to guarantee it will always respond with a visible user interface (as opposed to “passive” mode, which doesn’t show any UI when users are logged out). So, calling the FedCM API in “active” mode takes users to log in to the Identity Provider (IdP) when they are logged out. Also, because the active mode is called within an explicit user gesture, the UI is more prominent (e.g. centered and modal) compared to the UI from the passive mode (which doesn’t require a user gesture and can be called on page load).

- Use Other Account: With this extension, an IdP can allow users to sign in to other accounts.

In addition, the APIs are solving two related CR blockers <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues> identified <https://lists.w3.org/Archives/Public/public-fedid-wg/2024Jul/0006.html> by the FedID WG.

Feedback from Origin Trial:
We ran the Origin Trial <https://developer.chrome.com/origintrials/#/view_trial/2288391560657633281> with 30+ registrants. The feedback we got was positive.

From the extension’s perspective, this proposal is sufficient <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914> to assist the users who are not signed in to their IdP when FedCM extension is invoked. We also renamed the extension from “button” mode to “active” mode to untie from certain UI affordances, which was well received <https://github.com/w3c-fedid/FedCM/pull/660#issuecomment-2414525421> by partners as well.

From UX’s perspective, we have been iterating on the Chrome implementation based on feedback to address potential usability issues and provide users better context about their login.

Blink component
Blink>Identity>FedCM <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>

Search tags
fedcm <https://chromestatus.com/features#tags:fedcm>

TAG review
https://github.com/w3ctag/design-reviews/issues/935

TAG review status
Pending

Chromium Trial Name
FedCmButtonMode, FedCmUseOtherAccount

Origin Trial documentation link
https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-125-updates#button-mode-api

WebFeature UseCounter name
kFedCmButtonMode, kFedCmUseOtherAccount

Risks

Interoperability and Compatibility

Gecko: Not filing a standards position request for small additions at the explicit request from Firefox (they prefer PRs). Positive on the “active” mode based on TPAC discussions and GitHub issues <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914>.

WebKit: No signal on the particular FedCM extensions. Positive <https://github.com/WebKit/standards-positions/issues/309#issuecomment-2008324563> on the initial FedCM API. Standards position requests for FedCM extensions have been merged <https://github.com/WebKit/standards-positions/issues/309> so not filing a new one.

Web developers: Positive <https://github.com/fedidcg/FedCM/issues/442>. These features are being developed to address existing feedback for the FedCM API.

Other signals: N/A

Activation
Similar to the FedCM API, we deliberately leave the bulk of the work to the IdP to ensure that minimal RP change is needed. This feature, specifically, is one that can be currently controlled by JS SDKs, so we expect activation to have a similar profile as FedCM: immediately enabled to websites (without redeployment) by IdPs making use of it (by redeploying their JS SDKs).

Security
The active mode shares all of the security properties from the passive mode, e.g. honoring CSP, CORS, using security headers, not asking users to type in the browser UI etc. It’s worth noting that the pop-up window that loads the login_url has the same web platform properties as what one would get with window.open(url, "", "popup,noopener,noreferrer"). No communication between the website and this pop-up is allowed (e.g. no postMessage, no window.opener).

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability
Same as FedCM in general – console messages in devtools and general JS debugging, e.g. we show messages when transient activation is missing when invoking an active mode, or when a passive flow is terminated in favor of an active flow etc.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No, FedCM API is not available in WebView

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes <https://wpt.fyi/results/fedcm/fedcm-button-and-other-account?label=master&label=experimental&aligned&q=fedcm%2Ffedcm-button-and-other-account%2F>

Flag name on chrome://flags
FedCmButtonMode, FedCmUseOtherAccount

Finch feature name
FedCmButtonMode, FedCmUseOtherAccount

Requires code in //chrome?
True

Tracking bug
https://crbug.com/1490588, https://crbug.com/40939658

Launch bug
https://launch.corp.google.com/launch/4348674

Sample links
https://fedcm-button.glitch.me

Estimated milestones
Shipping on desktop 132
Origin trial desktop first 125
Origin trial desktop last 133
Origin trial extension 1 end milestone 130
Origin trial extension 2 end milestone 133
DevTrial on desktop 124
Shipping on Android 132
Origin trial Android first 128
Origin trial Android last 133
DevTrial on Android 125

Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/4689551782313984?gate=4942283999019008

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCPzJ1beiSbsmQqvu9x24zmf6LkGuup%3DgPVyXEx%2Bux9%3Dyg%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1745ebe7-6c98-49c7-9d98-94b25d39b409n%40chromium.org
Intent to Extend Experiment 1: https://groups.google.com/a/chromium.org/g/blink-dev/c/bQqXXv2S9q0/m/yHvhuFL3AQAJ
Intent to Extend Experiment 2: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCMPQ9s2hUR2UYuTTkRDra0qfjxBXA0bOme2baQGbPE6NA%40mail.gmail.com
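
The active-mode call described in the Summary, as an added example that is not part of the original post or of Chromium's code: an RP-side helper that requests a credential with mode "active" only when FedCM is present and the click still carries user activation. The IdP config URL, the client ID and the injected `env` object are assumptions made for illustration.

```javascript
// Added example (not from the original post). Placeholder IdP values are assumptions.
const IDP_CONFIG_URL = "https://idp.example/fedcm.json"; // hypothetical
const RP_CLIENT_ID = "rp-client-123";                     // hypothetical

// Build the navigator.credentials.get() argument for a FedCM request.
// The post notes the mode was renamed from "button" to "active"; reject any
// other value here so a stale SDK setting is caught before reaching the browser.
function buildIdentityRequest(mode, configURL, clientId) {
  if (mode !== "active" && mode !== "passive") {
    throw new TypeError(`unsupported FedCM mode: ${mode}`);
  }
  return { identity: { mode, providers: [{ configURL, clientId }] } };
}

// env is injected so the logic also runs outside a browser. In a page, pass:
//   { hasFedCM: "IdentityCredential" in window,
//     userActivation: navigator.userActivation,
//     credentials: navigator.credentials }
async function signInActive(env, configURL, clientId) {
  if (!env.hasFedCM) return { ok: false, reason: "unsupported" };
  // Active mode must run inside a user gesture; check first so the RP can
  // fall back to another sign-in flow instead of issuing a doomed request.
  if (!env.userActivation || !env.userActivation.isActive) {
    return { ok: false, reason: "no-user-activation" };
  }
  try {
    const cred = await env.credentials.get(
      buildIdentityRequest("active", configURL, clientId));
    return { ok: true, token: cred.token };
  } catch (err) {
    // Any failure rejects the promise; surface the error name to the caller.
    return { ok: false, reason: err.name || "error" };
  }
}

// Browser wiring (commented out so the block also loads under Node):
// document.querySelector("#idp-login").addEventListener("click", async () => {
//   const env = { hasFedCM: "IdentityCredential" in window,
//                 userActivation: navigator.userActivation,
//                 credentials: navigator.credentials };
//   const result = await signInActive(env, IDP_CONFIG_URL, RP_CLIENT_ID);
//   if (result.ok) { /* send result.token to the RP backend for verification */ }
// });
```

The returned token is only a bearer of the IdP's assertion; the RP backend still has to validate it before creating a session.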