On Mon, Oct 20, 2025 at 2:19 PM 'Nicolás Peña Moreno' via blink-dev <[email protected]> wrote:
> Responding for Suresh since he's OOO this week. We have UKM metrics that tell us which IDPs would break today due to this change. We plan to document this change through our public devrel outreach and also reach out to IDPs that we detected through our metrics. While the number of sites that would break today due to this is relatively high, the number of IDPs is fairly small, so we are confident we can deploy once we know it would cause no breakage.

Except we've now had at least one web compat incident due to a major RP who doesn't depend on an IDP-served SDK, right?

> On Friday, October 17, 2025 at 1:04:59 PM UTC-4 [email protected] wrote:
>
>> On 10/17/25 10:41 a.m., suresh potti wrote:
>>
>> Contact emails
>>
>> [email protected]
>>
>> Specification
>>
>> https://github.com/w3c-fedid/FedCM/pull/760
>>
>> Summary
>>
>> To address cross-site identity correlation risks in the FedCM API, Identity Providers (IdPs) that utilize client_metadata within their FedCM configuration are required to implement the direct endpoints format in the .well-known/web-identity file. This mandate ensures that both accounts_endpoint and login_url are explicitly defined whenever a client_metadata_endpoint is present. This approach strengthens privacy protections by preventing relying parties from exploiting metadata to correlate user identities across multiple sites. For further details and discussion, refer to https://github.com/w3c-fedid/FedCM/issues/700.
>>
>> Migration Plan
>>
>> Chrome will enforce this rule in two phases:
>>
>> Chrome 143 (Warning Phase): If client_metadata_endpoint exists but accounts_endpoint or login_url is missing, the browser will display console warnings. This gives IdPs time to update configurations.
>>
>> Chrome 145 (Enforcement Phase): The requirement becomes mandatory. FedCM configurations missing these endpoints will be blocked, preventing authentication flows.
>>
>> Does this apply to both passive mode and active mode?

"Preventing authentication flows" for passive mode seems like a completely trivial severity of breakage <https://docs.google.com/document/d/1RC-pBBvsazYfCNNUSkPqAVpSpNJ96U8trhNkfV0v9fk/edit?tab=t.0#heading=h.u5ya6jvru7dl> since it just means an optional extra UI doesn't show up. But any breakage for active mode (where a user has just clicked on a "sign-in" button) seems very serious. So if the latter, I think we'd want to see UseCounter data proving that the usage has been migrated before approving a breaking change.

>> Blink component
>>
>> Blink>Identity>FedCM <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>
>>
>> Web Feature ID
>>
>> fedcm <https://webstatus.dev/features/fedcm>
>>
>> TAG review
>>
>> None
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> IdPs failing to update .well-known/web-identity for FedCM client metadata risk breaking authentication flows. Chrome 143 issues warnings, but starting Chrome 145, missing accounts_endpoint or login_url will block configurations entirely. Immediate migration is critical to maintain compatibility and avoid service disruptions for relying parties and end-users.
>>
>> Similar to the previous email, can you say something about expected impact/usage here? And how confident are we that IdPs are going to be paying attention to console warnings?
>>
>> Gecko: No signal (Firefox does not wish to support the client metadata endpoint of the FedCM API so this would not be a change applicable to them)
>>
>> WebKit: No signal
>>
>> Web developers: No signals
>>
>> Other signals:
>>
>> WebView application risks
>>
>> FedCM does not work in WebView.
>>
>> Ongoing technical constraints
>>
>> None
>>
>> Debuggability
>>
>> Same as other FedCM features. The network view in devtools would be especially helpful for debugging this feature.
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
>>
>> No, FedCM in general is not supported on webview. Supported on all other blink platforms.
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>
>> Yes
>> https://wpt.fyi/results/fedcm/fedcm-well-known-validation?label=experimental&label=master
>>
>> Flag name on about://flags
>>
>> fedcm-well-known-endpoint-validation
>>
>> Finch feature name
>>
>> FedCmWellKnownEndpointValidation
>>
>> Requires code in //chrome?
>>
>> False
>>
>> Estimated milestones
>>
>> Shipping on desktop
>>
>> 145
>>
>> Shipping on Android
>>
>> 145
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/4614417052467200
>>
>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY9-A%3DKmyXs4OfYhPyDDWmQP21mmPXAuN0xovq_kH1yfHg%40mail.gmail.com.
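
The configuration rule quoted in the intent above, written as a pre-deployment check an IdP operator could run on its own files. This is an added example, not part of the thread and not Chrome's code. The `idp.example` documents are constructed, `provider_urls` is the existing well-known field and does not appear in the thread, and the handling of milestones 142 and 144 is an assumption.

```javascript
// Added example: evaluates the rule from the intent against parsed JSON.
// Field names accounts_endpoint, login_url and client_metadata_endpoint come
// from the thread; everything under idp.example is constructed sample data.
const REQUIRED_WELL_KNOWN_FIELDS = ["accounts_endpoint", "login_url"];

function isNonEmptyString(v) {
  return typeof v === "string" && v.trim().length > 0;
}

// wellKnown: parsed .well-known/web-identity; idpConfig: parsed FedCM config.
// chromeMilestone: Chrome major version to evaluate against.
function checkWellKnown(wellKnown, idpConfig, chromeMilestone) {
  const wk = wellKnown && typeof wellKnown === "object" ? wellKnown : {};
  const cfg = idpConfig && typeof idpConfig === "object" ? idpConfig : {};
  // The rule only applies to IdPs that declare a client metadata endpoint.
  if (!isNonEmptyString(cfg.client_metadata_endpoint)) {
    return { outcome: "not-applicable", missing: [] };
  }
  // An empty or non-string value is treated as missing.
  const missing = REQUIRED_WELL_KNOWN_FIELDS.filter((f) => !isNonEmptyString(wk[f]));
  if (missing.length === 0) return { outcome: "ok", missing };
  if (chromeMilestone >= 145) return { outcome: "blocked", missing }; // enforcement phase
  // Assumption: 144 behaves like 143 (warning), earlier milestones say nothing.
  if (chromeMilestone >= 143) return { outcome: "warning", missing };
  return { outcome: "no-diagnostic", missing };
}

// Outcome per milestone, e.g. to print in a CI job before a config rollout.
function auditAcrossMilestones(wellKnown, idpConfig) {
  return [142, 143, 145].map((m) => `${m}:${checkWellKnown(wellKnown, idpConfig, m).outcome}`);
}

// Constructed sample: well-known file without the direct endpoints.
const legacyWellKnown = { provider_urls: ["https://idp.example/fedcm.json"] };
// Constructed sample: same file with the direct endpoints added.
const directWellKnown = {
  provider_urls: ["https://idp.example/fedcm.json"],
  accounts_endpoint: "https://idp.example/accounts",
  login_url: "https://idp.example/login",
};
// Constructed sample: IdP config that uses client metadata.
const idpConfig = {
  accounts_endpoint: "https://idp.example/accounts",
  client_metadata_endpoint: "https://idp.example/client_metadata",
  login_url: "https://idp.example/login",
};

console.log(auditAcrossMilestones(legacyWellKnown, idpConfig).join(" "));
console.log(auditAcrossMilestones(directWellKnown, idpConfig).join(" "));
```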
