w3c-fedid · tttzach · Oct 2, 2024 · Oct 3, 2024 · Oct 3, 2024 · Oct 3, 2024
diff --git a/spec/index.bs b/spec/index.bs
@@ -784,29 +784,34 @@ or a pair (failure, bool), where the bool indicates whether to skip delaying
 the exception thrown.
     1. Assert: These steps are running [=in parallel=].
     1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}.
-    1. If |mode| is [=active=]
-        1. If [=transient activation=] is not present, return (failure, true).
-        1. If [=transient activation=] is present and there is a pending
-            request where |mode| is [=passive=], cancel the previous request
-            as if a {{CredentialRequestOptions/signal}} of
-            [=AbortSignal/aborted=] was given to it.
+    1. Let |globalObject| be the [=current global object=].
+    1. Let |W| be |globalObject|'s [=associated Window=].
+    1. If |mode| is [=active=]:
+        1. If |W| does not have [=transient activation=], return (failure, true).
+        1. Otherwise, and if there is a pending request on |W|'s top-level browsing
+            context where |mode| is [=passive=], reject the previous request.
     1. Let |loginStatus| be the result of [=get the login status=] with
         the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}.
     1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=].
-    1. If |loginStatus| is [=logged-out=]
-
-        1. If |mode| is [=active=],
-            [=fetch the config file=] and [=show an IDP login dialog=].
-        1. If |mode| is [=passive=], the user agent MUST do one of the following:
+    1. If |loginStatus| is [=logged-out=]:
+        1. If |mode| is [=active=]:
+            1. Let |config| be the result of running [=fetch the config file=]
+                with |provider| and |globalObject|.
+            1. If |config| is failure, return (failure, true).
+            1. [=Show an IDP login dialog=] with |config| and |provider|.
+            1. If that algorithm returns failure, return (failure, true).
+        1. Otherwise, the user agent MUST do one of the following:
             * Return (failure, false).
             * Prompt the user whether to continue. If the user continues, the user
                 agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an
                 affordance to [=show an IDP login dialog=].
-
                 * If the user cancels this dialog, return (failure, true).
-                * If the user triggers this affordance,
-                    [=fetch the config file=] and [=show an IDP login dialog=].
-
+                * If the user triggers this affordance:
+                    1. Let |config| be the result of running [=fetch the config file=]
+                        with |provider| and |globalObject|.
+                    1. If |config| is failure, return (failure, true).
+                    1. [=Show an IDP login dialog=] with |config| and |provider|.
+                    1. If that algorithm returns failure, return (failure, true).
     1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s
         [=requires user mediation=].
     1. Let |mediation| be |options|'s {{CredentialRequestOptions/mediation}}.
@@ -895,7 +900,7 @@ the exception thrown.
         1. Set |account| to |accountsList|[0].
         1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns
             [=compute the connection status/connected=], show a dialog to request user permission to sign
-            in via |account|, and set the result in |permission|. The user agent SHOULD use |options|'s
+            in via |account|, and set the result in |permission|. The user agent MAY use |options|'s
             {{IdentityCredentialRequestOptions/context}} and |options|'s
             {{IdentityCredentialRequestOptions/mode}} to customize the dialog.
         1. Otherwise, let |permission| be the result of running [=request permission to sign-up=]
@@ -1303,7 +1308,7 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}}
             is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of
             |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display
             the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link.
-        1. The user agent SHOULD use the
+        1. The user agent MAY use the
             {{IdentityCredentialRequestOptions/context}} and |options|'s
             {{IdentityCredentialRequestOptions/mode}} to customize the dialog shown.
     1. If the user does not grant permission, return false.