FedCM - Federated Credential Management API

[marcoscaceres]

WebKittens

@othermaciej, @pascoej, @rmondello, @g-davidson, @annevk, @marcoscaceres, @johnwilander.

Title of the spec

Federated Credential Management API

URL to the spec

https://fedidcg.github.io/FedCM/

URL to the spec's repository

https://github.com/fedidcg/FedCM/

Issue Tracker URL

https://github.com/fedidcg/FedCM/issues/

Explainer URL

https://github.com/fedidcg/FedCM/blob/main/explainer.md

TAG Design Review URL

https://github.com/w3ctag/design-reviews/issues/718

Mozilla standards-positions issue URL

No response

WebKit Bugzilla URL

No response

Radar URL

No response

Description

Allows users to login to websites with their federated accounts in a privacy preserving manner.

[yi-gu]

Thanks for merging the requests! When we ship new FedCM extensions in Blink in the future, should we link to this thread instead of opening new ones?

Some extra context: here's the support we received from webkit-dev before shipping FedCM API in Blink. In addition, Mozilla is "broadly supportive" of the FedCM API. They started prototyping in Firefox and have been collaborating with the Chrome team on a handful of spec PRs. Edge recently showed their support of the FedCM API as well.

[marcoscaceres]

Seems we already gave a position to FedCM on the blink-dev mailing list: https://lists.webkit.org/pipermail/webkit-dev/2022-March/032162.html

We are generally supportive and interested in working together to make this coexist well with passkeys.

[RByers]

Yeah that's what we've referred to as "WebKit support" in our Chromium tracking. I was just wondering if maybe it would be a good idea to get this onto the standards position list too, to improve visibility?

[samuelgoto]

Mozilla standards-positions issue URL

FWIW, here is a link to Mozilla's Standards position:

https://github.com/mozilla/standards-positions/issues/618#issuecomment-1221964677

It is almost 2 years old (FedCM has evolved a lot since then) so we should probably ask them to refresh their position, but figured it would be helpful at least to have something there.

[marcoscaceres]

Sorry, it's difficult for us to review this because the spec has gotten rather chunky (not a bad thing... but it means that it continues to be challenging to find time to dive into all the details). Continuing to try to get to it.

[samuelgoto]

No worries! We would be happy to jump on a call to walk you through it if that helps, as well as give you a sense of directionality (e.g. with passkeys, DBSC, the Login Status API and the digital credentials API)

[marcoscaceres]

@samuelgoto, that would help a lot. At the same time, I really would need folks like @rmondello and @pascoej and a few folks that know Web Authn well in the WebKit community to provide an opinion (this is a bit outside my purview... otherwise all you would get is "Marcos' hilariously uninformed option 👍").

[samuelgoto]

I'd also recommend coordinating with @johnwilander.

[Bug-Reaper]

Hey all, anybody here have a take on whether or not 3rd party cookies will be extinguished by Q1 2025?

I don't really want to do the dev for "login with ..." if all these implementations get killed by end-of-year. I also don't really want to implement FedCM and only support chrome.

I can't wrap my head around how many websites are gonna have their login/sign-up bricked by 3rd party cookie deprecation and it seems like the runway to make a clean switch to FedCM is gonna be mere months. Am I missing something here?