w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Make it clearer that IdP needs to check Sec-Fetch-Dest #619

Open npm1 opened 4 months ago

npm1 commented 4 months ago

It looks like there is a note, but it is in the ID assertion section. We can move it up higher, as this applies to other sensitive endpoints, like the accounts endpoint, as well. Based on feedback from @philsmart.

philsmart commented 4 months ago

Thanks! I was just wondering how the IdP should respond when this is not present. HTTP 400 with an error maybe (although I've not checked the note).

cbiesinger commented 4 months ago

It doesn't really matter (we treat all errors the same), but I agree that it would be good if we added a note with a suggestion for how to handle that.

samuelgoto commented 3 months ago

Maybe this is best documented as part of (or maybe, in addition to?) one of the profiles? WDYT @aaronpk @timcappalli, any guidance on where this "IdP implementation" guidance should live? The FedCM spec? The profile? Both?

Note that, as far as FedCM's spec per se, the browser can't actually check if the IdP is implementing these things properly, so we can, at best, have non-normative text, I think.

aaronpk commented 3 months ago

This is a core FedCM security feature, so I would expect to see this in the FedCM spec. The spec is not only for browser implementers, so it's fine to have normative requirements for the other roles as well.

bc-pi commented 3 months ago

100% with @aaronpk ^
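
The IdP-side check discussed in this thread, sketched as an added example that is not part of the issue or the FedCM spec. The endpoint paths, error strings and the choice of HTTP 400 are assumptions for illustration; the guard rejects requests to the accounts and ID assertion endpoints unless `Sec-Fetch-Dest` is exactly `webidentity`.

```javascript
// Added example. Endpoint paths are hypothetical; use the ones your IdP
// advertises in its FedCM config file.
const FEDCM_ENDPOINTS = new Set(["/fedcm/accounts", "/fedcm/assertion"]);

// Browsers tag FedCM requests with "Sec-Fetch-Dest: webidentity". Page script
// cannot set this header, so a fetch() from a page arrives as "empty" instead.
// Returns null to let the request through, or a rejection to send back.
function checkFedcmRequest(path, headers) {
  if (!FEDCM_ENDPOINTS.has(path)) return null; // not a FedCM endpoint
  const dest = headers["sec-fetch-dest"]; // Node lower-cases header names
  if (dest === undefined) return { status: 400, error: "sec_fetch_dest_missing" };
  if (dest !== "webidentity") return { status: 400, error: "sec_fetch_dest_unexpected" };
  return null;
}

// Node-style (req, res, next) guard. Run it before cookies are consulted so a
// rejected request never reaches account or assertion logic.
function fedcmGuard(req, res, next) {
  const path = req.url.split("?")[0];
  const rejection = checkFedcmRequest(path, req.headers);
  if (rejection === null) return next();
  // Status and body are one possible choice (hypothetical error strings).
  res.writeHead(rejection.status, { "Content-Type": "application/json" });
  res.end(JSON.stringify({ error: rejection.error }));
}

// Constructed sample requests, not captured traffic.
const SAMPLE_REQUESTS = [
  { url: "/fedcm/accounts", headers: { "sec-fetch-dest": "webidentity" } },
  { url: "/fedcm/accounts", headers: { "sec-fetch-dest": "empty" } },
  { url: "/fedcm/assertion?x=1", headers: {} },
  { url: "/login", headers: { "sec-fetch-dest": "document" } },
];

// Runs each sample through the guard and returns the resulting status codes.
function runSamples() {
  return SAMPLE_REQUESTS.map((req) => {
    let status = 200; // stays 200 when the guard calls next()
    const res = { writeHead: (s) => { status = s; }, end: () => {} };
    fedcmGuard(req, res, () => {});
    return status;
  });
}

console.log(runSamples());
```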