Specify multiple configURLs (#667)

* Specify multiple configURLs

Bug: #552

* Address comments from TallTed

* don't return within the fetch handler

* skip fetch if same-site

* wellknown

Author: cbiesinger

spec/index.bs

@@ -947,11 +947,12 @@ or failure.
     1. Set |rootUrl|'s [=url/scheme=] to |configUrl|'s [=url/scheme=].
     1. Set |rootUrl|'s [=url/host=] to |configUrl|'s [=url/host=]'s [=host/registrable domain=].
     1. Set |rootUrl|'s [=url/path=] to the <a>list</a> «".well-known", "web-identity"».
-    1. Let |config|, |configInWellKnown| both be null.
+    1. Let |config|, |wellKnown|, |accounts_url|, and |login_url| be null.
+    1. Let |skipWellKnown| be false.
     1. Let |rpOrigin| be |globalObject|'s [=associated Document=]'s [=Document/origin=].
     1. If |rpOrigin| is not an [=opaque origin=], and |rootUrl|'s [=url/host=] is equal
         to |rpOrigin|'s [=host/registrable domain=], and |rootUrl|'s [=url/scheme=] is
-        equal to |rpOrigin|'s [=origin/scheme=], set |configInWellKnown| to true.
+        equal to |rpOrigin|'s [=origin/scheme=], set |skipWellKnown| to true.
 
         Note: Because domain cookies are valid across an entire site, there is no privacy
             benefit from doing the well-known check if the RP and IDP are in the same site.
@@ -985,22 +986,18 @@ or failure.
             [pull request](https://github.com/whatwg/fetch/pull/1533) for details.
 
         1. [=Fetch request=] with |wellKnownRequest| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
-            set to the following steps given a <a spec=fetch for=/>response</a> |response| and |responseBody|:
+            set to the following steps, given a <a spec=fetch for=/>response</a> |response| and |responseBody|:
             1. Let |json| be the result of [=extract the JSON fetch response=] from |response| and
                 |responseBody|.
-            1. [=converted to an IDL value|Convert=] |json| to an {{IdentityProviderWellKnown}},
-                |discovery|.
+            1. Set |wellKnown| to the result of [=converted to an IDL value|converting=] |json|
+                to an {{IdentityProviderWellKnown}}.
             1. If one of the previous two steps threw an exception, or if the
-                [=list/size=] of |discovery|["{{IdentityProviderWellKnown/provider_urls}}"] is
-                greater than 1, set |configInWellKnown| to false.
+                [=list/size=] of |wellKnown|["{{IdentityProviderWellKnown/provider_urls}}"] is
+                greater than 1, set |wellKnown| to failure.
 
                 Issue: [relax](https://github.com/fedidcg/FedCM/issues/333) the size of the
                 provider_urls array.
 
-            1. Otherwise, set to |configInWellKnown| to true if
-                |discovery|["{{IdentityProviderWellKnown/provider_urls}}"][0] [=string/is=] equal to
-                |provider|'s {{IdentityProviderConfig/configURL}}, and to false otherwise.
-
     1. Let |configRequest| be a new <a spec=fetch for=/>request</a> as follows:
 
         :  [=request/url=]
@@ -1038,11 +1035,31 @@ or failure.
         1. [=converted to an IDL value|Convert=] |json| to an {{IdentityProviderAPIConfig}} stored
             in |config|.
         1. If one of the previous two steps threw an exception, set |config| to failure.
-        1. Set |config|.{{IdentityProviderAPIConfig/login_url}} to the result of [=computing
-            the manifest URL=] with |provider|, |config| and |globalObject|.
-        1. If |config|.{{IdentityProviderAPIConfig/login_url}} is null, return failure.
-    1. Wait for both |config| and |configInWellKnown| to be set.
-    1. If |configInWellKnown| is true, return |config|. Otherwise, return failure.
+        1. Set |login_url| to the result of [=computing the manifest URL=] with |provider|,
+            |config|.{{IdentityProviderAPIConfig/login_url}}, and |globalObject|.
+        1. Set |accounts_url| to the result of [=computing the manifest URL=] with |provider|,
+            |config|.{{IdentityProviderAPIConfig/accounts_endpoint}}, and |globalObject|.
+        1. If |login_url| or |accounts_url| is failure, set |config| to failure.
+    1. Wait for |config| to be set.
+    1. If |config| is failure, return failure.
+    1. If |skipWellKnown| is true, return |config|.
+    1. Wait for |wellKnown| to be set.
+    1. If |wellKnown| is failure, return failure.
+    1. If |wellKnown|.{{IdentityProviderWellKnown/accounts_endpoint}} and
+        |wellKnown|.{{IdentityProviderWellKnown/login_url}} are set:
+        1. Let |well_known_accounts_url| be the result of [=computing the manifest URL=] with
+            |provider|, |wellKnown|.{{IdentityProviderWellKnown/accounts_endpoint}},
+            and |globalObject|.
+        1. Let |well_known_login_url| be the result of [=computing the manifest URL=] with |provider|,
+            |wellKnown|.{{IdentityProviderWellKnown/login_url}}, and |globalObject|.
+        1. If |well_known_accounts_url| is not [=url/equal=] to |accounts_url|, return failure.
+        1. If |well_known_login_url| is not [=url/equal=] to |login_url|, return failure.
+    1. Otherwise:
+        1. Let |allowed_config_url| be the result of [=computing the manifest URL=] with |provider|,
+            |wellKnown|.{{IdentityProviderWellKnown/provider_urls}}[0], and |globalObject|.
+        1. If |allowed_config_url| is not [=url/equal=] to |configUrl|, return failure.
+    1. Return |config|.
+
 </div>
 
 NOTE: a two-tier file system is used in order to prevent the [=IDP=] from easily determining the [=RP=]
@@ -1055,7 +1072,9 @@ path manipulation to fingerprint (for instance, by including the RP in the path)
 
 <xmp class="idl">
 dictionary IdentityProviderWellKnown {
-  required sequence<USVString> provider_urls;
+  sequence<USVString> provider_urls;
+  USVString accounts_endpoint;
+  USVString login_url;
 };
 
 dictionary IdentityProviderIcon {