Open npm1 opened 4 months ago
Thanks! I was just wondering how the IdP should respond when this is not present. HTTP 400 with an error maybe (although I've not checked the note).
It doesn't really matter (we treat all errors the same), but I agree that it would be good if we added a note with a suggestion for how to handle that.
Maybe this is best documented as part (or maybe, in addition to?) of one of the profiles? WDYT @aaronpk @timcappalli, any guidance on where these "IdP implementation" guidance should live? The FedCM spec? The profile? Both?
Note that, as far as FedCM's spec per se, the browser can't actually check if the IdP is implementing these things properly, so we can, at best, have non-normative text, I think.
This is a core FedCM security feature, so I would expect to see this in the FedCM spec. The spec is not only for browser implementers, so it's fine to have normative requirements for the other roles as well.
100% with @aaronpk ^
It looks like there is a note, but it is in the ID assertion section. We can move it up higher, as this applies to other sensitive endpoints, like the accounts endpoint, as well. Based on feedback from @philsmart.
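Worked example (added here; it is not code from the thread, the FedCM spec, or any IdP implementation): an IdP-side guard that rejects requests to FedCM endpoints when the browser-supplied marker is absent, answering with HTTP 400 as suggested above. It assumes that "this" in the discussion is the `Sec-Fetch-Dest: webidentity` request header that browsers attach to FedCM fetches; the endpoint paths, the error body and the account data are constructed for illustration.

```python
"""Added example: gate FedCM IdP endpoints on the Sec-Fetch-Dest header.

Assumptions (not from the thread or the spec text quoted in it):
  - the check under discussion is for the `Sec-Fetch-Dest: webidentity` header;
  - endpoint paths below are illustrative, an IdP publishes its own in its config;
  - the error body and the sample account list are constructed.
"""
from http import HTTPStatus

# Endpoints that should only ever be reached by a browser's FedCM fetch.
# The accounts endpoint is included on purpose: it answers from the user's
# IdP cookies, so it is as sensitive as the ID assertion endpoint.
FEDCM_ENDPOINTS = {
    "/fedcm/accounts",
    "/fedcm/id_assertion",
    "/fedcm/client_metadata",
    "/fedcm/disconnect",
}

# Value a conforming browser sends on FedCM requests. Page JavaScript cannot
# set any `Sec-` prefixed header, so its presence means "sent by the browser
# as part of the FedCM flow", not "sent by a script on some site".
EXPECTED_DEST = "webidentity"


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def check_fedcm_request(path, headers):
    """Return None if the request may proceed, else (status, body) to send.

    Missing and wrong values are treated the same: both mean this is not a
    FedCM fetch, so the IdP should not act on the cookies it carries.
    """
    if path not in FEDCM_ENDPOINTS:
        return None  # not a FedCM endpoint; nothing to enforce here
    if _header(headers, "Sec-Fetch-Dest") != EXPECTED_DEST:
        return (HTTPStatus.BAD_REQUEST, {"error": "fedcm_request_required"})
    return None


def handle_accounts(headers):
    """Accounts endpoint handler: guard first, then answer from session state."""
    rejected = check_fedcm_request("/fedcm/accounts", headers)
    if rejected is not None:
        return rejected
    # Constructed sample payload; a real IdP derives this from the session cookie.
    return (HTTPStatus.OK, {"accounts": [{"id": "1234", "name": "Example User"}]})


if __name__ == "__main__":
    # A request made by page script (no Sec-Fetch-Dest) is refused ...
    print(handle_accounts({"Cookie": "session=abc"}))
    # ... while a browser-issued FedCM fetch gets the account list.
    print(handle_accounts({"Cookie": "session=abc", "Sec-Fetch-Dest": "webidentity"}))
```

The guard runs before any cookie-based lookup, so a rejected request never reaches the code that reads session state; putting it in one shared function is also what lets the same rule cover the accounts endpoint and the ID assertion endpoint rather than only the latter.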