Who are these updates for?
These updates are for you if:
- You are an IdP using the Federated Credential Management API.
- You are an IdP or RP and interested in extending the API to fit your use case – for example, you've been observing or participating in the discussions on the FedID CG repository and want to understand the changes made to the API.
- You are a browser vendor and you want to catch up on the implementation status of the API.
If you're new to this API or have not experimented with it yet, read the introduction to the Federated Credential Management API.
Roadmap
We are working on landing a number of changes to FedCM. There are a few things we know that still need to be done, including issues we heard about from IdPs, RPs and browser vendors. We believe we know how to resolve these issues:
- Multiple-IdP API: We are exploring ways to support multiple IdPs to coexist cooperatively in the FedCM account chooser.
- Registration API: We're exploring ways to allow RPs to accept any compliant IdPs, instead of listing specific ones. This will further benefit smaller IdPs.
- Improved Fields API: support more selectable identity attributes within the Fields API (such as phone number, username, and others), and improve the disclosure UI so that it better reflects the information that the RP is requesting.
- Relationship with mDLs/VCs/etc: continue working to understand how these fit within FedCM, for example with the Digital Credentials API.
- **Integration with other Chrome features **like Passkeys and Autofill.
- **Delegation-oriented FedCM: **We're experimenting with ways to extend FedCM to support 3-party token formats SD-JWT-KB, MDocs and BBS) in addition to the existing 2-party token formats (such as JWT for OIDC, SAML, etc) to mitigate the IdP Tracking Problem.
- Metrics endpoint: Provides performance metrics to IdPs.
- Enterprises and Education: As is clear at the FedID CG, there are still a lot of use cases that are not well served by FedCM that we'd like to work on, such as front-channel logout (the ability for an IdP to send a signal to RPs to logout).
