w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Support classic websites (non-javascript applications) #241

Open will-bartlett opened 2 years ago

will-bartlett commented 2 years ago

It'd be nice to support classic websites as well as single page applications. That is, to define a challenge and response header pattern like user agent client hints where the server is able to return response headers that trigger the FedCM flow, and the results of that FedCM flow are sent to the server on the following HTTP request. Having two patterns of authentication (one for browser-based JavaScript applications and another for HTTP-based server applications) is generally to-be-avoided, if possible.

gffletch commented 2 years ago

There are many SAML deployments today that intentionally don't require JavaScript.

samuelgoto commented 2 years ago

Yep, that makes sense to me.

Invoking FedCM through HTTP Headers should be fairly trivial. Any suggestions on what to call / place it? Maybe a type to WWW-Authenticate?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

WWW-Authenticate: FedCM

WDYT?

timcappalli commented 2 years ago

I'm not sure WWW-Authenticate is appropriate as FedCM is not itself an authentication method. Might make sense to add a new header for FedCM.

HughIsaacs2 commented 1 year ago

I feel this should be an HTML Form attribute, because FedCM doesn't specify the auth method; it just makes federated auth methods easier to use.

So I think a form attribute that prompts the browser to suggest a few autofill options is best here.

Edit: I didn't think it'd fit at first, but the autocomplete attribute might be perfect for this. Could have autocomplete="webidentity" on a form element to prompt the browser to provide a dropdown list of some sort.

anderspitman commented 5 months ago

This would be really good to have. https://lastlogin.io/ currently doesn't use any JavaScript and I would love to keep it that way, at least for anything other than progressive enhancement.