Use cases for Cross-Site Cookie Access through Storage Access API after FedCM grant? #467

@shuranhuang

FedCM solves a number of federated user identity flows through new, purpose-built APIs that do not expose 3p cookies to IDPs. However, there are a number of capabilities and technological patterns that are currently in use by the (federated) identity ecosystem currently dependent on the login state that is stored in 3p cookies after the FedCM flow.

Based on what we’ve heard from FedID CG meetings and partner conversations, some enterprises or edu IDPs might be able to adopt FedCM, but probably could not drop reliance on 3p cookies in all of their user flows without custom-built FedCM extensions, and so would otherwise need to guide their users to re-enable 3p cookies.

We'd like to propose a seed of an idea: what if IDPs that are granted user consent through FedCM are permitted to access their 3p cookies using the Storage Access API (SAA), without requiring an additional permission prompt from SAA, with RPs’ explicit opt-in? We suspect this could help a broader audience of developers adopt the user-friendly FedCM flow, and also remove the design / maintenance burden for less common data / interaction flows for FedCM.

Our question to this group: would this help resolve any so far unaddressed use cases in the identity space? To what extent do you feel this is helpful compared to a longer term outlook of additional higher-level APIs in FedCM? To browser vendors implementing FedCM: does that seem right directionally? Any concerns / recommendations? The idea is still in the exploratory stage and thoughts are welcome!
