Allow auto-reauthentication in FedCM #458

Merged
merged 9 commits into from
May 9, 2023
58 changes: 39 additions & 19 deletions spec/index.bs
Expand Up @@ -29,6 +29,8 @@ spec: ecma262; urlPrefix: https://tc39.github.io/ecma262/
spec: credential-management-1; urlPrefix: https://w3c.github.io/webappsec-credential-management/
type: dfn
text: same-origin with its ancestors; url: same-origin-with-its-ancestors
type: dfn
text: requires user mediation; url: origin-requires-user-mediation
</pre>

<pre class=link-defaults>
Expand Down Expand Up @@ -458,8 +460,6 @@ This [=internal method=] accepts three arguments:

</dl>

NOTE: The |options|.{{CredentialRequestOptions/mediation}} flag is currently not used.

The |options|.{{CredentialRequestOptions/signal}} is used as an abort signal for the
requests.

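Review bot: Removing the NOTE that |options|.{{CredentialRequestOptions/mediation}} is unused leaves this argument description with no statement of what mediation now does, while {{CredentialRequestOptions/signal}} still gets one in the sentence that follows. Suggest replacing the NOTE instead of deleting it, with one sentence saying that mediation is passed to [=create an IdentityCredential=] and decides whether auto-reauthentication may happen.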
Expand Down Expand Up @@ -492,8 +492,8 @@ algorithm is invoked, the user agent MUST execute the following steps. This retu
method to throw an error. If there was no such timer, the developer could easily infer
whether the user has an account with the [=IDP=] or not, or whether the user closed the UI without granting permission to share the [=IDP=] account information with the [=RP=].
1. Let |provider| be |options|["{{CredentialRequestOptions/identity}}"]["{{IdentityCredentialRequestOptions/providers}}"][0].
1. Let |credential| be the result of running [=create an IdentityCredential=] with |provider| and
|globalObject|.
1. Let |credential| be the result of running [=create an IdentityCredential=] with |provider|,
|options|["{{CredentialRequestOptions/mediation}}"], and |globalObject|.
1. If |credential| is failure, throw a new "{{NetworkError}}" {{DOMException}}.
1. Return |credential|.
</div>
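Review bot: The step "If |credential| is failure, throw a new NetworkError" now also fires when [=create an IdentityCredential=] returns failure only because mediation is "silent", so the RP sees a NetworkError although no network request failed. If that is deliberate, in line with the surrounding text about not letting the developer infer whether the user has an account, add a note saying so. Please also confirm that the timer described above covers the silent path, since that path can return failure before any fetch is made.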
Expand All @@ -507,44 +507,64 @@ agent UI, and creates the {{IdentityCredential}} that is then returned to the [=

<div algorithm>
To <dfn>create an IdentityCredential</dfn> given an {{IdentityProviderConfig}}
|provider| and a |globalObject|, run the following steps. This returns an {{IdentityCredential}} or
failure.
|provider|, a {{CredentialRequestOptions/mediation}} |mediation|, and a |globalObject|, run the
following steps. This returns an {{IdentityCredential}} or failure.
1. Assert: These steps are running [=in parallel=].
1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s
[=requires user mediation=].
1. If |requiresUserMediation| is true and |mediation| is
"{{CredentialMediationRequirement/silent}}", return failure.
1. Let |config| be the result of running [=fetch the config file=] with |provider| and
|globalObject|.
1. If |config| is failure, return failure.
1. Let |accountsList| be the result of [=fetch the accounts list=] with |config|, |provider|,
and |globalObject|.
1. If |accountsList| is failure, return failure.
1. For each |account| in |accountsList|:
1. If |account|["{{IdentityProviderAccount/picture}}"] is present,
[=fetch the account picture=] with |account| and |globalObject|.
1. For each |acc| in |accountsList|:
1. If |acc|["{{IdentityProviderAccount/picture}}"] is present, [=fetch the account picture=]
with |acc| and |globalObject|.

Note: The [=user agent=] may choose to show UI which does not initially require fetching the
account pictures. In these cases, the [=user agent=] may delay these fetches until they are
needed. Because errors from these fetches are ignored, they can happen in any order.
1. Let |registeredAccount|, |numRegisteredAccounts| be null and 0, respectively.
1. Let |account| be null.
1. For each |acc| in |accountsList|:
1. Let |accState| be the result of running the [=compute account state=] algorithm given
|provider| and |acc|.
1. If |accState| is {{registered}}, set |registeredAccount| to |acc| and increase
|numRegisteredAccounts| by 1.
1. Let |permission| be false.
1. If |accountsList|'s size is 1:
1. Let |account| be |accountsList|[0].
1. Let |accountState| be the result of running the [=compute the connection status=] algorithm
1. If |mediation| is not "{{CredentialMediationRequirement/required}}", |requiresUserMediation|
is false, and |numRegisteredAccounts| is equal to 1:
1. Set |account| to |registeredAccount| and |accountState| to the result of running
[=compute account state=] algorithm given |provider| and |account|. When doing this,
the user agent MAY show some UI to the user indicating that they are being
auto-reauthenticated.
1. Otherwise, if |mediation| is "{{CredentialMediationRequirement/silent}}", return failure.
1. Otherwise, if |accountsList|'s size is 1:
1. Set |account| to |accountsList|[0].
1. Set |accountState| to the result of running the [=compute the connection status=] algorithm
given |provider|, |account|, and |globalObject|.
1. If |accountState| is [=compute the connection status/disconnected=], set |permission|
to the result of running [=request permission to sign-up=] algorithm with |account|,
|config|, |provider|, and |globalObject|.
1. If |accountState| is [=compute the connection status/disconnected=],
let |permission| be the result of running [=request permission to sign-up=] algorithm
with |account|, |accountState|, |config|, |provider|, and |globalObject|.
1. Otherwise, show a dialog to request user permission to sign in via |account|, and set the
result in |permission|.
1. Otherwise:
1. Let |account| be the result of running the [=select an account=] from the
1. Set |account| to the result of running the [=select an account=] from the
|accountsList|.
1. If |account| is failure, return failure.
1. Let |accountState| be the result of running the [=compute the connection status=] algorithm
1. Set |accountState| to the result of running the [=compute the connection status=] algorithm
given |provider| and |account|.
1. If |accountState| is [=compute the connection status/disconnected=]:
1. Let |permission| be the result of running the [=request permission to sign-up=]
algorithm with |account|, |config|, |provider|, and |globalObject|.
1. Otherwise, set |permission| to true.
1. Wait until the [=user agent=]'s dialog is closed.
1. If |permission| is false, return failure.
1. Wait until the [=user agent=]'s dialogs requesting for user choice or permission to be
closed, if any are created in the previous steps.
1. Assert: |account| is not null.
1. If |permission| is false, then return failure.
1. Let |credential| be the result of running the [=fetch an identity assertion=] algorithm with
|account|'s {{IdentityProviderAccount/id}}, |provider|, |config|, and
|globalObject|.
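Review bot: The auto-reauthentication branch ("If |mediation| is not required, |requiresUserMediation| is false, and |numRegisteredAccounts| is equal to 1") sets |account| and |accountState| but never sets |permission|, which starts out as "Let |permission| be false", so the later step "If |permission| is false, then return failure" rejects every auto-reauthentication. Add "Set |permission| to true" in that branch. Smaller points in the same steps: |accountState| is assigned with "Set" in all three branches but is never declared with "Let"; the disconnected case of the single-account branch says "let |permission| be" for a variable that already exists, and passes |accountState| to [=request permission to sign-up=] while the multi-account branch calls it without that argument; and the new steps use both [=compute account state=] (compared against {{registered}}) and [=compute the connection status=] (compared against disconnected), so pick one algorithm name and one set of result values.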