Contact emails

eko...@google.com, johann...@chromium.org, g...@chromium.org

Explainer

https://github.com/fedidcg/LightweightFedCM

Specification

None

Summary

This feature allows Identity Providers (IdPs) to store information about a
user's account in the browser ahead of time via the Login Status API, and
allows Relying Parties (RPs) to request access to this information via a
browser-mediated prompt similar to the current FedCM flow. Storing the
account information ahead of time eliminates the browser's need to
make calls to the accounts endpoint to display the browser-mediated dialog,
improving both performance and privacy. Lightweight Mode for FedCM also
requires less complex integration for Identity Providers. Currently these
benefits come at the cost of reduced freshness for account hint information
presented to the user, but future work may address this limitation if there
is sufficient developer interest.


Blink component

Blink>Identity>FedCM
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>

Motivation

Lightweight Mode for FedCM provides an alternative mode for FedCM that
addresses two concerns with the FedCM specification. One concern relates to
the ergonomics of implementing the full FedCM specification as an Identity
Provider. Lightweight Mode for FedCM, when coupled with the “FedCM as a
trust signal for the Storage Access API” proposal, will provide a simple
way to retrofit existing third-party-cookie dependent Identity Provider
implementations to make use of the improved FedCM user experience and give
users more context to make informed decisions.

Another concern relates to the “pull” rather than “push” nature of FedCM to
allow the user agent to display an account chooser to the user. While FedCM
normally issues a credentialed request to an “accounts” endpoint to provide
the user with information about available accounts, Lightweight Mode for
FedCM addresses this by allowing the Identity Provider to preemptively
store user information that can then be displayed by the user agent when
presenting the account chooser, instead of issuing a request to the IdP before
the user has selected an account. This prevents the IdP and RP from
colluding to link/identify users without their knowledge via timing attacks.


Initial public proposal

None

TAG review

https://github.com/w3ctag/design-reviews/issues/986

TAG review status

Pending

Risks

Interoperability and Compatibility

The introduction of this feature will not change the behavior of any
existing use of the Credential Management or Login Status APIs.

There are still open questions about both UX and functionality described in
the explainer that may cause temporary divergence between browser engines.


Gecko: No signal. (Implemented behind a flag.)

WebKit: No signal.

We will request standards positions once the proposal has settled a bit
more.

Web developers: No signals.

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

None


Debuggability

None


Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

No. Mozilla has contributed partial, tentative tests
<http://fedcm/lfedcm-identity.create-store-collect.tentative.sub.https.html>,
though these do not yet reflect the current state of the explainer.

Flag name on chrome://flags

“fedcm-lightweight-credentials”

Finch feature name

“FedCmLightweightCredentials”

Non-finch justification

None

Requires code in //chrome?

True

Estimated milestones

No milestones specified


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5136302690009088?gate=5098619653586944

This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
