Federated Credential Management API (FedCM) is a
web API for privacy-preserving identity federation. With identity federation, an
RP (relying party) relies on an IdP (identity provider) to provide the user an
account without requiring a new username and password.
FedCM is a purpose-built API that allows the browser to understand the context
in which the RP and IdP exchange information, inform the user as to the
information and privilege levels being shared and prevent unintended abuse.
Updates
There are a few updates to Chrome's FedCM implementation:
- For the ID assertion endpoint, IdPs need to check the Origin header (instead of the
Referer header) to see if the value matches the origin of the client ID.
- A new Chrome flag chrome://flags/#fedcm-without-third-party-cookies has been added.
With this flag, you can test FedCM functionality in Chrome with third-party cookies
blocked.
For all the past updates to the API, check out Federated Credential Management
API updates.
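As an added illustration of the first update above (not code from the post or from Chrome), this is the kind of check an IdP's ID assertion endpoint can run on each request: look up the origin registered for the posted client_id and compare it with the Origin header, ignoring Referer. The client registry and header values are constructed; Node-style lowercase header keys are assumed.

```javascript
// Constructed registry: client ID -> RP origin registered with the IdP.
const clientRegistry = new Map([
  ['rp-client-123', 'https://rp.example'],
]);

// Normalise an origin string through URL so that default ports and host
// case differences compare equal; returns null for unparsable values
// (including the literal "null" origin sent by opaque contexts).
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Decide whether an ID assertion request may proceed.
// `headers` is the request header map (lowercase keys), `body` the parsed
// form body containing client_id. The Referer header is deliberately unused.
function checkIdAssertionRequest(headers, body) {
  const origin = headers['origin'];
  if (!origin) {
    return { ok: false, reason: 'missing Origin header' };
  }
  const expected = clientRegistry.get(body.client_id);
  if (!expected) {
    return { ok: false, reason: 'unknown client_id' };
  }
  if (normalizeOrigin(origin) !== normalizeOrigin(expected)) {
    return { ok: false, reason: 'Origin does not match client_id origin' };
  }
  return { ok: true, reason: '' };
}
```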
The latest version of FedCM includes a new auto-reauthentication feature, which enables reauthenticating users automatically when they come back after their initial authentication using FedCM. Auto-reauthentication is available as an origin trial starting in Chrome 112.
Auto-reauthentication
Currently, after a user has created a federated account on an RP with an IdP
via the FedCM, the next time they visit
the website they need to go through the same steps in the user interface.
That is, they need to explicitly confirm and reauthenticate to
proceed with the sign-in flow. As one of the main
goals of FedCM is to prevent covert tracking, this user experience (UX) makes sense before the user
has created the federated account, but it becomes unnecessary and cumbersome after the user has
gone through it once. After the user grants permission to allow communication
between the RP and the IdP, there’s no privacy or security benefit for
enforcing another explicit user confirmation for something that they have
already previously acknowledged. That’s why Chrome is introducing a more streamlined
UX that RPs can choose for their returning users.
FedCM auto-reauthentication ("auto-reauthn" for short) reauthenticates users
automatically (when RPs opt in) when they come back after their initial
authentication using FedCM. "The initial authentication" here means the user
creates an account or signs into the RP's website by tapping the "Continue as…"
button on FedCM's sign-in dialog for the first time on the same browser instance.
The RP can request auto-reauthn by calling navigator.credentials.get() with
autoReauthn: true.
const cred = await navigator.credentials.get({
  identity: {
    // Placeholder provider entry: use your IdP's config URL and client ID.
    providers: [{ configURL: 'https://idp.example/fedcm.json', clientId: 'YOUR_CLIENT_ID' }],
    // NOTE: We are exploring different API options to expose this
    // functionality here:
    // https://github.com/fedidcg/FedCM/issues/429#issuecomment-1426358523
    // You should expect that, as a result of the origin trial, we'll
    // learn more from developers and browser vendors what works best here.
    autoReauthn: true, // defaults to false
  },
});
With this call, auto-reauthentication happens under the following conditions:
- FedCM is available to use. For example, the user has not disabled FedCM either
globally or for the RP.
- The user used only one FedCM account to sign into the website on this browser.
- The user is signed into the IdP with that account.
- The auto-reauthn didn't happen within the last 10 minutes.
When the above conditions are met, an attempt to automatically reauthenticate the
user starts as soon as the FedCM navigator.credentials.get() is invoked.
To avoid a frustrating experience of auto-reauthentication immediately after a
user has signed out, it's recommended to design a sign-out flow that would prevent that.
FedCM has a 10 minute quiet period after an auto-reauthentication to
prevent this behavior. We are also exploring other approaches to achieve this,
such as using CredentialsContainer.preventSilentAccess().
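The opt-in call and the sign-out flow described above, as an added example that is not code from the post or from Chrome: the credentials container is passed in (normally navigator.credentials) so the logic can also run outside a browser, and the configURL/clientId values are placeholders.

```javascript
// Build the navigator.credentials.get() options for a FedCM sign-in.
// autoReauthn only expresses the RP's opt-in; the browser still applies its
// own conditions (single account, signed in at the IdP, 10 minute quiet period).
function buildFedCmRequest({ configURL, clientId, autoReauthn = true }) {
  return {
    identity: {
      providers: [{ configURL, clientId }],
      autoReauthn,
    },
  };
}

// Ask the browser for a FedCM credential and return the IdP-issued token,
// or null when no credential was obtained (dialog dismissed, FedCM disabled,
// network failure). The token still has to be verified by the RP backend.
async function signInWithFedCm(credentials, opts) {
  let cred;
  try {
    cred = await credentials.get(buildFedCmRequest(opts));
  } catch (err) {
    return null;
  }
  if (!cred || cred.type !== 'identity') {
    return null;
  }
  return cred.token;
}

// Sign-out flow: clear the RP's own session, then tell the browser not to
// sign the user in silently again until they act explicitly. This is the
// preventSilentAccess() approach the post mentions.
async function signOutWithFedCm(credentials, clearSession) {
  clearSession();
  await credentials.preventSilentAccess();
  return true;
}
```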
Try it out
You can try FedCM auto-reauthentication locally by turning on the Chrome
flag chrome://flags#fedcm-auto-re-authn on Chrome 112 or later.
For testing purposes, you can reset the 10 minute quiet period by removing
browser data.
- Navigate to chrome://history.
- Click Clear Browsing History (under the main menu).
- Clear Cookies & Other Site Data for the time range All time.
- Restart Chrome.
Be careful that by doing this, you will lose cookies and storage data from all
websites on the Chrome instance.
Participate in the origin trial
You can also enable the feature on your website by joining the third-party
origin trial available from Chrome 112
through Chrome 114.
Origin trials allow you to try new features and give feedback on their
usability, practicality, and effectiveness to the web standards community. For
more information, see the Origin Trials Guide for Web Developers.
To sign up for this or another origin trial, visit the registration page.
To register for the third-party origin
trial and activate the feature
on third-parties:
- Go to the origin trial registration page.
- Click the Register button and fill out the form to request a token.
- Enter the serving origin as Web Origin.
- Check Third-party matching to inject the token with JavaScript on other origins.
- Click Submit.
- Embed the issued token on a third-party.
To embed the token to a third-party, add the following code to your JavaScript
library or SDK served from the registered website’s origin.
const tokenElement = document.createElement('meta');
tokenElement.httpEquiv = 'origin-trial';
tokenElement.content = 'TOKEN_GOES_HERE';
document.head.appendChild(tokenElement);
Replace TOKEN_GOES_HERE with your own token.
If FedCM is executed directly by an RP without loading an IdP’s scripts, the RP
must register their origin by themselves for the origin trial.
Engage and share feedback
If you have feedback or encounter any issues during testing, you can share them at crbug.com
under the Blink>Identity>FedCM component.