On 10/17/25 10:41 a.m., suresh potti wrote:
Contact emails
[email protected]
https://github.com/w3c-fedid/FedCM/pull/760SummaryTo address
cross-site identity correlation risks in the FedCM API, Identity
Providers (IdPs) that utilize client_metadatawithin their FedCM
configuration are required to implement the direct endpoints format in
the .well-known/web-identityfile. This mandate ensures that both
accounts_endpointand login_urlare explicitly defined whenever a
client_metadata_endpointis present. This approach strengthens privacy
protections by preventing relying parties from exploiting metadata to
correlate user identities across multiple sites. For further details
and discussion, refer to https://github.com/w3c-fedid/FedCM/issues/700
<https://github.com/w3c-fedid/FedCM/issues/700>.
Migration PlanChrome will enforce this rule in two phases:
Chrome 143 (Warning Phase):If client_metadata_endpointexists but
accounts_endpointor login_urlis missing, the browser will display
console warnings. This gives IdPs time to update configurations.
Chrome 145 (Enforcement Phase):The requirement becomes mandatory.
FedCM configurations missing these endpoints will be blocked,
preventing authentication flows.
Blink component
Blink>Identity>FedCM<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>
Web Feature ID
fedcm<https://webstatus.dev/features/fedcm>
TAG review
None
Risks
Interoperability and Compatibility
IdPs failing to update .well-known/web-identity for FedCM client
metadata risk breaking authentication flows. Chrome 143 issues
warnings, but starting Chrome 145, missing accounts_endpoint or
login_url will block configurations entirely. Immediate migration is
critical to maintain compatibility and avoid service disruptions for
relying parties and end-users.
Similar to the previous email, can you say something about expected
impact/usage here? And how confident are we that IdPs are going to be
paying attention to console warnings?
Gecko: No signal (Firefox does not wish to support the client metadata
endpoint of the FedCM API so this would not be a change applicable to
them)WebKit: No signalWeb developers: No signalsOther signals:
WebView application risks
FedCM does not work in WebView.
Ongoing technical constraints
None
Debuggability
Same as other FedCM features. The network view in devtools would be
especially helpful for debugging this feature.
Will this feature be supported on all six Blink platforms (Windows,
Mac, Linux, ChromeOS, Android, and Android WebView)?
No, FedCM in general is not supported on webview. Supported on all
other blink platforms.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yeshttps://wpt.fyi/results/fedcm/fedcm-well-known-validation?label=experimental&label=master<https://wpt.fyi/results/fedcm/fedcm-well-known-validation?label=experimental&label=master>
Flag name on about://flags
fedcm-well-known-endpoint-validation
Finch feature name
FedCmWellKnownEndpointValidation
Requires code in //chrome?
False
Estimated milestones
Shipping on desktop
145
Shipping on Android
145
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/4614417052467200<https://chromestatus.com/feature/4614417052467200>
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bb953b88-ddd6-4d4d-9d7a-f1384dae2511n%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bb953b88-ddd6-4d4d-9d7a-f1384dae2511n%40chromium.org?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/73a8e393-decd-40a7-b857-63605d83d75f%40chromium.org.
