Open cbiesinger opened 1 year ago
Ping @othermaciej, @pascoej, @rmondello, @g-davidson, and @annevk.
Closing in favor of https://github.com/WebKit/standards-positions/issues/309 as we have never given a position of the actual FedCM spec.
It may be worth keeping this one open separately because it is my understanding that WebKit wants to support the Login Status API, aka the IdP sign-in status API, independently of FedCM?
I don't know about supporting it, but I've updated the title to be more specific about the Login Status API and now pointing to what's in the FedCM draft.
WebKittens: @johnwilander
Title of the spec: Login Status API
URL to the spec: https://fedidcg.github.io/FedCM/#browser-api-login-status
URL to the spec's repository: https://github.com/fedidcg/FedCM
Issue Tracker URL: No response
Explainer URL: https://github.com/fedidcg/FedCM/pull/436
TAG Design Review URL: https://github.com/w3ctag/design-reviews/issues/884
Mozilla standards-positions issue URL: No response
WebKit Bugzilla URL: No response
Radar URL: No response
Description
This is an extension to the FedCM API.
This API provides a way to prevent RPs from silently making cross-site credentialed requests to IdPs using the FedCM API while minimizing user annoyance for users who are not logged in to the requested IDP. We call this problem the timing attack problem. In this proposal under review, specifically, when the user agent was not notified that the user is signed in to the IDP, no network request is made and so no UI has to be shown. Otherwise, whenever a credentialed request is made, UI is shown. This discourages use of the API for tracking. (Note, for Chrome’s implementation we allow a once-per-IDP potentially-silent request for bootstrapping purposes)
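The gating behaviour described in the issue body, modelled as an added example (not WebKit, Chromium or FedCM spec code): a per-IdP login-status store fed by the IdP's `Set-Login` header or `navigator.login.setStatus()` call, and a decision function that blocks the credentialed request when the user agent was never told the user is signed in, always surfaces UI when it is, and optionally allows the once-per-IdP bootstrap request mentioned for Chrome. Function and option names are assumptions for illustration.

```javascript
// Illustrative model of the Login Status API gate; names are assumptions.
const LOGGED_IN = "logged-in";
const LOGGED_OUT = "logged-out";

class LoginStatusStore {
  constructor() { this.status = new Map(); } // idpOrigin -> status
  // Equivalent of an IdP top-level response carrying "Set-Login: <status>"
  // or navigator.login.setStatus(<status>) run on the IdP's own origin.
  set(idpOrigin, status) {
    if (status !== LOGGED_IN && status !== LOGGED_OUT) {
      throw new TypeError(`unknown login status: ${status}`);
    }
    this.status.set(idpOrigin, status);
  }
  get(idpOrigin) { return this.status.get(idpOrigin) ?? "unknown"; }
}

// Apply a Set-Login response header value for an IdP origin; ignores junk.
function applySetLoginHeader(store, idpOrigin, headerValue) {
  const v = String(headerValue).trim().toLowerCase();
  if (v === LOGGED_IN || v === LOGGED_OUT) { store.set(idpOrigin, v); return true; }
  return false;
}

// Decide how the user agent handles an RP's FedCM get() aimed at idpOrigin.
// allowBootstrap/bootstrapped model Chrome's once-per-IdP silent request.
function decideFedCMRequest(store, idpOrigin, opts = {}) {
  const { allowBootstrap = false, bootstrapped = new Set() } = opts;
  const status = store.get(idpOrigin);
  if (status === LOGGED_IN) {
    // Credentialed request is made, and UI is always shown for it.
    return { networkRequest: true, showUI: true, reason: "signed in: request with UI" };
  }
  if (allowBootstrap && !bootstrapped.has(idpOrigin)) {
    bootstrapped.add(idpOrigin);
    return { networkRequest: true, showUI: false, reason: "one-time bootstrap request" };
  }
  // Unknown or logged-out: no network request, so nothing to show and
  // nothing for a tracker to learn from timing.
  return { networkRequest: false, showUI: false, reason: "not signed in: no request" };
}
```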