Responding for Suresh since he's OOO this week. We have UKM metrics that tell us which IDPs would break today due to this change. We plan to document this change through our public devrel outreach and also reach out to IDPs that we detected through our metrics. While the number of sites that would break today due to this is relatively high, the number of IDPs is fairly small, so we are confident we can deploy once we know it would cause no breakage.
On Friday, October 17, 2025 at 1:04:59 PM UTC-4 [email protected] wrote:

> On 10/17/25 10:41 a.m., suresh potti wrote:
>
> > Contact emails
> >
> > [email protected]
> >
> > Specification
> >
> > https://github.com/w3c-fedid/FedCM/pull/760
> >
> > Summary
> >
> > To address cross-site identity correlation risks in the FedCM API, Identity Providers (IdPs) that utilize client_metadata within their FedCM configuration are required to implement the direct endpoints format in the .well-known/web-identity file. This mandate ensures that both accounts_endpoint and login_url are explicitly defined whenever a client_metadata_endpoint is present. This approach strengthens privacy protections by preventing relying parties from exploiting metadata to correlate user identities across multiple sites. For further details and discussion, refer to https://github.com/w3c-fedid/FedCM/issues/700.
> >
> > Migration Plan
> >
> > Chrome will enforce this rule in two phases:
> >
> > Chrome 143 (Warning Phase): If client_metadata_endpoint exists but accounts_endpoint or login_url is missing, the browser will display console warnings. This gives IdPs time to update configurations.
> >
> > Chrome 145 (Enforcement Phase): The requirement becomes mandatory. FedCM configurations missing these endpoints will be blocked, preventing authentication flows.
> >
> > Blink component
> >
> > Blink>Identity>FedCM <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>
> >
> > Web Feature ID
> >
> > fedcm <https://webstatus.dev/features/fedcm>
> >
> > TAG review
> >
> > None
> >
> > Risks
> >
> > Interoperability and Compatibility
> >
> > IdPs failing to update .well-known/web-identity for FedCM client metadata risk breaking authentication flows. Chrome 143 issues warnings, but starting Chrome 145, missing accounts_endpoint or login_url will block configurations entirely. Immediate migration is critical to maintain compatibility and avoid service disruptions for relying parties and end-users.
>
> Similar to the previous email, can you say something about expected impact/usage here? And how confident are we that IdPs are going to be paying attention to console warnings?
>
> > Gecko: No signal (Firefox does not wish to support the client metadata endpoint of the FedCM API so this would not be a change applicable to them)
> >
> > WebKit: No signal
> >
> > Web developers: No signals
> >
> > Other signals:
> >
> > WebView application risks
> >
> > FedCM does not work in WebView.
> >
> > Ongoing technical constraints
> >
> > None
> >
> > Debuggability
> >
> > Same as other FedCM features. The network view in devtools would be especially helpful for debugging this feature.
> >
> > Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
> >
> > No, FedCM in general is not supported on webview. Supported on all other blink platforms.
> >
> > Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> >
> > Yes
> >
> > https://wpt.fyi/results/fedcm/fedcm-well-known-validation?label=experimental&label=master
> >
> > Flag name on about://flags
> >
> > fedcm-well-known-endpoint-validation
> >
> > Finch feature name
> >
> > FedCmWellKnownEndpointValidation
> >
> > Requires code in //chrome?
> >
> > False
> >
> > Estimated milestones
> >
> > Shipping on desktop: 145
> >
> > Shipping on Android: 145
> >
> > Link to entry on the Chrome Platform Status
> >
> > https://chromestatus.com/feature/4614417052467200
> >
> > This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
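The rule in the quoted intent can be checked offline by an IdP before Chrome 145, as in this added example (not part of the thread and not Chrome's implementation). It assumes client_metadata_endpoint is read from the IdP config file and the two required keys from .well-known/web-identity; the function names, the idp.example files, and the treatment of milestones other than 143 and 145 are assumptions.

```javascript
// Added example, not Chrome's implementation.
// Assumption: client_metadata_endpoint is read from the IdP config file;
// accounts_endpoint and login_url are read from .well-known/web-identity.
const REQUIRED_WELL_KNOWN_KEYS = ["accounts_endpoint", "login_url"];
const WARNING_MILESTONE = 143;     // console warnings (from the intent)
const ENFORCEMENT_MILESTONE = 145; // configuration blocked (from the intent)

const isNonEmptyString = (v) => typeof v === "string" && v.trim() !== "";

function parseJsonObject(text, label) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (err) {
    throw new Error(`${label}: not valid JSON (${err.message})`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${label}: top level must be a JSON object`);
  }
  return value;
}

// Returns { outcome, missing }. Assumption: milestones below 143 report
// "unenforced" and 144 behaves like 143; the intent names only 143 and 145.
function checkFedCmWellKnown(wellKnownText, configText, chromeMilestone) {
  const wellKnown = parseJsonObject(wellKnownText, ".well-known/web-identity");
  const config = parseJsonObject(configText, "IdP config");
  if (!isNonEmptyString(config.client_metadata_endpoint)) {
    return { outcome: "not-applicable", missing: [] };
  }
  const missing = REQUIRED_WELL_KNOWN_KEYS.filter((k) => !isNonEmptyString(wellKnown[k]));
  if (missing.length === 0) return { outcome: "ok", missing };
  if (chromeMilestone >= ENFORCEMENT_MILESTONE) return { outcome: "blocked", missing };
  if (chromeMilestone >= WARNING_MILESTONE) return { outcome: "warning", missing };
  return { outcome: "unenforced", missing };
}

// Constructed sample files for a hypothetical IdP at idp.example.
const CONFIG = JSON.stringify({
  accounts_endpoint: "/accounts", client_metadata_endpoint: "/client_metadata",
  id_assertion_endpoint: "/assertion", login_url: "/login" });
const LEGACY_WELL_KNOWN = JSON.stringify({
  provider_urls: ["https://idp.example/fedcm.json"] });
const DIRECT_WELL_KNOWN = JSON.stringify({
  provider_urls: ["https://idp.example/fedcm.json"],
  accounts_endpoint: "https://idp.example/accounts",
  login_url: "https://idp.example/login" });

for (const m of [142, 143, 145]) console.log(m, checkFedCmWellKnown(LEGACY_WELL_KNOWN, CONFIG, m));
```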
