philsmart
commented
1 week ago Thanks! I was just wondering how the IdP should respond when this is not present. HTTP 400 with an error maybe (although I've not checked the note).
Open npm1 opened 1 week ago
philsmart
commented
1 week ago Thanks! I was just wondering how the IdP should respond when this is not present. HTTP 400 with an error maybe (although I've not checked the note).
cbiesinger
commented
1 week ago it doesn't really matter (we treat all errors the same) but I agree that it would be good if we added a note with a suggestion for how to handle that
samuelgoto
commented
5 minutes ago Maybe this is best documented as part (or maybe, in addition to?) of one of the profiles? WDYT @aaronpk @timcappalli, any guidance on where these "IdP implementation" guidance should live? The FedCM spec? The profile? Both?
Note that, as far as FedCM's spec per se, the browser can't actually check if the IdP is implementing these things properly, so we can, at best, have non-normative text, I think.
It looks like there is a note but it is in ID assertion section. We can move it up higher, as this applies to other sensitive endpoints, like accounts endpoint as well. Based on feedback from @philsmart