Add fedcm docs #23675
Add fedcm docs #23675
Conversation
chrisdavidmills
requested review from
sideshowbarker and
bsmth
and removed request for
a team
github-actions
bot
added
Content:Glossary
chrisdavidmills
requested review from
teoli2003
and removed request for
a team
|
|
||
| The well-known file must be served from the [eTLD+1](https://web.dev/same-site-same-origin/#site) of the IdP at `/.well-known/web-identity`. | ||
|
|
||
| For example, if the IdP endpoints are served under `https://accounts.idp.example/`, they must serve a well-known file at `https://idp.example/.well-known/web-identity`. The well-known file's content should look have the following JSON structure: |
There was a problem hiding this comment.
Is "should look have" a valid English expression I'm not familiar with?
There was a problem hiding this comment.
Heh ... no, it's a typo ;-)
I've updated it to "should have" in my next commit.
|
|
||
| The browser requests the IdP config file and carries out the sign-in flow detailed below. For more information on the kind of interaction a user might expect from the browser-supplied UI, see [Sign in to the relying party with the identity provider](https://developer.chrome.com/docs/privacy-sandbox/fedcm/#sign-into-rp). | ||
|
|
||
| ### FedCM sign-in flow |
There was a problem hiding this comment.
I like how this section is separated from endpoint description and describes expected HTTP headers from RP point of view!
There was a problem hiding this comment.
I like it too. I've basically copied the sign-in flow structure from one of your articles but added more details on what happens at each stage.
|
|
||
| ### Exceptions | ||
|
|
||
| - `NetworkError` {{domxref("DOMException")}} | ||
| - : In the case of a `get()` call with an `identity` option, this exception is thrown if the IdP does not respond within 60 seconds, or if the provided credentials are not valid/found. |
There was a problem hiding this comment.
I'm curious, publicKey type accepts timeout value. What happens if more than 60 seconds is specified to the timeout?
There was a problem hiding this comment.
Good question. I've had a look through all the related specs, and can't find an answer. I'm guessing nothing, as the WebAuthn spec doesn't specify any kind of network/timeout error, and the timeout value is a hint indicating the time the caller is willing to wait, rather than a set value after which something will happen. Also, the two types don't seem to have any interplay at all.
There was a problem hiding this comment.
OK, I noticed the concept of timeout is not part of Credential Management API and it's rather of PublicKeyCredential or IdentityCredential. So there's no contradiction. There might be a need to clarify what would happen when they are used together, but it's too early to worry about that. Please ignore this comment.
|
Thanks for the review @agektmr ! I've made updates according to your comments and provided responses above. Let me know if there is anything else you think these docs need. |
Co-authored-by: Jean-Yves Perrier <[email protected]>
Co-authored-by: Jean-Yves Perrier <[email protected]>
|
Thanks @teoli2003 ; committed. |
|
|
||
| ### Exceptions | ||
|
|
||
| - `NetworkError` {{domxref("DOMException")}} | ||
| - : In the case of a `get()` call with an `identity` option, this exception is thrown if the IdP does not respond within 60 seconds, or if the provided credentials are not valid/found. |
There was a problem hiding this comment.
OK, I noticed the concept of timeout is not part of Credential Management API and it's rather of PublicKeyCredential or IdentityCredential. So there's no contradiction. There might be a need to clarify what would happen when they are used together, but it's too early to worry about that. Please ignore this comment.
|
It looks like this one is ready to go. All reviewed, and updates made. @teoli2003 you've already looked at this one. Can you approve and merge? |
| - Security | ||
| --- | ||
|
|
||
| In web security, a _replay attack_ is when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction. |
There was a problem hiding this comment.
nit
| In web security, a _replay attack_ is when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction. | |
| In web security, a _replay attack_ happens when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction. |
There was a problem hiding this comment.
Updated in my next commit.
| } | ||
| ``` | ||
|
|
||
| Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow). |
There was a problem hiding this comment.
The 2nd link is wrong here:
There was a problem hiding this comment.
The first one was also wrong ;-) Should have pointed to the top of the FedCM page. I've fixed them both now.
| @@ -11,6 +11,8 @@ browser-compat: api.FederatedCredential | |||
|
|
|||
| The **`FederatedCredential`** interface of the [Credential Management API](/en-US/docs/Web/API/Credential_Management_API) provides information about credentials from a federated identity provider. A federated identity provider is an entity that a website trusts to correctly authenticate a user, and that provides an API for that purpose. [OpenID Connect](https://openid.net/developers/specs/) is an example of a federated identity provider framework. | |||
|
|
|||
| > **Note:** The newer [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) provides a more complete solution for handling identity federation in the browser, and uses the {{domxref("IdentityCredential")}} type. | |||
There was a problem hiding this comment.
Does it means FederatedCredential is deprecated: if not, maybe remove newer.
| > **Note:** The newer [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) provides a more complete solution for handling identity federation in the browser, and uses the {{domxref("IdentityCredential")}} type. | |
| > **Note:** The [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) provides a more complete solution for handling identity federation in the browser, and uses the {{domxref("IdentityCredential")}} type. |
There was a problem hiding this comment.
Sure; removed. I seem to remember that it is marked for deprecation, but not officially at this time.
|
|
||
| A successful {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} call that includes an `identity` option fulfills with an `IdentityCredential` instance. | ||
|
|
||
| Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow). |
There was a problem hiding this comment.
D'oh, schoolboy error! Again, I've fixed them both.
|
|
||
| A successful {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} call that includes an `identity` option fulfills with an `IdentityCredential` instance, which can be used to access the token used to validate the sign-in. | ||
|
|
||
| Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow). |
There was a problem hiding this comment.
And fixed again ;-)
|
@teoli2003 thanks for the review. Fixes made as requested. |
Description
This PR adds content for the FedCM API.
See my research document for more information on the exact changes required for this addition.
Motivation
Additional details
Related issues and pull requests