Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Augment autofill with a conditional get #694

Open
samuelgoto opened this issue Jan 16, 2025 · 6 comments
Open

Augment autofill with a conditional get #694

samuelgoto opened this issue Jan 16, 2025 · 6 comments

Comments

@samuelgoto
Copy link
Collaborator

samuelgoto commented Jan 16, 2025
edited
Loading

There is a big intersection between the data that is available to FedCM and autofill, most notably, verified email addresses. Email addresses, in particular, are interesting because verifying them today is super cumbersome with magic links, so anything that helps there would be great.

I think it would be really cool if we could call FedCM conditionally (much like you can call Passkeys conditionally), and connect it to autofill.

Here is more or less what I have in mind:

<html>
  <script>
    // calls FedCM's conditional get
    const {token} = await navigator.credentials.get({
      mediation: "conditional",
      providers: [{
        // assumes email.com has exposed itself as a FedCM IdP:
        configURL: "https://email.com",
        // ... other fedcm parameters ...
      }]
    });
  </script>

  Welcome to my website! 

  Enter your email to create an account!

  <form>
     <!-- augments the self-asserted list of email addressed with verified ones -->
     <input type="email" autocomplete="email fedcm">
     <input type="submit">
  </form>
</html>

It is not clear to me what the UX would look like, but here is more or less what I have in mind:

Image

This isn't a particularly new idea (see this presentation from 2021), but I think we have built enough infrastructure in FedCM that this is more adjacent now.
@timcappalli
Copy link

So the browser would introspect the token returned by the IdP/AS and parse out the email claim?

If so, it is a bit complicated because just because the email is passed in an ID token, doesn't mean it was ever verified. There is an optional email_verified claim that can be included in the ID token to convey that the issuer verified the email in some way. So at a minimum, that would need to be checked to realistically give any kind of "Verified by: " UI.

As an aside, there have quite a few security incidents in the industry related to this (specifically related to email being used as an identifier where it was assumed to be verified). Even if it is the email provider and IdP are the same, and asserting based on assumed ownership of the identifier, most IdPs allow usernames/email addresses for domains they are not responsible for. For example, I can create a Google account with the identifier "[email protected]".

@aaronpk
Copy link

aaronpk commented Jan 17, 2025

I'm not quite clear on the proposal. Is it:

  • to use FedCM-verified email addresses in email autofill fields? or
  • to call FedCM with a specific email address in an <input> field rather than the current FedCM trigger mechanisms?

It's also not clear from the notes here whether the email address appears in the autocomplete before or after the FedCM exchange complete.

@timcappalli
Copy link

The latter being the closest to how WebAuthn autofill works.

@samuelgoto
Copy link
Collaborator Author

samuelgoto commented Jan 17, 2025
edited
Loading

just because the email is passed in an ID token, doesn't mean it was ever verified.

Yeah, I think we'd probably need a filter where the iss's origin (or maybe the configURL's origin) and the email's origin are the same, or something like that (maybe also include testing for RWS membership).

to use FedCM-verified email addresses in email autofill fields? or

I'm not quite sure I understand the distinction. I initially thought it was more like the former, but on second read, I think it is the latter. Does my code snippet help clarify that?

It's also not clear from the notes here whether the email address appears in the autocomplete before or after the FedCM exchange complete.

Before.

@jyasskin
Copy link
Contributor

(Ignoring for now that email_verified is terrible...) When and how should the proof be given to the website? e.g. I have a form

<form action="./submit.php">
  <input type="email" autocomplete="email fedcm">
  <input type="text" autocomplete="name fedcm">
  <input type="tel" autocomplete="tel fedcm">
  <input type="submit">
</form>

When I pick the 'verified by Google' email address from the dropdown, does the Promise resolve immediately? What if I also want to pick the 'verified by Google' name? And the 'verified by AT&T' phone number even though Google is also capable of verifying a phone number?

I kinda want to say that the result should be communicated through a field on the HTMLInputElement that updates with the change event, and by somehow encoding it into the form submission. And that it should eventually be possible to configure the request declaratively, without needing Javascript to execute to call navigator.credentials.get()....

@yi-gu yi-gu added agenda+ Regular CG meeting agenda items and removed agenda+ Regular CG meeting agenda items labels Mar 12, 2025
@wseltzer
Copy link
Collaborator

wseltzer commented Mar 21, 2025
edited
Loading

Discussed March 11, with demos (screenshots in minutes).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@jyasskin @aaronpk @wseltzer @samuelgoto @timcappalli @yi-gu