[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Technical review: Add content on FedCM Login Status API, Error API and isAutoSelected #31521

Closed
wants to merge 15 commits into from
Closed

Technical review: Add content on FedCM Login Status API, Error API and isAutoSelected #31521

wants to merge 15 commits into from

Conversation

chrisdavidmills
Copy link
Contributor
@chrisdavidmills chrisdavidmills commented Jan 5, 2024
edited
Loading

Note: This technical review is now completed and approved. For the follow-on editorial review, see #31658.

Description

Chrome 120 adds several updates to the FedCM API (see https://chromestatus.com/feature/5177628008382464 and https://chromestatus.com/feature/5384360374566912).

This PR adds/modifies:

  • The Login Status API:
    • Navigator.login
    • NavigatorStatus
    • NavigatorStatus.setStatus()
    • The Set-Login HTTP header
  • The Error API, which mainly manifests as useful properties of the return error object when a FedCM get() call rejects.
  • The Auto-Selected Flag, which mainly manifests as the IdentityCredential.isAutoSelected property.
  • IdentityProvider.close(), which is not part of the above ChromeStatuses, but is related and not documented, so I decided to deal with it as part of this workstream.

Note also:

  • I have taken this opportunity to split up the FedCM landing page into separate guides, as it was getting quite huge and unwieldy. The FedCM landing page now has two subpages, one that covered IdP integration, and one that covers the RP sign-in flow. These seem to work well as separate items.
  • I've included the Login Status API as a part of the IdP integration guide. There is an argument to put it in its own separate API tree, but currently, only FedCM uses it, and it is also part of the FedCM spec.

See also my research document for more details of what changes were added.

Motivation

Additional details

Fixes mdn/mdn#501

Related BCD update: mdn/browser-compat-data#21721

Related issues and pull requests

@chrisdavidmills chrisdavidmills requested review from a team as code owners January 5, 2024 11:29
@chrisdavidmills chrisdavidmills requested review from Elchi3 and dipikabh and removed request for a team January 5, 2024 11:29
@github-actions github-actions bot added Content:WebAPI Web API docs Content:HTTP HTTP docs labels Jan 5, 2024
@github-actions GitHub Actions
Copy link
Contributor
github-actions bot commented Jan 5, 2024
edited
Loading
Preview URLs (16 pages)
Flaws (4)

Note! 12 documents with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/API/IdentityCredential/isAutoSelected
Title: IdentityCredential: isAutoSelected property
Flaw count: 1

  • bad_bcd_queries:
    • No BCD data for query: api.IdentityCredential.isAutoSelected

URL: /en-US/docs/Web/API/Navigator
Title: Navigator
Flaw count: 1

  • macros:
    • /en-US/docs/Web/API/Navigator/standalone does not exist

URL: /en-US/docs/Web/API/CredentialsContainer/get
Title: CredentialsContainer: get() method
Flaw count: 1

  • broken_links:
    • No need for the pathname in anchor links if it's the same page

URL: /en-US/docs/Web/HTTP/Headers/Set-Login
Title: Set-Login
Flaw count: 1

  • bad_bcd_queries:
    • No BCD data for query: http.headers.Set-Login
External URLs (11)

URL: /en-US/docs/Web/API/FedCM_API/IDP_integration
Title: Identity provider integration with FedCM

URL: /en-US/docs/Web/API/FedCM_API/RP_sign-in
Title: Relying party federated sign-in

URL: /en-US/docs/Web/API/IdentityCredential/isAutoSelected
Title: IdentityCredential: isAutoSelected property

URL: /en-US/docs/Web/API/IdentityProvider/close_static
Title: IdentityProvider: close() static method

(comment last updated: 2024-01-11 10:32:58)

@chrisdavidmills chrisdavidmills changed the title Add content on FedCM Login Status API, Error API and isAutoSelected Technical review: Add content on FedCM Login Status API, Error API and isAutoSelected Jan 5, 2024
@chrisdavidmills chrisdavidmills removed request for a team, Elchi3 and dipikabh January 5, 2024 11:35
npm1
npm1 reviewed Jan 5, 2024
View reviewed changes
files/en-us/web/api/credentialscontainer/get/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/credentialscontainer/get/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/credentialscontainer/get/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/navigator/login/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/navigatorlogin/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/navigatorlogin/setstatus/index.md Outdated Show resolved Hide resolved
files/en-us/web/http/headers/set-login/index.md Outdated Show resolved Hide resolved
files/en-us/web/http/headers/set-login/index.md Outdated Show resolved Hide resolved
npm1
npm1 reviewed Jan 8, 2024
View reviewed changes
Copy link
@npm1 npm1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

files/en-us/web/api/credentialscontainer/get/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/credentialscontainer/get/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/rp_sign-in/index.md Outdated Show resolved Hide resolved
npm1
npm1 reviewed Jan 9, 2024
View reviewed changes
Copy link
@npm1 npm1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated Show resolved Hide resolved
@chrisdavidmills
Copy link
Contributor Author

Thanks @npm1! We are close now. The only bits left now are a couple of clarifications/verifications:

@chrisdavidmills
Copy link
Contributor Author

Thanks again @npm1. I've gotten the last couple of fixes done before signing off tonight. Let me know if there is anything else you think this needs, or give me an LGTM, so we can get it put into editorial review tomorrow!

npm1
npm1 reviewed Jan 10, 2024
View reviewed changes
Copy link
@npm1 npm1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple more comments but LGTM

files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated
| accounts_endpoint | `GET` | No | Yes | No |
| client_metadata_endpoint | `GET` | Yes | No | Yes |
| id_assertion_endpoint | `POST` | Yes | Yes | Yes |
| Endpoint/resource | Method | Credentialed | Includes cookies | Includes {{httpheader("Origin")}} |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I missed that this table has 'credentialed' and 'includes cookies'. Those are the same thing? The Credentialed column is incorrect anyways so can we remove it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, done. I also changed the column header to "Credentialed (with cookies)" just in case some people understand one, and some understand the other.

files/en-us/web/api/fedcm_api/idp_integration/index.md Outdated

## The `Sec-Fetch-Dest` HTTP header

All requests sent from the browser via FedCM include a `{{httpheader("Sec-Fetch-Dest")}}: webidentity` header to prevent {{glossary("CSRF")}} attacks. All IdP endpoints must confirm this header is included. For example, the well-known file request would look like so:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We were discussing some issue with the team regarding this. In reality, while all endpoints have that Dest, it is only really important to check it on the credentialed (eg accounts and id assertion) endpoints. Perhaps we can update this to note that instead of saying all endpoints?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense - done! I also included the webidentity value on the actual Sec-Fetch-Destheader ref page, as I noticed it was missing.

@chrisdavidmills
Copy link
Contributor Author

Great stuff, thanks @npm1. I'll get this passed into the editorial review stage (I'll create a new PR based on the same branch to contain that, so it doesn't become too busy).

@chrisdavidmills chrisdavidmills mentioned this pull request Jan 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@npm1 npm1 npm1 left review comments

Assignees
No one assigned
Labels
Content:HTTP HTTP docs Content:WebAPI Web API docs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Federated Credential Management API | sync
2 participants
@chrisdavidmills @npm1