FedCM and GDPR regulations

[dusekjan]

Hello,
As identity providers, we must comply with the GDPR regulations within the European Union. We have already started experimenting with FedCM in development and I would like to ask if it will be possible to change or extend the list of user data (inside the disclosure text) that we as identity providers submit to the RP once the dialogue with FedCM has been agreed.

The problem is that we have to show the user in the FedCM dialog all his user data that we want to pass to the RP after clicking on "Continue as...".

Currently the disclosure text is as follows:

To continue, idp.com will share your name, email address, and profile picture with this site. See ...

In addition to the name, email, profile picture, we would need to append information about providing other data, for example whether the person is an adult or not. However, it would be best if we had full control over the user data displayed, ideally sending a list of all items in some HTTP response.

[npm1]

This seems related to #477. With that proposal, IDP can request custom scopes and the use a continue_on URL to display what they want to the user before providing the token to the RP. Does that seem like it would solve your use case?

[dusekjan]

Thanks for the reply.

Does that seem like it would solve your use case?

yes, it seems to me that this would solve the problem.

This seems related to #477.

I'll keep an eye on the news within this Issue, and when this new feature makes it into the documentation, I'll implement it.