w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Bug - FedCM shows only 1st account after login #597

Closed yaron-zehavi closed 5 months ago

yaron-zehavi commented 5 months ago

Chrome Version 125.0.6422.77 (Official Build) (64-bit)

After IDP accounts endpoint returns HTTP 401, user is prompted to login. After completion of login accounts endpoint returns 2 accounts, but FedCM displays only the first account. When refreshing the page FedCM displays both accounts. When IDP changes the order of accounts returned FedCM displays still a single account, the first instance in accounts endpoint response.

Attachments:

- Fedcm after login showing only one account - changed order accounts response.txt
- Fedcm after refresh showing both accounts
- Fedcm after login showing only one account
- Fedcm before login

yi-gu commented 5 months ago

IIUC it happened when you "Signed in to the IdP with two accounts simultaneously", right?

Typically, when a user is going through the process to sign in to an IdP, e.g. using username and password, their active account number goes from N to N+1. Chrome optimizes the flow by only showing the delta which is the newly signed-in account, because apparently that's the account which the user is more likely to use.

In the reported case, two accounts were added (N -> N+2) so the browser picked up the first account on the list. We believe that the N+2 case should not happen in practice other than testing. That said, if it's not true, we'd like to hear about the use cases and adjust the implementation accordingly.

The reason why refreshing the page would show two accounts was that there was no "Sign in to IdP optimization" and the user had already signed in to the IdP with two active accounts.
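To make the heuristic described in the comment above concrete, here is a small model of it, added as an illustration and not taken from Chromium or from the FedCM specification. It assumes the browser keeps the account list it held before the sign-in (empty when the accounts endpoint answered 401), compares it with the list returned after the sign-in, and shows only the delta when exactly one account was added; when more than one account appears at once it falls back to the first account in the endpoint's response order. The `parseAccountsResponse`, `accountsToShow` and `demo` function names and the sample accounts are constructed for this example; the `{"accounts": [...]}` shape follows the FedCM accounts endpoint response format.

```javascript
// Illustrative model (not Chromium's code) of the "sign in to IdP" optimization
// discussed in this issue. It only demonstrates the observed behaviour:
//   N -> N+1 : show just the newly signed-in account
//   N -> N+2 : show the first account in the endpoint's response order
//   refresh  : no optimization applies, show the full list

// Parse an accounts endpoint body ({"accounts": [{id, name, email, ...}]})
// and keep only entries that carry a usable string id.
function parseAccountsResponse(json) {
  const body = JSON.parse(json);
  if (!body || !Array.isArray(body.accounts)) {
    throw new Error('accounts endpoint response must contain an "accounts" array');
  }
  return body.accounts.filter((a) => typeof a.id === 'string' && a.id.length > 0);
}

// Decide which accounts the account chooser would display.
// before: accounts known before the sign-in (empty when the endpoint returned 401)
// after:  accounts returned once the sign-in completed, in endpoint order
function accountsToShow(before, after) {
  const known = new Set(before.map((a) => a.id));
  const added = after.filter((a) => !known.has(a.id));
  if (added.length === 1) {
    return added; // N -> N+1: only the delta is shown
  }
  if (added.length > 1) {
    return [added[0]]; // N -> N+2: first account of the response, as reported
  }
  return after; // nothing new (e.g. page refresh): full list
}

// Constructed sample response: the IdP signed the user in to two accounts at once.
const AFTER_LOGIN_RESPONSE = JSON.stringify({
  accounts: [
    { id: 'acct-1', name: 'Alice Example', email: 'alice@example.test' },
    { id: 'acct-2', name: 'Alice (work)', email: 'alice@work.example.test' },
  ],
});

// Replay the three situations from the thread and return the ids shown in each.
function demo() {
  const after = parseAccountsResponse(AFTER_LOGIN_RESPONSE);
  return {
    afterLogin: accountsToShow([], after).map((a) => a.id),      // 401 -> 2 accounts
    afterRefresh: accountsToShow(after, after).map((a) => a.id), // list unchanged
    singleNew: accountsToShow([after[0]], after).map((a) => a.id), // N -> N+1
  };
}

console.log(JSON.stringify(demo()));
```

Reordering the accounts in `AFTER_LOGIN_RESPONSE` changes which id `afterLogin` reports, which is the "first instance in accounts endpoint response" behaviour the reporter observed.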

anderspitman commented 5 months ago

@yi-gu LastLogin works exactly the way you describe; you can log in to multiple identities during a single LastLogin login.

yaron-zehavi commented 5 months ago

I understand the logic, thanks

yi-gu commented 5 months ago

> @yi-gu LastLogin works exactly the way you describe; you can log in to multiple identities during a single LastLogin login.

Thanks for letting us know. Will track the change in https://issues.chromium.org/u/1/issues/342194490

anderspitman commented 5 months ago

Thanks @yi-gu. I'm open to designing around this if necessary, since it is a pretty niche use case.