Re: [w3ctag/design-reviews] Early Design Review: Lightweight FedCM (Issue #986)

Thank you for the look!

> When reviewing the explainer, it wasn't immediately obvious why this deserves a new web feature when sites could "just" use the existing FedCM API. 

:+1:, further emphasis on the simplicity of use relative to the existing FedCM API is worth calling out in the introduction.

>  [...] it seems to make the case that this new proposal is almost uniformly simpler than FedCM. The only downside seems to be that there's less IDP-provided information shown in the dialog? 

Sam beat me to much of the punch here. 

It does boil down to the power of dynamically fetching the account information in the existing FedCM API. This gives those freshness guarantees. I actually developed this proposal because I didn't see those freshness guarantees shared by any IDPs participating in FedID CG and the complexity of using FedCM was a concern. We had one idea on how to get those freshness guarantees to Lightweight FedCM involving the Push API and making `navigator.credentials.store` available on ServiceWorkers, but never pursued it.

There is one more difference that is unlocked by the push of account information here: we allow a few more IDP use-cases. Because Lightweight FedCM does not send unpartitioned requests in the background, it allows an arbitrary navigation if a credential isn't found, rather than being restricted to a single URL linked by a `.well-known` file stored on the site's root. This isn't really covered in the explainer, nor the wiki tables yet, so sorry for this lack of clarity.

> Given this simplicity, why does the more-complex FedCM API need to stay in the platform?

This proposal was initially designed and adopted by FedID CG as an independent Credential type and alternative to FedCM. In fact, it still operates as a fully functional subset of FedCM! However, we moved it to be a separate "operating mode" of FedCM because of the significant degree of overlap, to neither fanfare nor complaint in FedID CG. The idea being to leave the complicated bits for those that desperately need them. I personally am not wed to any spelling or names, though I cannot speak for my coauthor or the chairs.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/986#issuecomment-2315921541

Message ID: <w3ctag/design-reviews/issues/986/2315921541@github.com>

Received on Wednesday, 28 August 2024 17:40:13 UTC