
Status of FPWD‐identified Issues (Consensus Blockers for CR)

Heather Flanagan edited this page Aug 5, 2025 · 13 revisions

This is a tracking list of issues the WG labeled as critical open issues during the FPWD process that must be formally addressed before publication of a Candidate Recommendation.

Criteria for a feature to be in core: a second implementation that agrees with the design. All other features will be considered for an extension (which may be limited to one browser's implementation).

| Issue | Stage | Proposal | Core FedCM? |
| --- | --- | --- | --- |
| Issue 319: Allow multiple IDPs to be used | 2 | Multi-IdP API issue 5 | Yes |
| Issue 578: Allow IdPs to return JSON objects rather than Strings back to RPs | 0 | awaiting proposal | Yes |
| Issue 585: Allow IdP registration and RPs to match on a "type" – IdP Registration | 1 | IdP Registration | Yes |
| Issue 587: Why must SameSite=none? | 0 | awaiting security discussion | Yes |
| Issue 618: Support chained authentication flows before reducing heuristics and classifications/lists in navigational tracking mitigations | 0 | | Yes |
| Issue 620: Make it easier to deploy this at the eTLD+1 for registered IdPs | 1 | IdP Registration | Yes |
| Issue 729: globalObjects should be the top level window, rather than the cross site iframe when Permissions Policy is used | 0 | potential security issue? | |

Issues that are closed/merged

| Issue | Stage | Proposal | Core FedCM? |
| --- | --- | --- | --- |
| Issue 317: concerns about email in Accounts List | 1? | closed as completed 11 July | Yes |
| Issue 511: Allow signing in to additional account(s) | 2 | Add Account API | Yes |
| Issue 488: Users may be confused after showing intent to sign in but the sign-in is failed | 2? | Error API | TBD |
| Issue 320: Why Sec-FedCM-CSRF and not Sec-Fetch-Mode | 0 | Closed as resolved | |
| Issue 428: Enforce CORS on the Identity Assertions endpoint | 2 (merged) | See PR 547 | Yes |
| Issue 442: A not-yet logged in IDP has no route to success with this flow – Active Mode | 2 (merged) | Active Mode API | Yes |
| Issue 467: Use cases for Cross-Site Cookie Access through Storage Access API after FedCM grant? – SAA Auto-grant | 2 (merged into the SAA spec) | Storage Access API Auto-grant | Yes |
| Issue 537: Allow setting IDP login status from same-site subresources | 2 (merged) | See PR 538 | Yes |
| Issue 552: Allow IDPs to use multiple config files within an eTLD+1 | 2 (merged) | Multiple configURLs API | Yes |
| Issue 553: Allowing IDPs to expose different account lists in different contexts | 2 | Account Labels API | Yes |
| Issue 555: Allow IdPs to continue and finish the request in a popup window – Continuation API | 2 (merged) | Continuation API | Yes |
| Issue 556: Passing arbitrary parameters to the ID assertion endpoint | 2 (merged) | Params API | Yes |
| Issue 609: Spec says we send SameSite=Strict cookies | 0 | Closed | Yes |
| Issue 616: Once params are merged into the spec, deprecate the nonce parameter | 0 | Mark this as deprecated to be removed later -- closed with https://github.com/w3c-fedid/FedCM/pull/768 | Yes |
| Issue 626: PP/TOS requirements are different from auto reauthentication | 0 | Closed | Yes |
| Issue 700: Tracking through IDP with individualized account and client_metadata endpoints | | [closed as completed] | Yes |

Not in Core FedCM nor required for CR

| Issue | Stage | Proposal | Core FedCM? |
| --- | --- | --- | --- |
| Issue 407: [Context API] - Authz / relation to ability to specify scope | 2? | proposed non-CR blocking | Yes |
| Issue 559: Allow RPs to selectively request attributes of the user’s profile | 2 | Fields API | No |
| Issue 517: Allow user agents to use "Connected Accounts Set" with flexibility | 2? | 3PC Relaxation | No |
| Issue 352: Share performance measurement with IDP | 2? | Metrics API | No |
| Issue 240: Users can’t use IdPs outside of the ones enumerated by RPs | 1 | IdP Registration API | No |
| Issue 441: The IDP has to support additional infrastructure to support FedCM | 1 | Lightweight API | No :-( |
| Issue 677 IdP Blindness: User Info VCs | 1 | Delegation-oriented FedCM | No |
| Issue 599: OAuth profile for FedCM | 0 | Not expected to be part of the spec; identifies gaps that would result in OAuth not being useful in a FedCM flow | No |
| Issue 625: Returning accounts go first in getUserInfo | 0 | | No |
| Issue 627: Add webdriver command to open PP/TOS | 0 | This will be handled in an extension | No |