Federated Credential Management API updates
The Federated Credential Management API is shipping in Chrome 108, but it's expected to continue evolving until Q4 2023 at least to stabilize.
Who are these updates for?
These updates are for you if:
- You are an IdP using the Federated Credential Management API—for example, you have run an origin trial.
- You are an IdP or RP and interested in extending the API to fit your use case – e.g. you've been observing or participating in the discussions on the FedID CG repository and want to understand the changes made to the API.
- You are a browser vendor and you want to catch up on the implementation status of the API.
If you're new to this API or have not experimented with it yet, read the introduction to the Federated Credential Management API.
Changelog
To stay updated on the FedCM API changes, please subscribe to our newsletter.
Chrome 110 (February 2023)
- For the ID assertion endpoint, IdPs need to check the `Origin` header (instead of the `Referer` header) to see if the value matches the origin of the client ID.
- Cross-origin iframe support for FedCM is now available. The embedder should specify the Permissions-Policy `identity-credentials-get` to allow the FedCM API in the embedded cross-origin iframe. You can check out an example of the cross-origin iframe.
- Added a new Chrome flag `chrome://flags/#fedcm-without-third-party-cookies`. With this flag, you can test FedCM functionality in Chrome with third-party cookies blocked. Learn more from the FedCM documentation.
Chrome 108 (October 2022)
- "top-level manifest" is now called "well-known file" in the document. No implementation changes are required.
- "IdP manifest" is now called "config file" in the document. No implementation changes are required.
- The `id_token_endpoint` in the "config file" is renamed to `id_assertion_endpoint`.
- The requests to the IdP now include a `Sec-Fetch-Dest: webidentity` header instead of a `Sec-FedCM-CSRF: ?1` header.
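As an added example (not code from the original post or from Chrome), here is how an IdP's ID assertion endpoint could apply the two request checks listed above: the `Sec-Fetch-Dest: webidentity` header from Chrome 108 and the `Origin` check from Chrome 110. The client registry, the plain-object header shape and the `client_id` body field are assumptions for this example.

```javascript
// Added example: validating an incoming FedCM request at an IdP's ID assertion
// endpoint. CLIENT_REGISTRY is a constructed stand-in for whatever the IdP
// stores when an RP registers a client ID (assumed mapping: client ID -> origin).
const CLIENT_REGISTRY = new Map([
  ['client-rp-1', 'https://rp.example'],        // constructed sample entry
  ['client-rp-2', 'https://app.other.example'], // constructed sample entry
]);

// headers: plain object of request headers (names matched case-insensitively).
// body: parsed POST body; client_id is assumed to be the RP's client ID.
// Returns { ok: true } or { ok: false, reason }.
function validateIdAssertionRequest(headers, body, registry = CLIENT_REGISTRY) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };

  // Chrome 108+: the browser marks FedCM fetches with Sec-Fetch-Dest:
  // webidentity (replacing Sec-FedCM-CSRF: ?1). Rejecting anything else keeps
  // ordinary cross-site requests from reaching the endpoint with IdP cookies.
  if (get('sec-fetch-dest') !== 'webidentity') {
    return { ok: false, reason: 'missing Sec-Fetch-Dest: webidentity' };
  }

  const registeredOrigin = registry.get(body.client_id);
  if (registeredOrigin === undefined) {
    return { ok: false, reason: 'unknown client_id' };
  }

  // Chrome 110+: the Origin header (no longer Referer) must match the origin
  // the RP registered for this client ID, so a token for one RP cannot be
  // requested on behalf of another origin.
  const origin = get('origin');
  if (origin === undefined) {
    return { ok: false, reason: 'missing Origin header' };
  }
  let parsed;
  try {
    parsed = new URL(origin); // also rejects an opaque "null" origin
  } catch {
    return { ok: false, reason: 'malformed Origin' };
  }
  if (parsed.origin !== new URL(registeredOrigin).origin) {
    return { ok: false, reason: 'Origin does not match registered client' };
  }
  return { ok: true };
}
```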
Chrome 105 (August 2022)
- Added important security information to the document. The identity provider (IdP) needs to check that the `Referer` header matches the origin the RP registered in advance on the ID token endpoint.
- The top-level manifest is renamed from `/.well-known/fedcm.json` to `/.well-known/web-identity`, and the URL specified in `provider_urls` should include the file name.
- Methods `login()`, `logout()` and `revoke()` on `FederatedCredential` instances are no longer available.
- The Federated Credential Management API now uses a new type `IdentityCredential` instead of `FederatedCredential`. This can be used for feature detection but is otherwise a largely invisible change.
- Move login functionality from a combination of `navigator.credentials.get()` and `FederatedCredential.prototype.login()` to `navigator.credentials.get()`.
- The revocation endpoint in the manifest is no longer in effect.
- Use an `identity` field instead of a `federated` field for `navigator.credentials.get()` calls.
- `url` is now `configURL` and must be the full URL of the manifest JSON file, instead of a path, for a `navigator.credentials.get()` call.
- `nonce` is now an optional parameter for `navigator.credentials.get()`.
- `hint` is no longer available as an option for `navigator.credentials.get()`.
const credential = await navigator.credentials.get({
  identity: {
    providers: [{
      configURL: 'https://idp.example/anything.json',
      clientId: '********',
      nonce: '******'
    }]
  }
});
const { token } = credential;
Chrome 104 (June 2022)
- The `consent_acquired` parameter sent to the ID token endpoint is now `disclosure_text_shown`. The value is unchanged.
- Branding icons in the IdP manifest have stopped supporting SVG images, but no longer need to be allowed by the RP's Content Security Policy.
Chrome 103 (May 2022)
- Supports desktop environments.
- Supports per-RP settings on desktop.
- The client metadata endpoint is now optional. In this endpoint, the privacy policy URL is also optional.
- Added a caveat about using CSP `connect-src` in the document.
Resources
- Read the introduction to Federated Credential Management.