Federated Credential Management API (FedCM) is a
web API for privacy-preserving identity federation. With identity federation, an
RP (relying party) relies on an IdP (identity provider) to provide the user an
account without requiring a new username and password.
FedCM allows the browser to understand the context in which the RP and IdP
exchange information. It informs the user about the information and privilege
levels being shared and prevents unintended abuse. FedCM has been available in
Chrome since version 108.
In Chrome 115, FedCM is getting support for auto-reauthentication, which improves
the user experience and enables a more streamlined reauthentication to the RP
after the initial consent.
Auto-reauthentication
Currently, after a user has created a federated account on an RP with an IdP
via the FedCM API, the next time they
visit the website they need to go through the same steps in the user interface.
That means the user will need to explicitly and manually re-confirm to
reauthenticate and proceed with the sign-in flow.
While the explicit user experience makes sense before the user has created the
federated account to prevent tracking (which is one of the main goals of FedCM),
it is unnecessarily cumbersome after the user has gone through it once: after
the user grants permission to allow communication between the RP and the IdP,
there’s no privacy or security benefit for enforcing another explicit user
confirmation for something that they have already previously acknowledged.
That’s why we are introducing a more streamlined UX that RPs can choose for
their returning users.
FedCM auto-reauthentication ("auto-reauthn" in short) lets users reauthenticate
automatically when they come back after their initial authentication using
FedCM. "The initial authentication" here means the user creates an account or
signs into the RP's website by tapping the "Continue as…" button on FedCM's
sign-in dialog for the first time on the same browser instance.
Choose an option for auto-reauthn
While we are introducing auto-reauthn to provide better UX and to align with the
specification, the default user experience will be different without any code
change. With auto-reauthn available, the browser changes its behavior depending
on the mediation option developers pass to navigator.credentials.get().
const cred = await navigator.credentials.get({
  identity: {
    // Placeholder IdP configuration: the original listing omitted the array contents.
    providers: [{
      configURL: 'https://idp.example/fedcm.json', // the IdP's FedCM config file
      clientId: 'rp-client-id',                    // client ID the IdP issued to this RP
    }],
  },
  mediation: 'optional', // this is the default
});
The mediation property is part of the Credential Management API; it behaves the
same way as it does for PasswordCredential and FederatedCredential, and it's
partially supported by PublicKeyCredential as well. The property accepts the
following four values:
- 'required': Always requires a mediation to proceed, for example, clicking the
  "Continue" button on the UI. Choose this option if your users are expected to
  grant permission explicitly every time they need to be authenticated.
- 'optional' (default): Auto-reauthn if possible, requires a mediation if not.
  We recommend choosing this option on the sign-in page.
- 'silent': Auto-reauthn if possible, silently fail without requiring a
  mediation if not. We recommend choosing this option on pages other than the
  dedicated sign-in page but where you want to keep users signed in, for
  example, an item page on a shipping website or an article page on a news
  website.
- 'conditional': Used for WebAuthn and not available for FedCM at the moment.
With this call, auto-reauthn happens under the following conditions:
- FedCM is available to use. For example, the user has not disabled FedCM
  either globally or for the RP in the settings.
- The user used only one account with the FedCM API to sign into the website on
  this browser.
- The user is signed into the IdP with that account.
- The auto-reauthn didn't happen within the last 10 minutes.
- The RP hasn't called navigator.credentials.preventSilentAccess() after the
  previous sign-in.
When the above conditions are met, an attempt to automatically reauthenticate
the user starts as soon as the FedCM navigator.credentials.get() is invoked.
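To see how the four mediation values interact with the conditions above, here is an added model of those rules. It is not Chrome's implementation and not code from this post: the state fields, outcome labels (auto-reauthn, dialog, silent-failure) and blocker reasons are my own names, chosen to mirror the bullet list, and the IdP sign-in state is passed in as a plain set of accounts.

```javascript
// Illustrative model of the auto-reauthn decision a browser makes for one RP.
// Not Chrome's code: the names below are constructed for this example.

const QUIET_PERIOD_MS = 10 * 60 * 1000; // 10-minute quiet period after an auto-reauthn

class FedCmRpState {
  constructor() {
    this.fedcmEnabled = true;           // user has not disabled FedCM globally or for this RP
    this.accountsUsed = new Set();      // accounts that signed into this RP via FedCM
    this.lastAutoReauthnAt = null;      // timestamp (ms) of the last auto-reauthn, if any
    this.silentAccessPrevented = false; // set by navigator.credentials.preventSilentAccess()
  }

  // A "Continue as ..." click and an auto-reauthn both count as a sign-in;
  // a new sign-in clears an earlier preventSilentAccess() request.
  recordSignIn(account) {
    this.accountsUsed.add(account);
    this.silentAccessPrevented = false;
  }

  preventSilentAccess() {
    this.silentAccessPrevented = true;
  }
}

// Returns the first condition that blocks auto-reauthn, or null if all hold.
function autoReauthnBlocker(state, signedInAccountsAtIdp, now) {
  if (!state.fedcmEnabled) return 'fedcm-disabled';
  if (state.accountsUsed.size !== 1) return 'not-exactly-one-account';
  const [account] = state.accountsUsed;
  if (!signedInAccountsAtIdp.has(account)) return 'not-signed-in-at-idp';
  if (state.lastAutoReauthnAt !== null && now - state.lastAutoReauthnAt < QUIET_PERIOD_MS) {
    return 'quiet-period';
  }
  if (state.silentAccessPrevented) return 'prevent-silent-access';
  return null;
}

// Models the outcome of navigator.credentials.get({ identity, mediation }) for this RP.
function fedcmGetOutcome(state, signedInAccountsAtIdp, mediation, now = Date.now()) {
  if (mediation === 'conditional') {
    throw new TypeError("'conditional' mediation is not available for FedCM");
  }
  // 'required' never auto-reauthenticates; the other values consult the conditions.
  const blocker = mediation === 'required'
    ? 'mediation-required'
    : autoReauthnBlocker(state, signedInAccountsAtIdp, now);
  if (blocker === null) {
    const [account] = state.accountsUsed;
    state.lastAutoReauthnAt = now; // starts the quiet period
    state.recordSignIn(account);
    return { result: 'auto-reauthn', account };
  }
  if (mediation === 'silent') return { result: 'silent-failure', reason: blocker };
  return { result: 'dialog', reason: blocker }; // 'required' or 'optional'
}
```

Walking one RP through the model shows the practical consequence for page design: a content page using 'silent' right after a sign-in page auto-reauthenticated the user will get a silent failure for the next ten minutes, which is why the RP should keep its own session rather than rely on a fresh FedCM token on every page.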
Enforce mediation with preventSilentAccess()
Auto-reauthenticating users immediately after they sign out would not make for a
very good user experience. That's why FedCM has a 10-minute quiet period after
an auto-reauthn to prevent this behavior. This means that auto-reauthn happens
at most once every 10 minutes unless the user signs back in within 10 minutes.
The RP should call navigator.credentials.preventSilentAccess() to explicitly
request the browser to disable auto-reauthn when a user signs out of the RP
explicitly, for example, by clicking a sign-out button.
function signout() {
  // Tell the browser not to auto-reauthenticate this user until they sign in again.
  navigator.credentials.preventSilentAccess();
  location.href = '/signout';
}
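An added example, not code from this post, of how an RP might wrap the sign-in and sign-out calls so each page uses the mediation value recommended above and the three things get() can hand back (a credential, null, or a rejection) are handled in one place. The credentials container is a parameter so the helper can be exercised with the constructed fake below; in a page it defaults to navigator.credentials. The configURL, clientId, page-kind names and the 'step-up' mapping are assumptions for this example.

```javascript
// Example RP-side wrapper around FedCM sign-in/sign-out (constructed for this post).

const IDP_PROVIDERS = [
  // Placeholders: replace with the IdP's config URL and the client ID it issued.
  { configURL: 'https://idp.example/fedcm.json', clientId: 'rp-client-id-placeholder' },
];

// Page kinds mapped to the mediation values recommended in the post.
const MEDIATION_FOR_PAGE = {
  'sign-in': 'optional', // dedicated sign-in page: auto-reauthn, dialog as fallback
  content: 'silent',     // article/item pages: auto-reauthn or nothing, never a dialog
  'step-up': 'required', // assumed: places where an explicit confirmation is wanted
};

function mediationForPage(pageKind) {
  const mediation = MEDIATION_FOR_PAGE[pageKind];
  if (mediation === undefined) throw new RangeError(`unknown page kind: ${pageKind}`);
  return mediation;
}

// Pure classification of a get() outcome. A failed silent attempt is not an
// error on a content page: the user simply stays signed out.
function classifyOutcome(mediation, cred, err) {
  if (err !== undefined) {
    return mediation === 'silent'
      ? { status: 'no-credential', mediation }
      : { status: 'error', mediation, message: String(err && err.message ? err.message : err) };
  }
  if (!cred) return { status: 'no-credential', mediation };
  // The token is opaque to the client; the RP backend must validate it with the IdP
  // before treating the user as signed in.
  return { status: 'signed-in', mediation, token: cred.token };
}

async function signInWithFedCm(pageKind, credentials = globalThis.navigator && globalThis.navigator.credentials) {
  const mediation = mediationForPage(pageKind);
  if (!credentials) return { status: 'unavailable', mediation };
  try {
    const cred = await credentials.get({ identity: { providers: IDP_PROVIDERS }, mediation });
    return classifyOutcome(mediation, cred);
  } catch (err) {
    return classifyOutcome(mediation, undefined, err);
  }
}

// Sign-out: ask the browser to stop auto-reauthn before navigating, as the post's
// signout() does. `navigate` is injectable so the flow can run outside a browser.
function signOut(credentials, navigate) {
  if (credentials && credentials.preventSilentAccess) credentials.preventSilentAccess();
  navigate('/signout');
  return true;
}

// Constructed fake of navigator.credentials for running this file outside a browser.
function makeFakeCredentials({ autoReauthnAllowed }) {
  const calls = [];
  return {
    calls,
    async get({ mediation }) {
      calls.push(`get:${mediation}`);
      if (mediation === 'required' || (!autoReauthnAllowed && mediation === 'optional')) {
        return { token: 'constructed-token-from-dialog' };
      }
      if (autoReauthnAllowed) return { token: 'constructed-token-from-auto-reauthn' };
      throw new Error('silent mediation: auto-reauthn not possible');
    },
    preventSilentAccess() { calls.push('preventSilentAccess'); return Promise.resolve(); },
  };
}
```

Because the post says a 'silent' call fails silently without specifying how that surfaces to script, classifyOutcome treats both a null credential and a rejection as "no credential" for 'silent', while an unexpected rejection under 'optional' or 'required' is reported as an error the page should log.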
Users can opt out of auto-reauthn in settings
Users can opt out of auto-reauthn from the settings menu:
- On desktop Chrome, go to chrome://password-manager/settings > Sign in
  automatically.
- On Android Chrome, open Settings > Password Manager > tap the cog at the top
  right corner > Auto sign-in.
By disabling the toggle, the user can opt out of the auto-reauthn behavior
altogether. This setting is stored and synchronized across devices if the user
is signed into a Google account on the Chrome instance and synchronization is
enabled.
Users can also opt out of FedCM per domain.
Share feedback
If you are testing FedCM, you can share your feedback or any issues you run into
at crbug.com under the component "Blink>Identity>FedCM".