Agenda: FedID CG/WG call - FedCM - 19 May 2026

Hello FedCM enthusiasts!

Tuesday's call will be dedicated to PR 815. The comments on that are a lot, so while I encourage people to review the PR, I get it might be a bit much. And, frankly, we need to up-level the conversation if we're going to bring that PR to resolution.

PR #815 proposes a mechanism that would allow Identity Providers to handle certain FedCM requests using a Service Worker-based mechanism. The motivating use cases include request signing / proof-of-possession patterns such as DPoP, operational failover, geographic or jurisdiction-specific routing, caching during outages, and integration with legacy identity systems. The discussion has raised detailed questions across FedCM request processing, Service Worker dispatch, Fetch semantics, privacy, and IDP security expectations. Some of the detailed review appears to depend on higher-level direction from the WG. For example, we should clarify what privacy and security properties need to be accounted for in the IdP Interception proposal. If a FedCM request is handled by an IDP-controlled Service Worker rather than sent directly by the browser, what properties must remain true? For example, what may the handler learn compared with the current browser-direct request path? Is fallback to the ordinary network path always acceptable, or are there cases where the IDP must be able to fail closed?

Speaking as chair, I would like to separate those direction-setting questions from line-by-line spec review. I am not taking a position on the proposal, but I would like to make sure the CG and WG has a shared understanding of the problem and the boundaries so we can make an explicit decision on what needs to be in the PR.


The agenda is here: https://github.com/w3c-fedid/meetings/blob/main/2026/2026-05-19-FedCM-agenda.md

See you on Tuesday!


Heather Flanagan (she/hers)
Principal, Spherical Cow Consulting
 hlf@sphericalcowconsulting.com
 sphericalcowconsulting.com