fedidcg / FedCM

A privacy preserving identity exchange Web API
https://fedidcg.github.io/FedCM

Multi-IdP API: The RP needs a way to know which IdP the user selected #560

Open samuelgoto opened 2 months ago

samuelgoto commented 2 months ago

I'm posting this on behalf of an IdP that is currently experimenting with the Multi-IdP API and has given us this feedback:

In the Multi-IdP API proposal, the RP needs to know which IdP was selected from the list of providers, so that it can interpret the token that it gets in the IdentityCredential.

samuelgoto commented 2 months ago

One of the proposals that @npm1 is exploring is exposing the configURL that was used when the user made the choice in the resulting IdentityCredential.

obfuscoder commented 2 months ago

Or the configURL provided by the IdP during IdP registration (see #240) when client used "any" as IdP configURL?

samuelgoto commented 2 months ago

> Or the configURL provided by the IdP during IdP registration (see https://github.com/fedidcg/FedCM/issues/240) when client used "any" as IdP configURL?

Yep.

obfuscoder commented 2 months ago

I read somewhere else that this is already available in Canary for testing?

cbiesinger commented 2 months ago

Yes! @npm1 added a configURL property to the returned IdentityCredential in version 126.0.6436.0 (requires the multi IDP flag to be enabled)

samuelgoto commented 2 months ago

> Yes! @npm1 added a configURL property to the returned IdentityCredential in version 126.0.6436.0 (requires the multi IDP flag to be enabled)

This cl here.

As @cbiesinger said, you should be able to use the configURL in the returned IdentityCredential to figure out which IdP was used to produce the credential that resolved the promise.

I think @npm1 was intending it to be used somewhat like the following:

const credential = await navigator.credentials.get({
  identity: {
    providers: [{
      configURL: "https://idp1.example",
      // ... other stuff ...
    }, {
      configURL: "https://idp2.example",
      // ... other stuff ...
    }]
  }
});

// configURL is the one of the two requested providers that the user picked
const {token, configURL} = credential;

// decode the token differently depending on which configURL was used

I'm going to mark this as fixed, since there is a different issue tracking putting this into the spec, etc. here: #319

Let me know if you give this a try and it doesn't work for you @obfuscoder .
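To show the dispatch pattern from the snippet above in working code, here is an added example (not code from this thread, the FedCM spec or Chromium): the RP keeps the exact configURL strings it requested as an allowlist, builds the providers array from that same list, and routes the returned token through the handler registered for the returned configURL, rejecting any configURL it never asked for instead of guessing the issuer from the token body. The IdP URLs, the clientId, the two token formats and the handler names are assumptions; the sample credentials are constructed.

```javascript
// Added example, not code from the thread or the FedCM spec: the RP keeps an
// allowlist of the exact configURL strings it requested, and uses the
// configURL returned on the IdentityCredential to pick the matching decoder.
// Handler URLs, client id and token formats are assumptions for illustration.

// Hypothetical per-IdP handlers. idp1 is assumed to return a compact JWT,
// idp2 an opaque token that is only meaningful to the RP backend.
const TOKEN_HANDLERS = new Map([
  ["https://idp1.example/fedcm.json",
    (token) => ({ kind: "jwt", claims: decodeJwtPayload(token) })],
  ["https://idp2.example/config.json",
    (token) => ({ kind: "opaque", token })],
]);

// Parses, but does NOT verify, the payload of a compact JWT. Signature and
// audience checks belong on the RP backend; this only routes the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("token is not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Build the providers array for navigator.credentials.get from the allowlist,
// so the request and the dispatch table can never drift apart.
function providersFor(handlers) {
  return [...handlers.keys()].map((configURL) => ({
    configURL,
    clientId: "rp-client-id", // assumed client id
  }));
}

// Route the returned token by configURL. A configURL that was not requested
// is rejected rather than inferred from the token contents.
function interpretCredential(credential, handlers = TOKEN_HANDLERS) {
  if (typeof credential?.configURL !== "string") {
    throw new Error("credential has no configURL; multi-IdP flag may be off");
  }
  const handler = handlers.get(credential.configURL);
  if (!handler) {
    throw new Error(`credential from an unrequested IdP: ${credential.configURL}`);
  }
  return { configURL: credential.configURL, ...handler(credential.token) };
}

// Browser entry point: request all allowlisted IdPs and interpret the result.
async function signIn(handlers = TOKEN_HANDLERS) {
  const credential = await navigator.credentials.get({
    identity: { providers: providersFor(handlers) },
  });
  return interpretCredential(credential, handlers);
}

// Constructed sample credentials, shaped like what the browser would return,
// so the routing can be exercised outside a browser.
const SAMPLE_CREDENTIALS = [
  {
    configURL: "https://idp1.example/fedcm.json",
    token: "eyJhbGciOiJSUzI1NiJ9." +
      Buffer.from(JSON.stringify({ iss: "https://idp1.example", sub: "1234" }))
        .toString("base64url") + ".signature",
  },
  { configURL: "https://idp2.example/config.json", token: "opaque-token-abc" },
  { configURL: "https://not-requested.example/fedcm.json", token: "whatever" },
];

// Returns one entry per sample: the interpreted credential, or the error message.
function demo() {
  return SAMPLE_CREDENTIALS.map((c) => {
    try { return interpretCredential(c); }
    catch (e) { return { configURL: c.configURL, error: e.message }; }
  });
}
```

In a browser, signIn() issues the request and returns the routed result; demo() exercises only the routing, under Node, against the constructed credentials. The exact-match allowlist assumes the RP named its providers explicitly; with IdP registration (the "any" case discussed above, #240) the returned configURL is whatever the IdP registered, so the RP would need a different trust policy for that path.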

cbiesinger commented 2 months ago

We should probably keep this open until we have actually added this to the spec.

aaronpk commented 1 month ago

Just wanted to chime in and say this is working for me.