-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Occurred since Chrome 126: FedCM Accounts API does not show the user in the FedCM dialog if the email is blank. #379
Comments
I recommend filing a bug at crbug.com in the "Chromium > Blink > Identity > FedCM" component. |
Do you have a username or something? Perhaps put that while we make the email optional, see w3c-fedid/FedCM#317 |
Ugh, this does seem to be a backwards incompatible change that we made that is causing this. Here is the CL that introduced the requirement that email addresses are present, which, as you noted, got into Chrome 126 and above. https://chromium-review.googlesource.com/c/chromium/src/+/5529788 It is technically neither (a) incompatible with the spec nor (b) a bug, since email is a required field and this CL is just enforcing that the string is non-empty.
That's a good question. Can you help us understand a bit more about your deployment. A few questions: (a) Do all of your users not have email or just some? |
@npm1 Currently, we work around the problem of accounts not showing up in FedCM by displaying the nickname in the "email" field. |
@samuelgoto (a) Only some users do not have an email address. (b) No, multiple accounts are not supported. (c)The condition does not occur because the response to b is no. (d) We believe that there are a certain number of IdPs that support a function that allows users to reject the acquisition of personal information through GDRP or other means. |
Followup questions:
|
@npm1 Ans. 1Nicknames may be shared in RP. However, we do not share email addresses. Ans. 2This happens a lot in my case. For example, this is the case where the RP is offering a game. If the RP cannot manage the data until the user finishes the tutorial without tying the data to something, the IdP will provide the user tied to a cookie as an ephemeral account. The user may interrupt and resume the tutorial as long as the cookie is not deleted. This is beneficial to the user in terms of personal information management, since the user can play the game without unwillingly registering any personal or other information. We want to respect the user's willingness to register, so we offer ephemeral accounts that rely on cookies. Ans. 3Yes. I think it is an important element of IdP for users to be able to identify themselves by nicknames, icons, etc. |
Ok, I think we heard two different things in this thread. Let me try to reconcile them. First, we heard:
The problem is that we currently have
This would allow you to pass us Here is an example of an accounts response without an email address: {
"accounts": [{
"id": "1234",
"name": "John Doe",
"username": "johndown1982",
"approved_clients": ["123", "456", "789"],
}]
} Would that work? Second, we heard:
The problem here is that, indeed, FedCM currently assumes that what will be shared will be
Here is an example of how the RP would call the FedCM API: const credential = await navigator.credentials.get({
identity: {
providers: [{
configURL: ...,
// controls what permission is asked of the user
fields: ["name", "username", "picture"], // in case the RP wants the username
fields: ["name", "picture"], // in case the RP doesn't need the username
}]
}
}); Would that address this issue? |
We think it is good, no problem.
A few questions remain regarding this one. So I would prefer the following response account endpoint response
{
"accounts": [{
"id": "1234",
"name": "John Doe",
"unique_name": "john_doe@idp.example", // For example, if an IdP has id + email as uniq
"unique_name": "John Doejohn_doe_123456789", // For example, if an IdP has id + name as uniq
"unique_name": "Jack", // For example, if an IdP has id + nickname as uniq
"picture": "https://idp.example/profile/123",
"approved_clients": ["123", "456", "789"],
"login_hints": ["john_doe"],
"domain_hints": ["idp.example"],
}]
} account endpoint request
const credential = await navigator.credentials.get({
identity: {
providers: [{
configURL: ...,
// Optionally specify additional information to be obtained
fields: ["email"], // in case the RP wants the email
}]
}
}); The above will solve the problem in my use case where an email cannot be retrieved in an RP request. |
Ok, I think we are getting there!
One of the challenges with taking an arbitrary string is abuse: a spammer can abuse the API to include something like "Get 5% off" and create an intrusion for users. I was hoping we'd be able to prevent some of this abuse if we could enumerate the types of valid strings (e.g. we can regex email, phone numbers and usernames). An IdP would be able to choose which one to pass to be displayed to the user to disambiguate accounts. For example: {
"accounts": [{
"id": "1234",
"name": "John Doe",
"email": "john_doe@idp.example", // For example, if an IdP has id + email as uniq, has to match emails
"phone_number": "(630) 023-3243", // For example, if an IdP has id + phone as uniq, has to be numeric
"username": "John Doejohn_doe_123456789", // For example, if an IdP has id + name as uniq, can't contain spaces
"username": "Jack", // For example, if an IdP has id + nickname as uniq, can't contain spaces
"picture": "https://idp.example/profile/123",
"approved_clients": ["123", "456", "789"],
"login_hints": ["john_doe"],
"domain_hints": ["idp.example"],
}]
} Would that work? Or do you have any other type of way to clarify to the user accounts other than
Yeah, I think this would work. |
It will work! I believe the problem can be solved by doing what is in the example. If only a modification to the accounts API response interface on the IdP side, or to the IdP such as |
Yeah, that's one of the benefits of this approach: we could make the accounts endpoint response backwards compatible. |
I believe this issue completes the identification of the problem and the rubbing of the direction of the response. |
Let's discuss in the future at w3c-fedid/FedCM#639. |
Overview
The FedCM Accounts API behaves differently in Chrome 125 and earlier than in Chrome 126 and later when the email address is blank.
In Chrome 126 and later, user selection is no longer possible in the dialog.
I have not been able to find an issue regarding this change, so I am submitting an issue.
If you know of any discussion of the specification change, please let me know.
Thanks for reading this far.
This issue is made in translation. Sorry if the language is strange.
Details
The Accounts API responds with the following JSON
For Chrome 125, the FedCM dialog will ask if you want to log in as "John Doe" and the FedCM assertion process will run.
For Chrome 126 and later, the FedCM dialog does not display user information.
We have confirmed that Chrome 126 or later behaves the same as Chrome 125 by including a value such as "dummy@test" in the email field.
Question
Is this behavior a specification or a bug?
If it is a spec, how should IdPs who do not know the user's email address deal with it future Chrome?
The text was updated successfully, but these errors were encountered: