Skip to content

Specify "Use another account". #678

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Specify "Use another account". #678

Changes from 11 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
a191a15
Specify "Use another account".
cbiesinger Nov 4, 2024
3d56908
ted changes
cbiesinger Nov 7, 2024
cbd0adf
npm comment
cbiesinger Nov 7, 2024
af610e6
fix indentation
cbiesinger Nov 7, 2024
cd1c73d
fix indentation
cbiesinger Nov 7, 2024
82ea3fa
fix nit
cbiesinger Nov 7, 2024
533de6b
fix indentation
cbiesinger Nov 7, 2024
20b53f0
oxford commas
cbiesinger Nov 22, 2024
c9b78be
Merge remote-tracking branch 'origin' into otheraccount
cbiesinger Nov 22, 2024
ccf4850
Merge remote-tracking branch 'origin/main' into otheraccount
cbiesinger Mar 13, 2025
b5417b3
single boolean
cbiesinger Mar 13, 2025
ab1d327
otherwise
cbiesinger Mar 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 41 additions & 15 deletions spec/index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -828,6 +828,9 @@ the exception thrown.
1. Let |config| be the result of running [=fetch the config file=] with
|provider| and |globalObject|.
1. If |config| is failure, return (failure, false).
1. Let |supportsUseOtherAccount| be the value of |config|.
{{IdentityProviderAPIConfig/supports_use_other_account}} if |options|.
{{IdentityCredentialRequestOptions/mode}} is `"active"`, otherwise `"false"`.
1. <dfn>Fetch accounts step</dfn>: Let |accountsList| be the result of
[=fetch the accounts=] with |config|, |provider|, and |globalObject|.
1. If |accountsList| is failure, or the size of |accountsList| is 0:
Expand Down Expand Up @@ -914,18 +917,25 @@ the exception thrown.
1. Otherwise, if |accountsList|'s size is 1:
1. Set |account| to |accountsList|[0].
1. If [=compute the connection status=] of |account|, |provider|, and |globalObject| returns
[=compute the connection status/connected=], show a dialog to request user permission to sign
in via |account|, and set the result in |permission|. The user agent MAY use |options|'s
{{IdentityCredentialRequestOptions/context}} and |options|'s
{{IdentityCredentialRequestOptions/mode}} to customize the dialog.
[=compute the connection status/connected=]:
1. Show a dialog to request user permission to sign in via |account|, and set the result
in |permission|. The user agent MAY use |options|'s
{{IdentityCredentialRequestOptions/context}} and |options|'s
{{IdentityCredentialRequestOptions/mode}} to customize the
dialog.
1. If |supportsUseOtherAccount| is true, that dialog MUST provide
an affordance to use another account. If that affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider|, and |globalObject|.
1. If that returned success, go back to the [=fetch accounts step=].
1. Otherwise, let |permission| be the result of running [=request permission to sign-up=]
algorithm with |account|, |config|, |provider|, and |globalObject|. Also set
|permissionRequested| to true if the user agent [=supports showing a permission prompt=].
algorithm with |account|, |supportsUseOtherAccount|, |config|, |provider|, and
|globalObject|. Also set |permissionRequested| to true if the user
agent [=supports showing a permission prompt=].
1. Otherwise:
1. Set |account| to the result of running the [=select an account=] from the
|accountsList|.
1. Set |account| to the result of running [=select an account=] with
|accountsList|, |supportsUseOtherAccount|, |config|, |provider|, and |globalObject|.
1. If |account| is failure, return (failure, true).
1. If [=compute the connection status=] of |account|, |provider| and |globalObject| is
1. If [=compute the connection status=] of |account|, |provider|, and |globalObject| is
[=compute the connection status/connected=], set |permission| to true.
1. Otherwise, if |provider|.{{IdentityProviderRequestOptions/fields}} is [=list/empty=],
[=create a connection between the RP and the IdP account=] with |provider|, |account|,
Expand All @@ -935,7 +945,8 @@ the exception thrown.
algorithm, but we do not want to show an extra dialog in this case.
1. Otherwise:
1. Let |permission| be the result of running the [=request permission to sign-up=]
algorithm with |account|, |config|, |provider|, and |globalObject|.
algorithm with |account|, |supportsUseOtherAccount|, |config|,
|provider|, and |globalObject|.
1. Set |permissionRequested| to true.
1. Wait until the [=user agent=]'s dialogs requesting for user choice or permission to be
closed, if any are created in the previous steps.
Expand Down Expand Up @@ -1117,6 +1128,7 @@ dictionary IdentityProviderAPIConfig {
required USVString login_url;
USVString disconnect_endpoint;
IdentityProviderBranding branding;
boolean supports_use_other_account = false;
USVString account_label;
};
</xmp>
Expand Down Expand Up @@ -1370,10 +1382,16 @@ dictionary IdentityAssertionResponse {
<!-- ============================================================ -->

<div algorithm>
To <dfn>select an account</dfn> given an |accountsList|, run the following steps. This returns an
{{IdentityProviderAccount}} or failure.
To <dfn>select an account</dfn> given an |accountsList|, a boolean
|supportsUseOtherAccount|, an {{IdentityProviderAPIConfig}} |config|, an
{{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following
steps. This returns an {{IdentityProviderAccount}} or failure.
1. Assert |accountsList|'s [=list/size=] is greater than 1.
1. Display an account chooser displaying the options from |accountsList|.
1. If |supportsUseOtherAccount| is true, the account chooser MUST provide
an affordance to use another account. If that affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider| and |globalObject|.
1. If that returned success, go back to the [=fetch accounts step=].
1. Let |account| be the {{IdentityProviderAccount}} of the account that the user
manually selects from the accounts chooser, or failure if no account is selected.
1. Return |account|.
Expand All @@ -1384,9 +1402,11 @@ waits for the user to grant permission to use the given account, and returns whe
granted permission or not.

<div algorithm="request permission to sign-up">
To <dfn>request permission to sign-up</dfn> the user with a given an {{IdentityProviderAccount}} |account|,
an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} |provider|, and a
|globalObject|, run the following steps. This returns a boolean.
To <dfn>request permission to sign-up</dfn> the user with a given an
{{IdentityProviderAccount}} |account|, a boolean |supportsUseOtherAccount|, an
{{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}}
|provider|, and a |globalObject|, run the following steps. This returns a
boolean.
1. Assert: These steps are running [=in parallel=].
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parallel steps would be better presented as bullets (which might bullets within a numbered step), rather than as numbered steps. As this stands, I am unsure exactly which steps are running in parallel.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would not be correct. Please check the definition of "in parallel": https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The definition of "in parallel" is not sufficient for me (and I have some familiarity with the subject) to know whether the numbered steps (1)-(20) of which this Assert is (1) are to run in parallel with each other (which appears possible, and indeed, the most likely meaning) or that this sequence of 20 steps is to occur in parallel with other operations (sequences, single steps, etc.) in the spec.

Presuming that one goal of writing this specification is to have it be comprehensible by readers who are new to the subject, I suggest that some rewording would be helpful.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A PR to the HTML spec is welcome, but I think it's pretty clear personally:

means those steps are to be run, one after another

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"In parallel" does not mean "in sequence", no matter what spec is written as if it does.

Also, I highly doubt that most readers of this spec will go to the HTML spec, so while I may well submit a PR there (if I can find where to do so; it wasn't obvious when I looked for it yesterday), I think it better to provide more clarity in the FedCM spec.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For better or worse, "in parallel" is an existing term in specland. Ted, do you have a specific suggestion for how to improve this?

In general we should assume that readers either know what these terms mean or click through to their definition, IMO.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(https://github.com/whatwg/html/blob/main/source is where you would send PRs for the HTML spec)

Copy link
Contributor

@TallTed TallTed Nov 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, GitHub's web interface (my primary tool) can't handle docs the size of that WHATWG source. But, I was able to view it, and noted the "parallel queue".

<p>A <dfn export>parallel queue</dfn> represents a queue of algorithm steps that must be run in 
series.</p>

I think that's a more apt description of this 20-step sequence. Something like

Suggested change
1. Assert: These steps are running [=in parallel=].
1. Assert: These steps comprise a [=parallel queue=] that should run [=in parallel=] with any other active algorithms and/or [=parallel queues=].

(That does presume that plurals of defined terms are properly handled; the last might need change from [=parallel queues=] to [=parallel queue=].)

I've added a note to whatwg/html#10049, but noting that they have 1923 open issues and 169 pending pull requests, I don't have high hopes of it being addressed in a timely fashion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@domenic — Your thumb-down emoji doesn't communicate even as well as the "in parallel" that is meant to be understood as some language other than English. If you have an argument against my points, please do me the courtesy of writing it out.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am at a loss. @domenic, you are not participating usefully. Please refrain from emoting unexplained "thumb down". If you have an argument against what I've said, please put into words, so I and others can consider your point(s) against my own.

1. Let |fields| be |provider|.{{IdentityProviderRequestOptions/fields}} or, if not present,
`["name", "email", "picture"]`.
Expand Down Expand Up @@ -1426,6 +1446,12 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}}
1. The user agent MAY use the
{{IdentityCredentialRequestOptions/context}} and |provider|'s
{{IdentityCredentialRequestOptions/mode}} to customize the dialog shown.
1. If |supportsUseOtherAccount| is true, the account chooser MUST
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if this should instead be covered by showing an initial step to select an account if this is true, otherwise go direct to request permission?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're suggesting that we should require showing the account chooser first if "supports use other account" is true, even if there is only one account signed in to the IDP?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea... that matches the Chrome implementation (for active mode which the only case we are keeping anyways)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds reasonable to me.

provide an affordance to use another account unless such an affordance was
provided in a previous step (e.g., if [=select an account=] was invoked). If
that affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider|, and |globalObject|.
1. If that returned success, go back to the [=fetch accounts step=].
1. If the user does not grant permission, return false.
1. Return true.
</div>
Expand Down