Skip to content

Status of FPWD‐identified Issues (Consensus Blockers for CR)

Jump to bottom
Heather Flanagan edited this page May 22, 2025 · 16 revisions

This is a tracking list of issues the WG labeled as critical open issues during the FPWD process that must be formally addressed before publication of a Candidate Recommendation.

Criteria for a feature to be in core: a second implementation that agrees with the design. All other features will be considered for an extension (which may be limited to one browser's implementation).

Issue Stage Proposal Core FedCM?
Issue 317: concerns about email in Accounts List 1? Proposal to move to Stage 1 Yes
Issue 319: Allow multiple IDPs to be used 2 Multi-IdP API Yes
Issue 407: [Context API] - Authz / relation to ability to specify scope 2? duplicate of this? Yes
Issue 467: Use cases for Cross-Site Cookie Access through Storage Access API after FedCM grant? – SAA Auto-grant 2 (merged into the SAA spec) Storage Access API Auto-grant Yes
Issue 488: Users may be confused after showing intent to sign in but the sign-in is failed 2? Error API TBD
Issue 511: Allow signing in to additional account(s) 2 Add Account API Yes
Issue 553: Allowing IDPs to expose different account lists in different contexts 2 Account Labels API Yes
Issue 578: Allow IdPs to return JSON objects rather than Strings back to RPs 0 Yes
Issue 585: Allow IdP registration and RPs to match on a "type" – IdP Registration 1 IdP Registration Yes
Issue 587: Why must SameSite=none? 0 Keeping this on the CR blocker list Yes
Issue 616: Once params are merged into the spec, deprecate the nonce parameter 0 Mark this as deprecated to be removed later Yes
Issue 618: Support chained authentication flows before reducing heuristics and classifications/lists in navigational tracking mitigations 0 Yes
Issue 620: Make it easier to deploy this at the eTLD+1 for registered IdPs 1 IdP Registration Yes

Issues that are closed/merged

Issue Stage Proposal Core FedCM?
Issue 320: Why Sec-FedCM-CSRF and not Sec-Fetch-Mode 0 Closed as resolved
Issue 428: Enforce CORS on the Identity Assertions endpoint 2 (merged) See PR 547 Yes
Issue 442: A not-yet logged in IDP has no route to success with this flow – Active Mode 2 (merged) Active Mode API Yes
Issue 537: Allow setting IDP login status from same-site subresources 2 (merged) See PR 538 Yes
Issue 552: Allow IDPs to use multiple config files within an eTLD+1 2 (merged) Multiple configURLs API Yes
Issue 555: Allow IdPs to continue and finish the request in a popup window – Continuation API 2 (merged) Continuation API Yes
Issue 556: Passing arbitrary parameters to the ID assertion endpoint 2 (merged) Params API Yes
Issue 609: Spec says we send SameSite=Strict cookies 0 Closed Yes
Issue 626: PP/TOS requirements are different from auto reauthentication 0 Closed Yes

Not in Core FedCM nor required for CR

Issue Stage Proposal Core FedCM?
Issue 559: Allow RPs to selectively request attributes of the user’s profile 2 Fields API No
Issue 517: Allow user agents to use "Connected Accounts Set" with flexibility 2? 3PC Relaxation No
Issue 352: Share performance measurement with IDP 2? Metrics API No
Issue 240: Users can’t use IdPs outside of the ones enumerated by RPs 1 IdP Registration API No
Issue 441: The IDP has to support additional infrastructure to support FedCM 1 Lightweight API No :-(
Issue 677 IdP Blindness: User Info VCs 1 Delegation-oriented FedCM No
Issue 599: OAuth profile for FedCM 0 Not expected to be part of the spec; identifies gaps that would result in OAuth not being useful in a FedCM flow No
Issue 625: Returning accounts go first in getUserInfo 0 No
Issue 627: Add webdriver command to open PP/TOS 0 This will be handled in an extension No

Clone this wiki locally