Get Inspired
Docs
Blog
Articles
The Privacy Sandbox
What is the Privacy Sandbox? Proposal lifecycle in the Privacy Sandbox Timeline Glossary and key concepts Privacy Sandbox events Privacy Sandbox demos Blog Privacy Sandbox videos
Chrome-facilitated testing Relevance and measurement unified origin trial Enroll your site API status and feature releases
Privacy Sandbox testing FAQs Privacy-related compliance FAQs
Feedback
Prepare for phasing out third-party cookies Related Website Sets Related Website Sets: developer guide How Chrome evolved the First-Party Sets proposal Cookies Having Independent Partitioned State (CHIPS) Storage Partitioning Fenced frames
Federated Credential Management API Federated Credential Management API: developer guide Federated Credential Management API updates
Shared Storage Shared Storage API walkthrough
IP Protection Privacy Budget Bounce tracking mitigations
User-Agent reduction User-Agent reduction snippets
Topics API overview Topic classification Developer guide Integration guide Experiment and participate Topics API demos Test topic inference in a colab Topics API latest updates
Protected Audience API Experiment and participate
Protected Audience API: developer guide Seller guide: run ad auctions Buyer guide: join interest groups and generate bids Protected Audience API auction reporting Sequential auction setup with header bidding and multi-seller Protected Audience auction Improve Protected Audience API auction latency Opt-out of the Protected Audience API Report on Protected Audience API auction results Troubleshoot the Protected Audience API
Status of pending Protected Audience API capabilities Protected Audience API walkthrough
Content selection with Shared Storage Creative rotation Creative selection by frequency A/B Testing Known customers
Maximize ad relevance
Attribution Reporting overview Attribution Reporting end-to-end Experiment and participate Why Chrome plans to ship the Attribution Reporting API
Introduction to debug reports Set up debug reports Debugging cookbook
Attribution Reporting API developer guide Get started with Attribution Reporting Register attribution sources Register attribution triggers Prioritize specific clicks, views, or conversions Define custom rules using filters Prevent duplication in reports Custom report windows Register multiple reporters Report schedules Constraints on Aggregation Reporting data Web-to-app and app-to-web measurement Understanding aggregation keys Understanding noise in summary reports Working with noise Contribution budget for summary reports
API updates
Private Aggregation API Private Aggregation API fundamentals Experiment and participate Unique reach measurement User demographic reporting K+ frequency measurement
Aggregation Service Summary reports
Private State Tokens

Federated Credential Management API updates

Published on Updated on

Eiji Kitamura
Eiji Kitamura

Developer Advocate, Google Chrome

Twitter GitHub Glitch Mastodon

The Federated Credential Management API is shipping in Chrome 108, but it's expected to continue evolving until Q4 2023 at least to stabilize.

Who are these updates for?

These updates are for you if:

  • You are an IdP using the Federated Credential Management API—for example, you've run an origin trial.
  • You are an IdP or RP and interested in extending the API to fit your use case – e.g. you've been observing or participating in the discussions on the FedID CG repository and want to understand the changes made to the API.
  • You are a browser vendor and you want to catch up on the implementation status of the API.

If you're new to this API or have not experimented with it yet, read the introduction to the Federated Credential Management API.

Changelog

To stay updated on the FedCM API changes, please subscribe to our newsletter.

Chrome 117 (Sep 2023)

Chrome 116 (Aug 2023)

  • Added support for following three features in Chrome 116:
    • Login Hint API: Specify a preferred user account to be signed in.
    • User Info API: Fetch the information of the returning user so that the identity provider (IdP) can render a personalized sign-in button within an iframe.
    • RP Context API: Use a title different from 'Sign in' in the FedCM dialog.
  • Origin Trial for IdP Sign-In Status API is available. Learn more about it in FedCM updates: IdP Sign-In Status API, Login Hint, and more.

Chrome 115 (June 2023)

  • Added support for auto-reauthentication which let users reauthenticate automatically when they come back after their initial authentication using FedCM. This improves the user experiences and enables a more streamlined reauthentication to the RP after the initial consent. Learn more about FedCM auto-reauthentication.

Chrome 110 (February 2023)

  • For the ID assertion endpoint, IdPs need to check the Origin header (instead of the Referer header) to see if the value matches the origin of the client ID.
  • Cross-origin iframe support for FedCM is now available. The embedder should specify the Permissions-Policy identity-credentials-get to allow FedCM API in the embedded cross-origin iframe. You can check out an example of the cross-origin iframe.
  • Added a new Chrome flag chrome://flags/#fedcm-without-third-party-cookies. With this flag, you can test FedCM functionality in Chrome by blocking third-party cookies. Learn more from the FedCM documentation.

Chrome 108 (October 2022)

  • "top-level manifest" is now called "well-known file" in the document. No implementation changes are required.
  • "IdP manifest" is now called "config file" in the document. No implementation changes are required.
  • The id_token_endpoint in the "config file" is renamed to id_assertion_endpoint.
  • The requests to IdP now include a Sec-Fetch-Dest: webidentity header instead of a Sec-FedCM-CSRF: ?1 header.

Chrome 105 (August 2022)

  • Added important security information to the document. The identity provider (IdP) needs to check if the Referer header matches the origin the RP registered in advance on the ID token endpoint.
  • The top-level manifest is renamed from /.well-known/fedcm.json to /.well-known/web-identity and the URL specified in provider_urls should include the file name.
  • Methods login(), logout() and revoke() on FederatedCredential instances are no longer available.
  • The Federated Credential Management API now uses a new type IdentityCredential instead of FederatedCredential. This can be used for feature detection but is otherwise a largely invisible change.
  • Move login functionality from a combination of navigator.credentials.get() and FederatedCredential.prototype.login() to navigator.credentials.get().
  • The revocation endpoint in the manifest is no longer in effect.
  • Use an identity field instead of a federated field for navigator.credentials.get() calls.
  • url is now configURL and must be the full URL for the manifest JSON file instead of the path for a navigator.credentials.get() call.
  • nonce is now an optional parameter for navigator.credentials.get().
  • hint is no longer available as an option for navigator.credentials.get().
const credential = await navigator.credentials.get({
  identity: {
    providers: [{
      configURL: 'https://idp.example/anything.json',
      clientId: '********',
      nonce: '******'
    }]
  }
});
const { token } = credential;

Chrome 104 (June 2022)

Chrome 103 (May 2022)

  • Supports desktop environments.
  • Supports per-RP settings on desktop.
  • The client metadata endpoint is now optional. In this endpoint, the privacy policy URL is also optional.
  • Added a caveat about using CSP connect-src in the document.

Resources

Updated on Improve article

This site uses cookies to deliver and enhance the quality of its services and to analyze traffic. If you agree, cookies are also used to serve advertising and to personalize the content and advertisements that you see. Learn more about our use of cookies.