Contact emails

[email protected]

Specification

https://github.com/w3c-fedid/FedCM/pull/760

Summary
To address cross-site identity correlation risks in the FedCM API, Identity 
Providers (IdPs) whose FedCM config file contains a client_metadata_endpoint 
are required to use the direct endpoints format in the 
.well-known/web-identity file. That is, whenever the config file has a 
client_metadata_endpoint, the .well-known/web-identity file must itself 
define both accounts_endpoint and login_url. This strengthens privacy 
protections by preventing relying parties from using the metadata flow to 
correlate user identities across multiple sites. For further details and 
discussion, refer to https://github.com/w3c-fedid/FedCM/issues/700.

Migration Plan
Chrome will enforce this rule in two phases:

Chrome 143 (Warning Phase): If the config file has a client_metadata_endpoint 
but the .well-known/web-identity file is missing accounts_endpoint or 
login_url, the browser logs a console warning. This gives IdPs time to update 
their configurations.

Chrome 145 (Enforcement Phase): The requirement becomes mandatory. FedCM 
configurations missing these endpoints are rejected, so the authentication 
flow fails.
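As an added illustration (not Chrome's or the FedCM spec's own code), the check described above, modelled in JavaScript: given a parsed .well-known/web-identity document and a parsed config file, it reports "ok", "warn" (Chrome 143 behaviour) or "block" (Chrome 145 behaviour), and a small helper shows one way an IdP could produce the direct endpoints form from an existing config. The field names accounts_endpoint, login_url and client_metadata_endpoint come from this intent; provider_urls is the pre-existing .well-known field; the idp.example URLs and the two sample documents are constructed for the example, and the migration helper's choice to copy the config's endpoints into the well-known file (absolutised against the config URL) is an assumption about how an operator might migrate, not a spec requirement.

```javascript
// Added example: models the well-known validation this intent describes.
// Not Chrome's implementation. Field names come from the intent text;
// sample documents below are constructed.

const REQUIRED_DIRECT_ENDPOINTS = ["accounts_endpoint", "login_url"];

function isNonEmptyString(v) {
  return typeof v === "string" && v.trim().length > 0;
}

// wellKnown: parsed .well-known/web-identity; config: parsed FedCM config file;
// phase: Chrome milestone being modelled (143 warns, 145 and later block).
// Returns { level: "ok" | "warn" | "block", missing: string[] }.
function validateWellKnown(wellKnown, config, phase) {
  // Rule only applies when the config file has a client_metadata_endpoint.
  if (!isNonEmptyString(config.client_metadata_endpoint)) {
    return { level: "ok", missing: [] };
  }
  const missing = REQUIRED_DIRECT_ENDPOINTS.filter(
    (k) => !isNonEmptyString(wellKnown[k])
  );
  if (missing.length === 0) return { level: "ok", missing };
  return { level: phase >= 145 ? "block" : "warn", missing };
}

// Assumed migration strategy: copy accounts_endpoint and login_url from the
// config file into the well-known file, resolving relative paths against the
// config URL so the well-known file carries absolute URLs.
function migrateWellKnown(wellKnown, config, configUrl) {
  const out = { ...wellKnown };
  for (const k of REQUIRED_DIRECT_ENDPOINTS) {
    if (!isNonEmptyString(out[k]) && isNonEmptyString(config[k])) {
      out[k] = new URL(config[k], configUrl).href;
    }
  }
  return out;
}

// Constructed sample config file (idp.example is a placeholder host).
const sampleConfigUrl = "https://idp.example/fedcm.json";
const sampleConfig = {
  accounts_endpoint: "/fedcm/accounts",
  client_metadata_endpoint: "/fedcm/client_metadata",
  id_assertion_endpoint: "/fedcm/assertion",
  login_url: "/login",
};

// Constructed legacy well-known file: provider_urls only.
const legacyWellKnown = { provider_urls: [sampleConfigUrl] };

// Direct endpoints format produced by the migration helper.
const migratedWellKnown = migrateWellKnown(legacyWellKnown, sampleConfig, sampleConfigUrl);

console.log("143:", validateWellKnown(legacyWellKnown, sampleConfig, 143));
console.log("145:", validateWellKnown(legacyWellKnown, sampleConfig, 145));
console.log("migrated:", migratedWellKnown, validateWellKnown(migratedWellKnown, sampleConfig, 145));
```

An IdP that does not use client_metadata_endpoint is unaffected by the rule, which the validator reflects by returning "ok" without inspecting the well-known file.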


Blink component

Blink>Identity>FedCM


<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>

Web Feature ID

fedcm


<https://webstatus.dev/features/fedcm>

TAG review

None


Risks

Interoperability and Compatibility

IdPs that use a client_metadata_endpoint and do not update their 
.well-known/web-identity file risk breaking authentication flows. Chrome 143 
only issues warnings, but starting with Chrome 145 a missing accounts_endpoint 
or login_url will cause the configuration to be rejected. Prompt migration is 
needed to maintain compatibility and avoid service disruptions for relying 
parties and end users.

Gecko: No signal (Firefox does not wish to support the client metadata 
endpoint of the FedCM API so this would not be a change applicable to them)

WebKit: No signal

Web developers: No signals

Other signals:


WebView application risks

FedCM does not work in WebView.


Ongoing technical constraints

None

Debuggability

Same as other FedCM features. The network view in devtools would be 
especially helpful for debugging this feature.


Will this feature be supported on all six Blink platforms (Windows, Mac, 
Linux, ChromeOS, Android, and Android WebView)?

No. FedCM in general is not supported on WebView; it is supported on all 
other Blink platforms.


Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
?

Yes
https://wpt.fyi/results/fedcm/fedcm-well-known-validation?label=experimental&label=master


Flag name on about://flags

fedcm-well-known-endpoint-validation


Finch feature name

FedCmWellKnownEndpointValidation


Requires code in //chrome?

False


Estimated milestones

Shipping on desktop

145

Shipping on Android

145



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4614417052467200


This intent message was generated by Chrome Platform Status 
<https://chromestatus.com/>.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bb953b88-ddd6-4d4d-9d7a-f1384dae2511n%40chromium.org.