Liquid Surf — Can FedCM improve the user experience of decentralized ecosystems?

Submitted by Style Pass, 2024-04-29 20:30:06

FedCM, short for Federated Credential Management, is a new draft specification for web browsers, published by the Federated Identity Community Group and strongly driven by teams from Google. It changes how websites handle sign-in through external identity providers (“Sign in with GitHub/Google/etc.”) while preserving user privacy. The initial motivation was to keep federated login working without third-party cookies, which browsers are phasing out. As described by Google:

FedCM is a method that allows users to log into websites through federated identity services, such as “Sign in with…”, without sharing personal information with either the identity service or the website.

Traditionally, when you log into a website using an external identity provider (say, “Sign in with GitHub”), you are redirected to the provider’s login page and then back again. That is the classic flow of federated authentication protocols such as OIDC and OAuth 2.0. FedCM changes this flow by making the browser an intermediary between the website (the Relying Party, RP) and, in this example, GitHub (the Identity Provider, IDP). If the user has previously signed in to the IDP, the browser can, on later visits to the RP, request an identity token (typically a JWT ID token) from the IDP on the user’s behalf and hand it to the RP without redirecting to the IDP: the browser itself sends the IDP’s session cookie, in a request the RP’s JavaScript can neither read nor forge. The RP still receives an IDP-issued token that it must verify (signature, audience, nonce) exactly as before; what changes is the transport, not the trust. The familiar hops from the RP to the IDP and back are gone.

In the following example Alice has logged into her IDP beforehand and is now visiting the RP again, where her session has expired. Time for a new token.
