
FedCM: A New Proposed Identity Standard That Could Change Web Logins

FedCM (Federated Credential Management) is a browser API proposal that aims to provide frictionless federated login. It offers developers a secure, privacy-conscious workflow, simplifying how users log in on the web.

Key Features

  • Browser-mediated federated login that reduces reliance on passwords and third-party cookies.
  • Simple for developers: a typical web app integrates through browser API calls that connect the relying party (RP) with its identity providers (IdPs).
  • Prioritizes security and privacy, including mitigations for timing attacks, explicit user consent, and limited exposure of identity data.
  • Under active development: it’s a W3C Working Draft moving toward Recommendation status; many Chromium-based browsers implement it, and other browser vendors are reviewing the proposal.

How FedCM Works (Developer View)

Basic Flow

  • User lands on a relying party (RP) site that supports FedCM.
  • RP triggers `navigator.credentials.get()` with identity providers listed.
  • Browser shows UI for the user to select or consent to an identity provider (IdP).
  • Browser obtains an identity assertion from the IdP and returns it to the RP.
  • RP uses that assertion to create a session or log in the user.

New APIs Under FedCM

  • Login Status API: lets identity providers tell the browser when users are logged in or out, which helps avoid silent timing attacks.
  • Error API: surfaces sign-in failures through the browser’s native UI instead of failing silently.
  • Auto-Selected Flag API: tells the RP and IdP when a credential was chosen automatically rather than by an explicit user action, so they can adjust the UX accordingly.

Code Example

Using the FedCM API in JavaScript


// Example: relying party initiating FedCM login

async function loginWithFedCM() {
  try {
    const cred = await navigator.credentials.get({
      identity: {
        providers: [
          {
            configURL: 'https://idp.example.com/fedcm/manifest.json',
            clientId: 'YOUR_CLIENT_ID'
          }
        ]
      }
    });

    // cred is an IdentityCredential; cred.token carries the IdP's identity assertion.
    // The browser has only brokered it: the RP back end must still validate it
    // before creating a session.
    console.log('Identity assertion:', cred.token);

    // Auto-Selected Flag API: true when the browser re-used a previously
    // approved account without a fresh user choice.
    console.log('Auto-selected:', cred.isAutoSelected);

    return cred.token;
  } catch (err) {
    // Failures reject the promise (e.g. the user dismissed the prompt, or the IdP
    // reported an error, which the browser shows in its native UI via the Error API).
    console.error('FedCM login failed:', err);
    return null;
  }
}


Updating Login Status from IdP


// From the IdP's own origin (top-level page), when the user logs in or out.
// The browser uses this status to avoid contacting the IdP on behalf of
// signed-out users, which is the timing mitigation mentioned above. The same
// signal can also be sent as an HTTP response header: Set-Login: logged-in / logged-out.

// user logs in
navigator.login.setStatus('logged-in');

// user logs out
navigator.login.setStatus('logged-out');


Considerations for Developers

  • Browser support is strongest in Chromium-based browsers; other vendors are reviewing or planning implementations.
  • Existing login flows (cookies, OAuth, etc.) may need adjustments; evaluate how FedCM behaves when third-party cookies are blocked.
  • UX changes: consent prompts, error handling and auto-selected credential behavior all require careful design.
  • Security & privacy best practices still apply: ensure manifest files / IdP endpoints are secure, use HTTPS, validate assertions, manage logout properly.
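The last consideration, securing the IdP endpoints, is concrete enough to show in code. Below is an added example, not code from the original article or from any IdP, of the checks an IdP's FedCM id_assertion_endpoint should make before minting a token. The request shape it relies on is from the FedCM specification: the browser sends `Sec-Fetch-Dest: webidentity`, an `Origin` header naming the RP, and a form-encoded body with `account_id`, `client_id`, `nonce` and `disclosure_text_shown`. Everything else (the client registry, the session object, the `mint` callback, the `runScenarios` driver and the error body shape) is a constructed stand-in for this example; the spec's own Error API defines its own response format.

```javascript
// Added example (not from the original article): request validation for an IdP's
// FedCM id_assertion_endpoint, written as a pure function over a plain
// {method, headers, body} object so it runs without a web server.
// CONSTRUCTED: CLIENT_REGISTRY, the session object, mint(), and the error body shape.

// Constructed registry: which RP origin is allowed to present which client_id.
const CLIENT_REGISTRY = new Map([
  ['YOUR_CLIENT_ID', 'https://rp.example.org'],
]);

function deny(status, reason) {
  return { status, headers: { 'content-type': 'application/json' },
           body: JSON.stringify({ error: reason }) };
}

function handleIdAssertion(req, { registry = CLIENT_REGISTRY, sessionUser = null,
                                  mint = (c) => `token-for-${c.sub}` } = {}) {
  // Header names are case-insensitive; normalise once.
  const h = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));

  // 1. Sec-Fetch-Dest is a forbidden header: page scripts cannot set it, so the
  //    value "webidentity" proves the request came from the browser's FedCM flow.
  if (h['sec-fetch-dest'] !== 'webidentity') return deny(400, 'not a FedCM request');
  if (req.method !== 'POST' ||
      !(h['content-type'] || '').startsWith('application/x-www-form-urlencoded')) {
    return deny(400, 'unexpected method or content type');
  }
  const form = Object.fromEntries(new URLSearchParams(req.body || ''));

  // 2. client_id must be registered, and the Origin the browser reports must be
  //    the RP that registered it; otherwise any site could obtain tokens issued
  //    for another RP's client_id.
  const expectedOrigin = registry.get(form.client_id);
  if (!expectedOrigin) return deny(403, 'unknown client_id');
  if (h['origin'] !== expectedOrigin) return deny(403, 'origin does not match client_id');

  // 3. The IdP's own session cookie decides who is signed in; the account picked
  //    in the browser UI must belong to that session.
  if (!sessionUser) return deny(401, 'no IdP session');
  if (form.account_id !== sessionUser.id) return deny(403, 'account_id not owned by session');

  // 4. Echo the RP's nonce into the token so the RP can bind it to its session;
  //    bound its size so the field cannot become a free-text channel into the token.
  if (!form.nonce || form.nonce.length > 256) return deny(400, 'missing or oversized nonce');

  const token = mint({ sub: sessionUser.id, aud: form.client_id, nonce: form.nonce,
                       disclosed: form.disclosure_text_shown === 'true' });
  return { status: 200, headers: { 'content-type': 'application/json' },
           body: JSON.stringify({ token }) };
}

// Constructed requests exercising each check above.
const GOOD_REQUEST = {
  method: 'POST',
  headers: { 'Sec-Fetch-Dest': 'webidentity', 'Origin': 'https://rp.example.org',
             'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'account_id=u1&client_id=YOUR_CLIENT_ID&nonce=abc123&disclosure_text_shown=true',
};
const SESSION_USER = { id: 'u1' };

function runScenarios() {
  const withHeaders = (extra) =>
    ({ ...GOOD_REQUEST, headers: { ...GOOD_REQUEST.headers, ...extra } });
  return {
    ok: handleIdAssertion(GOOD_REQUEST, { sessionUser: SESSION_USER }),
    notFedcm: handleIdAssertion(withHeaders({ 'Sec-Fetch-Dest': 'empty' }), { sessionUser: SESSION_USER }),
    wrongOrigin: handleIdAssertion(withHeaders({ 'Origin': 'https://other.example' }), { sessionUser: SESSION_USER }),
    noSession: handleIdAssertion(GOOD_REQUEST, {}),
    otherAccount: handleIdAssertion(GOOD_REQUEST, { sessionUser: { id: 'u2' } }),
  };
}
```

The `Origin` check against the registered RP origin is the one most often forgotten; without it the `client_id` is just a public string that any page can copy.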

Future Outlook

  • Progress toward FedCM becoming a W3C Recommendation.
  • Broader browser adoption as other vendors review and possibly implement the API.
  • Extension of the related APIs (error reporting, login status header, auto-selection flag) to polish the developer and user experience.
  • Potential standardization of flows for federated identity across many providers, reducing fragmentation.

FedCM promises to change how logins are done on the web by offering a simpler, more privacy-aware, and secure federated login standard.
For developers, it’s worth tracking, experimenting with, and preparing to adopt, since it could become the default way users authenticate in web apps.
