-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specify the mode API #660
base: main
Are you sure you want to change the base?
Specify the mode API #660
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally looks good. See comments below. We should probably add a Note: in some appropriate place that the user agent should consider displaying the account chooser in a louder way if mode is active.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor, human-facing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
trivial, editorial
Co-authored-by: Ted Thibodeau Jr <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, looks good modulo two minor comments
Co-authored-by: Ted Thibodeau Jr <[email protected]>
Discussed in Oct. 15 call. [minutes to be linked] |
@aaronpk @bvandersloot-mozilla @philsmart Please take a look! |
From the perspective of at least the R&E federations I am involved with, 'active' mode is a better fit. This mode supports authentication with Identity Providers (IdPs) that the user has not yet logged into (as signalled by the login status API). Supporting multiple IdPs in 'active' mode would be helpful, but it could result in the same account fetching issues as enabling multi-IdP in 'passive' mode. The 'passive' mode addressed this (if I recall correctly) by including only the IdPs you've signed into, which brings us back to the same issue (unable to use an IdP you've not logged into). This can be addressed for now by using an external IdP discovery service and populating FedCM with a single IdP in 'active' mode. For what it's worth, I agree with renaming 'button' and 'widget' to 'active' and 'passive', it is clearer. |
spec/index.bs
Outdated
1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. | ||
1. If |mode| is [=active=] | ||
1. If [=transient activation=] is not present, return (failure, true). | ||
1. If [=transient activation=] is present and there is a pending |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This part about pending request is also not precise enough. Presumably this is also scoped to something (perhaps top-level browsing context?). In addition, you are never going to reach this because we disallow this from credential management in 8.2 https://w3c.github.io/webappsec-credential-management/#algorithm-request so that will need to be modified as well at some point
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch on the scoping... let me know if |W|'s top-level browsing context works or if that should be even more specific. Should modifying 8.2 be in this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, you cannot modify 8.2 in this PR since that is a separate repo. I also filed an issue because that uses the wrong scope as well. Need to think how to fix it while also allowing the active mode to be prioritized (eg supersede a pending passive mode request)
spec/index.bs
Outdated
1. If [=transient activation=] is present and there is a pending | ||
request where |mode| is [=passive=], cancel the previous request | ||
as if a {{CredentialRequestOptions/signal}} of | ||
[=AbortSignal/aborted=] was given to it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm but isnt the abort signal only for the developer to use? This does not make sense to me, is this actually what we do?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No we don't actually use the abort signal for this case, but instead we directly reject the previous request. Though this was why its worded this way: #660 (comment)
Maybe we can get rid of as if a {{CredentialRequestOptions/signal}} of [=AbortSignal/aborted=] was given to it.
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why SHOULD?
PR further discussed in https://github.com/w3c-fedid/meetings/blob/main/2024/2024-10-22-notes.md |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review, please take another look!
spec/index.bs
Outdated
1. If [=transient activation=] is present and there is a pending | ||
request where |mode| is [=passive=], cancel the previous request | ||
as if a {{CredentialRequestOptions/signal}} of | ||
[=AbortSignal/aborted=] was given to it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No we don't actually use the abort signal for this case, but instead we directly reject the previous request. Though this was why its worded this way: #660 (comment)
Maybe we can get rid of as if a {{CredentialRequestOptions/signal}} of [=AbortSignal/aborted=] was given to it.
?
spec/index.bs
Outdated
1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. | ||
1. If |mode| is [=active=] | ||
1. If [=transient activation=] is not present, return (failure, true). | ||
1. If [=transient activation=] is present and there is a pending |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch on the scoping... let me know if |W|'s top-level browsing context works or if that should be even more specific. Should modifying 8.2 be in this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
This depends on PR w3c-fedid#660 (Mode API). Bug: w3c-fedid/active-mode#3
@bvandersloot-mozilla Friendly ping :) |
Note: discussed during https://github.com/fedidcg/meetings/blob/main/2024/2024-11-12-notes.md ; PR blocked pending @bvandersloot-mozilla review. |
Fixes w3c-fedid/active-mode#2
Preview | Diff