Difference between revisions of "FedCM"

Revision as of 16:17, 5 October 2022

Contact emails - Sam Goto goto@chromium.org

Explainer https://github.com/fedidcg/FedCM/blob/main/explainer.md

Specification https://fedidcg.github.io/FedCM

Summary The Federated Credential Management API (originally WebID) allows users to use their federated identity to login to websites in a manner compatible with improvements to browser privacy. This intent covers a Web Platform API to prompt the user to choose accounts from one Identity Provider to sign-up or sign-in to a website. We expect to send future intents to make enhancements over these capabilities (e.g. multiple IdPs) and keep raising the privacy properties of the API (e.g. the timing attack problem).

TAG review Early Tag Review https://github.com/w3ctag/design-reviews/issues/622

Spec Tag Review https://github.com/w3ctag/design-reviews/issues/718

TAG review status Positive

Risks

• Interoperability and Compatibility
  • Zero compatibility risk (new API)
  • Gecko: Positive
  • WebKit: Positive
• On interoperability and forward compatibility: FedCM is large and complex and, as browser vendors start to implement it (example), we are seeing positive and constructive engagement. For example, we are actively working with Mozilla to find an interoperable way to address the timing attack problem, support multiple IdPs and protect endpoints. Because of that, there is a risk of incompatible changes going forward (list of currently known potential risks here), mostly affecting IdPs (see section below on activation). We think it is unavoidable that parts of our current design are suboptimal and are going to need to be revisited, but the biggest risk we are trying to avoid is to fail to bring IdPs along with us, increase their production footprint that we can learn from, and increase our confidence on technical feasibility and product-market fit.

Based on our origin trials, we expect a small number of IdPs (say, less than ~30) to be incentivized to use the API in production until chrome phases-out third party cookies in 2024. These IdPs that we are partnering with need time, confidence, and stability to increase their deployment. For example, in origin trials, we ran into CSP issues and cross-origin iframe issues that we could have never anticipated without IdPs experimentation, even if we had interoperable implementations in all major browsers. We think that the risk we take by not having a baseline that IdPs can work from if the API isn’t shipped outweighs the forward compatibility risks: not shipping would mean that we won’t learn about these bugs until it is too close to the deprecation of third party cookie (e.g. IdPs will continue to evolve their products using iframes and third party cookies without an alternative to build on). We also think that we can address some concerns on forward compatibility by setting the right expectations during developer documentation / outreach to IdPs as we make it battle-tested before we deprecate third party cookies in 2024.

Web developers: We’ve been working with Identity Providers and Relying Parties over the last ~3 years, going over a good amount of design alternatives and prototypes (TPAC 2020, 2021 and 2022, BlinkOn 14, 15, 16, OIDF 2020, IIW 2020), trying to strike the right balance between privacy/security properties and deployment structures (e.g. backwards compatibility). The current formulation is the result of identity providers, relying parties, browser vendors and industry experts that have co-designed with us through our devtrials and gathered production experience with their users through our origin trials (around ~33 small and big registered IdPs). For example, in the last two quarters, the Google Sign-in team has run experiments with ~20 Relying Parties leading to more than ~300K real users logging-in in production, achieving comparable sign-in/up conversion rates without depending on third party cookies. While this is a small sample size of the ecosystem and the deployment (notably missing representation of enterprises and EDU), we are encouraged by the approach and confident this is a solid and necessary first step.

Other signals: This API is being developed within the FedID CG composed of identity providers, relying parties, browser vendors and industry experts. The CG has produced an enumeration of known issues in the absence of third party cookies, a list of mitigation alternatives and is actively working on how to decide which Web Platform API to use for each circumstance. We don’t expect (or are designing for) FedCM to be used exclusively to solve all of the known issues, but rather in coordination with other browser proposals (e.g. CHIPS). We acknowledge that there is a series of anticipated breakages that are not handled (effectively) by any proposal (FedCM included) at the moment, and we are excited to continue working with the FedID CG, the Privacy CG and the Privacy Sandbox to extend FedCM in whichever way is constructive and/or work on new proposals.

Activation

Our design assumes that it is exponentially harder, in this order, to make changes to (a) user behavior than, (b) websites, (c) identity providers and then, lastly, (d) browsers.

So, the design pulls as much as possible the burden of change to browsers vendors and identity providers, and goes to a great extent to require little to no changes to websites and user's norms, while at the same time, raising the privacy properties of the system.

While that’s not always possible, we believe we found an activation structure that could work at scale for a substantial part of the deployment (especially for consumers) through JS SDKs that are provided by Identity Providers and get dynamically embedded into relying parties.

For example, through their JS SDKs, the Google Sign-in team was able to replace their dependence on third party cookies with FedCM without requiring changes to relying parties.

We acknowledge that this activation model is insufficient for a lot of the deployment (especially for enterprises), so finding alternative activation structures is an active area of investigation.

WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

This API does not deprecate or change behavior of existing APIs.

Debuggability Basic devtools integration supported. We plan to extend this support as the product matures and we learn from developers what challenges they run into.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? No

The current implementation is available on all platforms (Windows, Mac, Linux, ChromeOS and Android) except WebView.

Is this feature fully tested by web-platform-tests? Yes, fedcm-* tests in this directory.

Known issue: some of our WPT tests are failing on wpt.fyi. While the tests exist and pass in Chromium’s infrastructure, they rely on a Chrome-specific flag that would not work in other browsers. Making them work on upstream WPT requires PAC support; however, WPT’s PAC support does not currently support HTTPS tests, which FedCM requires because it is only exposed to secure contexts. We are working on adding that support, which is in progress here.

Origin Trial Instructions https://developer.chrome.com/blog/fedcm-origin-trial/

Flag name fedcm

Requires code in //chrome? True

Tracking bug https://bugs.chromium.org/p/chromium/issues/detail?id=1353814

Launch bug https://bugs.chromium.org/p/chromium/issues/detail?id=1321238

Measurement kFederatedCredentialManagement

Estimated milestones OriginTrial desktop last

107

OriginTrial desktop first

103

OriginTrial Android last

107

OriginTrial Android first

101

DevTrial on Android

98

Anticipated spec changes

We’re also currently resolving some questions related to Fetch integration.

Link to entry on the Chrome Platform Status https://chromestatus.com/feature/6438627087220736

Commentary

I really like the `document.currentScript.src` suggestion, and I think that’s a great way to help us control future breakages!

As you suggested, there is a lot that we can do by working with the Developer Relations (devrel) and Business Development (BD) teams to set up the right expectations as this goes out. Here are a few examples that we think could work:

Set up a communication channel (e.g. a mailing list similar to the one we have for Core Web Vitals here and here) that IdPs can subscribe to coordinate with us (in addition to direct 1:1 partnerships)

Be transparent about the moving parts (e.g. the timing attack problem, the multi-IdPs API, etc), and a rough timeline to resolve them (e.g. we could use the Privacy Sandbox Timeline and have meaningful stability checkpoints at General Availability in 2023 and Phase-out in 2024).

Make a recommendation to IdPs to control their SDKs (e.g. either through document.currentScript.src or SLAs), at least until some moving parts settle, so that we can iterate quickly as an industry. It is ultimately a business decision that IdPs make, so we can only go as far as making a recommendation.

Just a few more data points:

We expect it is going to take us more than a quarter but less than a year to resolve the known moving parts with confidence. Also, importantly, they may or may not require backwards incompatible API changes.

To give you a sense of numbers, in origin trials, ~33 IdPs registered over the last ~7 months. There are few IdPs (that have the incentives to use the API at the moment, while 3P cookies are still around) and they are large and sophisticated developers

In our experience so far, very few websites choose to self-host (in origin trials, we found only 1), and the ones that do, are extremely large and sophisticated developers that can afford to self-host (i.e. we would know how to reach out to them individually)

Outside of real-world production IdP deployment, it is possible, though, that we are going to find developers playing with the API, writing blogs or demos, and that’s more likely to break (because we wouldn’t be able to reach out to them individually), but that’s a more acceptable breakage.