w3c-fedid/FedCM Issues

Last updated Jun 4, 2025, 5:56:49 AM UTC.

This repository doesn't have the Priority: Eventually label that's used to mark an issue as triaged without giving it an SLO. Until that's added, this summary uses heuristics to guess if each issue has been triaged.

Untriaged

Try to triage issues within . [ More Info ]

Issue Title Within SLO On maintainers' plates for Time left Time past SLO
#5 Conceptual Scope w.r.t. OpenID Connect/OAuth 2.0
#83 delegation-oriented api requires "consequence-free" - must be free of entropy bits which could enable global tracking when IDPs and RPs collude
#244 Resource Access 1.1.5 interaction model is vague
#294 [Technical] Better specify AbortController support
#312 Add note about PP / TOS
#336 Validate that account_ids are unique
#371 API should be disabled in Fenced Frames
#384 Add non-normative note about compromised renderer
#386 FedCM issues
#387 Remove language referring to sign-up and sign-in, amplify in browser state machine
#407 [Context API] - Authz / relation to ability to specificy scope
#441 The IDP has to support additional infrastructure to support FedCM
#469 Align on user flow for initial and returning FedCM prompts
#487 Erroneous link to JSON object in automation section of spec
#493 Should clearing IDP state also clear RP state?
#495 Should getUserInfo() use an IdentityProviderConfig?
#499 Validate urls once the config fetch occurs
#540 Evaluate string types in the spec
#564 FedCM 4 R&E: Filtering IdPs
#565 FedCM 4 R&E: Technical Considerations
#611 Move the WPTs out of the credential-manager directory
#615 In addition to "use", "continue", "signin" and "signup", consider adding "pay" or "checkout"
#625 Returning accounts go first in getUserInfo
#645 User Info API vs. preventSilentAccess
#665 Thoughts on FedCM full vs FedCM lite
#688 Missing tasks in parallel steps in Federated Credential Management API
#702 Skip accounts_endpoint call when there's no chance of success
#726 getUserInfo definition bug: the connected account set computation uses the iframe's global to compute the connected account set key where it should use the top frame's global
#727 getUserInfo should only reject with exceptions, not throw and reject in different cases
#728 getUserInfo implicitly converts `IdentityProviderConfig` provider, into `IdentityProviderRequestOptions`
#732 Make connected accounts set a quadruple

Agenda

Try to maintain fewer than 25 agenda items and discuss issues on the agenda within . [ More Info ] [ See these issues on Github ]

Issue Title Within SLO On the agenda for Time left Time past SLO
#498 Add API to show error messages from failed token fetches