Specify "Use another account". #678

Merged
merged 15 commits into from
Jun 17, 2025
56 changes: 41 additions & 15 deletions spec/index.bs
Expand Up @@ -828,6 +828,9 @@ the exception thrown.
1. Let |config| be the result of running [=fetch the config file=] with
|provider| and |globalObject|.
1. If |config| is failure, return (failure, false).
1. Let |supportsUseOtherAccount| be the value of |config|.
{{IdentityProviderAPIConfig/supports_use_other_account}} if |options|.
{{IdentityCredentialRequestOptions/mode}} is `"active"`, otherwise `"false"`.
1. <dfn>Fetch accounts step</dfn>: Let |accountsList| be the result of
[=fetch the accounts=] with |config|, |provider|, and |globalObject|.
1. If |accountsList| is failure, or the size of |accountsList| is 0:
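Review bot: The fallback in the new |supportsUseOtherAccount| step is written as `"false"`, a string literal, while every later step tests "If |supportsUseOtherAccount| is true" and the IDL member is declared `boolean`; write the fallback as the boolean false so the variable has one type. The line breaks after "|config|." and after "|options|." also put whitespace inside the member access; keeping each accessor on one source line avoids that.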
Expand Down Expand Up @@ -914,18 +917,25 @@ the exception thrown.
1. Otherwise, if |accountsList|'s size is 1:
1. Set |account| to |accountsList|[0].
1. If [=compute the connection status=] of |account|, |provider|, and |globalObject| returns
[=compute the connection status/connected=], show a dialog to request user permission to sign
in via |account|, and set the result in |permission|. The user agent MAY use |options|'s
{{IdentityCredentialRequestOptions/context}} and |options|'s
{{IdentityCredentialRequestOptions/mode}} to customize the dialog.
[=compute the connection status/connected=]:
1. Show a dialog to request user permission to sign in via |account|, and set the result
in |permission|. The user agent MAY use |options|'s
{{IdentityCredentialRequestOptions/context}} and |options|'s
{{IdentityCredentialRequestOptions/mode}} to customize the
dialog.
1. If |supportsUseOtherAccount| is true, that dialog MUST provide
an affordance to use another account. If that affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider|, and |globalObject|.
1. If that returned success, go back to the [=fetch accounts step=].
1. Otherwise, let |permission| be the result of running [=request permission to sign-up=]
algorithm with |account|, |config|, |provider|, and |globalObject|. Also set
|permissionRequested| to true if the user agent [=supports showing a permission prompt=].
algorithm with |account|, |supportsUseOtherAccount|, |config|, |provider|, and
|globalObject|. Also set |permissionRequested| to true if the user
agent [=supports showing a permission prompt=].
1. Otherwise:
1. Set |account| to the result of running the [=select an account=] from the
|accountsList|.
1. Set |account| to the result of running [=select an account=] with
|accountsList|, |supportsUseOtherAccount|, |config|, |provider|, and |globalObject|.
1. If |account| is failure, return (failure, true).
1. If [=compute the connection status=] of |account|, |provider| and |globalObject| is
1. If [=compute the connection status=] of |account|, |provider|, and |globalObject| is
[=compute the connection status/connected=], set |permission| to true.
1. Otherwise, if |provider|.{{IdentityProviderRequestOptions/fields}} is [=list/empty=],
[=create a connection between the RP and the IdP account=] with |provider|, |account|,
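Review bot: In the new connected single-account branch, the sub-steps under "If that affordance is triggered" only cover the case where [=Show an IDP login dialog=] returns success; the text should say what happens when it does not, for example that the permission dialog stays open for the original |account|. The same two sub-steps are repeated in [=select an account=] and in [=request permission to sign-up=], so a single named algorithm referenced from all three places would keep the copies from drifting apart.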
Expand All @@ -935,7 +945,8 @@ the exception thrown.
algorithm, but we do not want to show an extra dialog in this case.
1. Otherwise:
1. Let |permission| be the result of running the [=request permission to sign-up=]
algorithm with |account|, |config|, |provider|, and |globalObject|.
algorithm with |account|, |supportsUseOtherAccount|, |config|,
|provider|, and |globalObject|.
1. Set |permissionRequested| to true.
1. Wait until the [=user agent=]'s dialogs requesting for user choice or permission to be
closed, if any are created in the previous steps.
Expand Down Expand Up @@ -1117,6 +1128,7 @@ dictionary IdentityProviderAPIConfig {
required USVString login_url;
USVString disconnect_endpoint;
IdentityProviderBranding branding;
boolean supports_use_other_account = false;
USVString account_label;
};
</xmp>
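Review bot: `supports_use_other_account` is added to the dictionary with a default of false, but no hunk shown in this diff adds prose describing the member for IDP authors. Add a description that says what the user agent does when it is true and that, per the step added before the [=fetch accounts step=], the value is only honored when {{IdentityCredentialRequestOptions/mode}} is `"active"`.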
Expand Down Expand Up @@ -1370,10 +1382,16 @@ dictionary IdentityAssertionResponse {
<!-- ============================================================ -->

<div algorithm>
To <dfn>select an account</dfn> given an |accountsList|, run the following steps. This returns an
{{IdentityProviderAccount}} or failure.
To <dfn>select an account</dfn> given an |accountsList|, a boolean
|supportsUseOtherAccount|, an {{IdentityProviderAPIConfig}} |config|, an
{{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following
steps. This returns an {{IdentityProviderAccount}} or failure.
1. Assert |accountsList|'s [=list/size=] is greater than 1.
1. Display an account chooser displaying the options from |accountsList|.
1. If |supportsUseOtherAccount| is true, the account chooser MUST provide
an affordance to use another account. If that affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider| and |globalObject|.
1. If that returned success, go back to the [=fetch accounts step=].
1. Let |account| be the {{IdentityProviderAccount}} of the account that the user
manually selects from the accounts chooser, or failure if no account is selected.
1. Return |account|.
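Review bot: The added sub-step "go back to the [=fetch accounts step=]" jumps into a step of the calling algorithm, while this algorithm is declared to return an {{IdentityProviderAccount}} or failure; state how control leaves [=select an account=] in that case, for example by returning a distinct value that the caller maps to the re-fetch. The new signature also types |provider| as {{IdentityProviderConfig}}, whereas [=request permission to sign-up=] in the same diff takes |provider| as {{IdentityProviderRequestOptions}}; the two should agree.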
Expand All @@ -1384,9 +1402,11 @@ waits for the user to grant permission to use the given account, and returns whe
granted permission or not.

<div algorithm="request permission to sign-up">
To <dfn>request permission to sign-up</dfn> the user with a given an {{IdentityProviderAccount}} |account|,
an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} |provider|, and a
|globalObject|, run the following steps. This returns a boolean.
To <dfn>request permission to sign-up</dfn> the user with a given an
{{IdentityProviderAccount}} |account|, a boolean |supportsUseOtherAccount|, an
{{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}}
|provider|, and a |globalObject|, run the following steps. This returns a
boolean.
1. Assert: These steps are running [=in parallel=].
1. Let |fields| be |provider|.{{IdentityProviderRequestOptions/fields}} or, if not present,
`["name", "email", "picture"]`.
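Review bot: The rewrapped opening sentence still reads "the user with a given an {{IdentityProviderAccount}} |account|"; since these lines are being rewritten anyway, drop the stray article so it reads "given an {{IdentityProviderAccount}} |account|".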
Expand Down Expand Up @@ -1426,6 +1446,12 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}}
1. The user agent MAY use the
{{IdentityCredentialRequestOptions/context}} and |provider|'s
{{IdentityCredentialRequestOptions/mode}} to customize the dialog shown.
1. If |supportsUseOtherAccount| is true, the account chooser MUST
provide an affordance to use another account unless such an affordance was
provided in a previous step (e.g., if [=select an account=] was invoked). If
that affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider|, and |globalObject|.
1. If that returned success, go back to the [=fetch accounts step=].
1. If the user does not grant permission, return false.
1. Return true.
</div>
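Review bot: The added step says "the account chooser MUST provide an affordance", but this algorithm displays the permission dialog and is also reached from the single-account path where no chooser is shown; name the dialog this algorithm actually presents. The exception "unless such an affordance was provided in a previous step" depends on state the algorithm is not given; either have the caller pass false for |supportsUseOtherAccount| after [=select an account=] has run, or add an explicit parameter recording that the affordance was already offered.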