w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Need help understanding how the IdP knows what accounts a User Agent is logged in to #481

Closed bretticus-mc closed 7 months ago

bretticus-mc commented 1 year ago

Hello,

After the RP makes the credentials.get() call, the browser will make a GET /accounts call to the IdP to return a list of accounts the user is already logged in to. How does the IdP know what accounts that specific browser is logged in to? Are there cookies involved with the GET /accounts call to differentiate this browser from a separate user's browser call? How does this work from an embedded context? Would an embedded third-party iframe calling credentials.get() still be able to know the accounts the User Agent is logged in to after 3rd party cookies are deprecated? Or would the embedded iframe need to log in to the IdP again?

cbiesinger commented 1 year ago

Yes, these requests are made with cookies.

The caller of get() does not get to know the list of accounts. They get to know the issued ID token and only if the user consents (and an IDP iframe can also call getUserInfo if the user has previously consented). But yes, that will work even after third-party cookie deprecation.

npm1 commented 1 year ago

To add to Christian, it is not the case that an embedded iframe would know the accounts the user is logged in to. Invoking FedCM means the accounts endpoint is hit but the user would have to go through the FedCM flow in order for the caller to receive an id token, which can include the user account information. Let us know if we can close or if there are other questions!
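The two replies above describe the accounts fetch as a browser-to-IdP request carrying the IdP's own cookies, with the RP never seeing the result. The following is an added illustration of an IdP accounts endpoint handler written for this thread; it is not code from the FedCM spec or any browser. The session store, the `idp_session` cookie name and the `handleAccountsRequest` shape are assumptions of this example; the `Sec-Fetch-Dest: webidentity` header check is the one browsers attach to FedCM fetches.

```javascript
// Added example, not from the FedCM spec or this thread: a minimal IdP
// accounts endpoint handler. The IdP learns which user is signed in on
// this browser from its own cookie, which the browser (not the RP) sends.

// Constructed sample session store: IdP session cookie -> accounts signed
// in on that browser (constructed values, not real users).
const SESSIONS = {
  "sess-abc123": [
    {
      id: "1234",
      name: "Alice Example",
      email: "alice@idp.example",
      approved_clients: ["rp-client-id"],
    },
  ],
};

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Takes a request-shaped object { headers: {...} } (lower-cased header
// names) and returns { status, body } for the accounts endpoint.
function handleAccountsRequest(req) {
  const headers = req.headers || {};
  // Browser-initiated FedCM fetches carry Sec-Fetch-Dest: webidentity; a
  // script fetch from an RP page does not, so it is rejected outright.
  if (headers["sec-fetch-dest"] !== "webidentity") {
    return { status: 400, body: { error: "not a FedCM request" } };
  }
  const cookies = parseCookies(headers["cookie"]);
  const accounts = SESSIONS[cookies["idp_session"]];
  if (!accounts) {
    // No recognised IdP session: this browser is not signed in to the IdP.
    // (Status code is this example's choice, not a spec requirement.)
    return { status: 401, body: { accounts: [] } };
  }
  // Only the browser receives this list; the RP gets at most the ID token
  // minted after the user picks an account and consents.
  return { status: 200, body: { accounts } };
}
```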

samuelgoto commented 7 months ago

Closing this as resolved, unless there are any more questions that we need to clarify. Feel free to re-open if you feel like there is still something hanging.