From ebc24fc095700750a3760702a86a3ae6f290fdf1 Mon Sep 17 00:00:00 2001 From: Zachary Tan Date: Wed, 2 Oct 2024 15:34:29 -0400 Subject: [PATCH 01/15] Add mode for FedCM Fixes https://github.com/w3c-fedid/active-mode/issues/2 --- spec/index.bs | 43 +++++++++++++++++++++++++++---------------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index b2462419..ef364ca2 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -624,7 +624,8 @@ The {{IdentityCredentialRequestOptions}} contains a list of {{IdentityProviderConfig}}s that the [=RP=] supports and has pre-registered with (i.e. the [=IDP=] has given the [=RP=] a `clientId`). The {{IdentityCredentialRequestOptions}} also contains a {{IdentityCredentialRequestOptionsContext}} -which the user agent can use to provide a more meaningful dialog to users. +which the user agent can use to provide a more meaningful dialog to users and {{IdentityCredentialRequestOptionsMode}} +which the user agent can use to specify different behaviors or dialog types. enum IdentityCredentialRequestOptionsContext { @@ -634,9 +635,15 @@ enum IdentityCredentialRequestOptionsContext { "continue" }; +enum IdentityCredentialRequestOptionsMode { + "active", + "passive" +}; + dictionary IdentityCredentialRequestOptions { required sequence<IdentityProviderRequestOptions> providers; IdentityCredentialRequestOptionsContext context = "signin"; + IdentityCredentialRequestOptionsMode mode = "passive"; }; 
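Review bot: The added prose describes the mode as something `the user agent can use to specify different behaviors or dialog types`, but the value is supplied by the [=RP=] in `IdentityCredentialRequestOptions` and the user agent only acts on it. The hunk also never says what `"active"` and `"passive"` mean, although the algorithm hunk further down ties `"active"` to a user gesture and to showing the IDP login dialog. I would reword the sentence to `which the [=RP=] can use to request different behaviors or dialog types` and add a one-line description of each value next to the enum, noting that `"passive"` is the default. Without that, implementers have to infer the security-relevant difference between the two modes from the algorithm steps alone.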
@@ -777,24 +784,27 @@ the exception thrown. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. + 1. Let |showIdpLoginDialog| be an affordance to [=show an IDP login dialog=]: + 1. Let |config| be the result of running [=fetch the config file=] + with |provider| and |globalObject|. + 1. If |config| is failure, return (failure, true). + 1. [=Show an IDP login dialog=] with |config| and |provider|. + 1. If that algorithm returns failure, return (failure, true). 1. If |loginStatus| is [=logged-out=], the user agent MUST do one of the following: * Return (failure, false). * Prompt the user whether to continue. If the user continues, the user - agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an - affordance to [=show an IDP login dialog=]. + agent SHOULD set |loginStatus| to [=unknown=]. This MAY include |showIdpLoginDialog| affordance. * If the user cancels this dialog, return (failure, true). - * If the user triggers this affordance: - 1. Let |config| be the result of running [=fetch the config file=] - with |provider| and |globalObject|. - 1. If |config| is failure, return (failure, true). - 1. [=Show an IDP login dialog=] with |config| and |provider|. - 1. If that algorithm returns failure, return (failure, true). - - Issue: We should perhaps provide a way to let the [=RP=] request that - the second option is provided, possibly gated on a user gesture. - See [this issue](https://github.com/fedidcg/FedCM/issues/442) for discussion. + * If the user continues, trigger |showIdpLoginDialog|. + * Trigger |showIdpLoginDialog| directly. The user agent SHOULD set |loginStatus| to [=unknown=]. + + * Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. + * If |mode| is [=passive=], return (failure, true). 
+ * If |mode| is [=active=] and user gesture is not present, return (failure, true). + * If |mode| is [=active=] and user gesture is present, trigger |showIdpLoginDialog|. + 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. 1. Let |mediation| be |options|'s {{CredentialRequestOptions/mediation}}. @@ -884,7 +894,8 @@ the exception thrown. 1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns [=compute the connection status/connected=], show a dialog to request user permission to sign in via |account|, and set the result in |permission|. The user agent MAY use |options|'s - {{IdentityCredentialRequestOptions/context}} to customize the dialog. + {{IdentityCredentialRequestOptions/context}} and |options|'s + {{IdentityCredentialRequestOptions/mode}} to customize the dialog. 1. Otherwise, let |permission| be the result of running [=request permission to sign-up=] algorithm with |account|, |config|, |provider|, and |globalObject|. Also set |disclosureTextShown| to true. @@ -1290,8 +1301,8 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link. - 1. The user agent MAY use the {{IdentityCredentialRequestOptions/context}} to customize the - dialog shown. + 1. The user agent MAY use the {{IdentityCredentialRequestOptions/context}} and |options|'s + {{IdentityCredentialRequestOptions/mode}} to customize the dialog shown. 1. If the user does not grant permission, return false. 1. [=Create a connection between the RP and the IdP account=] with |provider|, |account|, and |globalObject|. From 4fd24dadf1f51c88cff38f4c2ad7a621a4e818cc Mon Sep 17 00:00:00 2001 
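Review bot: `[=active=]` and `[=passive=]` in the added mode steps are written as dfn autolinks, but no visible hunk adds a `<dfn>` for either term; they are values of `IdentityCredentialRequestOptionsMode`. They would presumably fail to resolve, or resolve to an unrelated definition, when the spec is built. Enum values are normally linked as `{{IdentityCredentialRequestOptionsMode/active}}` and `{{IdentityCredentialRequestOptionsMode/passive}}`. The same spelling is carried through the later patches in this series (the `@@ -781,29 +781,21 @@`, `@@ -793,18 +793,19 @@` and `@@ -784,28 +784,36 @@` hunks).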
From: Zachary Tan Date: Thu, 3 Oct 2024 15:59:18 -0400 Subject: [PATCH 02/15] Update index.bs --- spec/index.bs | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index ef364ca2..95e5470d 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -623,8 +623,8 @@ This specification introduces an extension to the {{CredentialRequestOptions}} o The {{IdentityCredentialRequestOptions}} contains a list of {{IdentityProviderConfig}}s that the [=RP=] supports and has pre-registered with (i.e. the [=IDP=] has given the [=RP=] a `clientId`). -The {{IdentityCredentialRequestOptions}} also contains a {{IdentityCredentialRequestOptionsContext}} -which the user agent can use to provide a more meaningful dialog to users and {{IdentityCredentialRequestOptionsMode}} +The {{IdentityCredentialRequestOptions}} also contains an {{IdentityCredentialRequestOptionsContext}}, +which the user agent can use to provide a more meaningful dialog to users, and an {{IdentityCredentialRequestOptionsMode}}, which the user agent can use to specify different behaviors or dialog types. 
@@ -781,29 +781,21 @@ To <dfn>create an IdentityCredential</dfn> given an {{IdentityProviderRequestOpt or a pair (failure, bool), where the bool indicates whether to skip delaying the exception thrown. 1. Assert: These steps are running [=in parallel=]. + 1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. + 1. If |mode| is [=active=] + 1. If [=transient activation=] is not present, return (failure, true). + 1. If [=transient activation=] is present and if there is a pending request where |mode| is [=passive=], return (failure, true) for the pending request. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. - 1. Let |showIdpLoginDialog| be an affordance to [=show an IDP login dialog=]: - 1. Let |config| be the result of running [=fetch the config file=] - with |provider| and |globalObject|. - 1. If |config| is failure, return (failure, true). - 1. [=Show an IDP login dialog=] with |config| and |provider|. - 1. If that algorithm returns failure, return (failure, true). - 1. If |loginStatus| is [=logged-out=], the user agent MUST do one of the following: + 1. If |loginStatus| is [=logged-out=], the user agent SHOULD set |loginStatus| to [=unknown=] and MUST do one of the following: * Return (failure, false). - * Prompt the user whether to continue. If the user continues, the user - agent SHOULD set |loginStatus| to [=unknown=]. This MAY include |showIdpLoginDialog| affordance. + * Prompt the user whether to continue. This MAY include having to [=allow an affordance to show an IDP login dialog=]. * If the user cancels this dialog, return (failure, true). - * If the user continues, trigger |showIdpLoginDialog|. - * Trigger |showIdpLoginDialog| directly. The user agent SHOULD set |loginStatus| to [=unknown=]. - - * Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. 
- * If |mode| is [=passive=], return (failure, true). - * If |mode| is [=active=] and user gesture is not present, return (failure, true). - * If |mode| is [=active=] and user gesture is present, trigger |showIdpLoginDialog|. + * If the user continues, trigger [=allow an affordance to show an IDP login dialog=]. + * If |mode| is [=active=] and [=transient activation=] is present, trigger [=show an IDP login dialog=]. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. @@ -1469,6 +1461,18 @@ success or failure. 1. Otherwise, return failure. </div> +<div algorithm> +To <dfn>allow an affordance to show an IDP login dialog</dfn> given an {{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following steps. This returns +success or failure. + 1. Assert: these steps are running [=in parallel=]. + 1. Let |config| be the result of running [=fetch the config file=] + with |provider| and |globalObject|. + 1. If |config| is failure, return failure. + 1. [=Show an IDP login dialog=] with |config| and |provider|. + 1. If that algorithm succeeds, return success. + 1. Otherwise, return failure. +</div> + <!-- ============================================================ --> ## The IdentityProvider Interface ## {#browser-api-identity-provider-interface} <!-- ============================================================ --> From d34ecd005ea33609db1e561c5abc751d9486e0f8 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Thu, 3 Oct 2024 16:16:27 -0400 Subject: [PATCH 03/15] Update index.bs --- spec/index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 95e5470d..3802ebff 100644 --- a/spec/index.bs +++ b/spec/index.bs 
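Review bot: The added active-mode step only tests whether [=transient activation=] is present and never consumes it, so as written a single user gesture could satisfy several active-mode calls, each of which can end a pending passive request and go on to show an IDP login dialog. I would follow the check with a step such as `1. [=Consume user activation=] given the requesting Window.` so that one gesture authorizes one request. The step also does not say whose activation is tested, and it sits under `Assert: These steps are running [=in parallel=]` while activation state belongs to a Window, so it may be cleaner to capture the result before going in parallel. The later `@@ -784,28 +784,36 @@` hunk names |W| but still does not consume the activation.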
@@ -791,11 +791,11 @@ the exception thrown. 1. If |loginStatus| is [=logged-out=], the user agent SHOULD set |loginStatus| to [=unknown=] and MUST do one of the following: * Return (failure, false). - * Prompt the user whether to continue. This MAY include having to [=allow an affordance to show an IDP login dialog=]. + * Prompt the user whether to continue. This MAY include an affordance to [=show an IDP login dialog=]. * If the user cancels this dialog, return (failure, true). - * If the user continues, trigger [=allow an affordance to show an IDP login dialog=]. - * If |mode| is [=active=] and [=transient activation=] is present, trigger [=show an IDP login dialog=]. + * If the user triggers this affordance, [=fetch the config file and show an IDP login dialog=]. + * If |mode| is [=active=] and [=transient activation=] is present, [=fetch the config file and show an IDP login dialog=]. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. @@ -1462,7 +1462,7 @@ success or failure. </div> <div algorithm> -To <dfn>allow an affordance to show an IDP login dialog</dfn> given an {{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following steps. This returns +To <dfn>fetch the config file and show an IDP login dialog</dfn> given an {{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following steps. This returns success or failure. 1. Assert: these steps are running [=in parallel=]. 1. Let |config| be the result of running [=fetch the config file=] From ce8f11e2dc49540d7a40a89adba348c3dcf9c821 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Thu, 3 Oct 2024 18:55:25 -0400 Subject: [PATCH 04/15] Lint index.bs --- spec/index.bs | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 3802ebff..f531520d 100644 --- a/spec/index.bs +++ b/spec/index.bs 
@@ -623,9 +623,11 @@ This specification introduces an extension to the {{CredentialRequestOptions}} o The {{IdentityCredentialRequestOptions}} contains a list of {{IdentityProviderConfig}}s that the [=RP=] supports and has pre-registered with (i.e. the [=IDP=] has given the [=RP=] a `clientId`). -The {{IdentityCredentialRequestOptions}} also contains an {{IdentityCredentialRequestOptionsContext}}, -which the user agent can use to provide a more meaningful dialog to users, and an {{IdentityCredentialRequestOptionsMode}}, -which the user agent can use to specify different behaviors or dialog types. +The {{IdentityCredentialRequestOptions}} also contains an +{{IdentityCredentialRequestOptionsContext}}, which the user agent can use to +provide a more meaningful dialog to users, and an +{{IdentityCredentialRequestOptionsMode}}, which the user agent can use to +specify different behaviors or dialog types. <xmp class=idl> enum IdentityCredentialRequestOptionsContext { 
@@ -784,18 +786,24 @@ the exception thrown. 1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. 1. If |mode| is [=active=] 1. If [=transient activation=] is not present, return (failure, true). - 1. If [=transient activation=] is present and if there is a pending request where |mode| is [=passive=], return (failure, true) for the pending request. + 1. If [=transient activation=] is present and if there is a pending + request where |mode| is [=passive=], return (failure, true) for the + pending request. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. - 1. If |loginStatus| is [=logged-out=], the user agent SHOULD set |loginStatus| to [=unknown=] and MUST do one of the following: + 1. If |loginStatus| is [=logged-out=], the user agent SHOULD set + |loginStatus| to [=unknown=] and MUST do one of the following: * Return (failure, false). - * Prompt the user whether to continue. This MAY include an affordance to [=show an IDP login dialog=]. + * Prompt the user whether to continue. This MAY include an affordance + to [=show an IDP login dialog=]. * If the user cancels this dialog, return (failure, true). - * If the user triggers this affordance, [=fetch the config file and show an IDP login dialog=]. - * If |mode| is [=active=] and [=transient activation=] is present, [=fetch the config file and show an IDP login dialog=]. + * If the user triggers this affordance, + [=fetch the config file and show an IDP login dialog=]. + * If |mode| is [=active=] and [=transient activation=] is present, + [=fetch the config file and show an IDP login dialog=]. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. 
@@ -1293,7 +1301,8 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link. - 1. The user agent MAY use the {{IdentityCredentialRequestOptions/context}} and |options|'s + 1. The user agent MAY use the + {{IdentityCredentialRequestOptions/context}} and |options|'s {{IdentityCredentialRequestOptions/mode}} to customize the dialog shown. 1. If the user does not grant permission, return false. 1. [=Create a connection between the RP and the IdP account=] with |provider|, |account|, and From 2a289954977a1b9cd178bcd3e96710149ff008ef Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Mon, 7 Oct 2024 14:13:56 -0400 Subject: [PATCH 05/15] Update spec/index.bs Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com> --- spec/index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/index.bs b/spec/index.bs index f531520d..4f546f5b 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -786,7 +786,7 @@ the exception thrown. 1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. 1. If |mode| is [=active=] 1. If [=transient activation=] is not present, return (failure, true). - 1. If [=transient activation=] is present and if there is a pending + 1. If [=transient activation=] is present and there is a pending request where |mode| is [=passive=], return (failure, true) for the pending request. 1. Let |loginStatus| be the result of [=get the login status=] with From d8488b8cffb961f0111f80ef638c8de4fe03fe81 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Tue, 8 Oct 2024 10:55:22 -0400 Subject: [PATCH 06/15] Update index.bs --- spec/index.bs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/spec/index.bs b/spec/index.bs index 4f546f5b..ea238652 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -787,8 +787,9 @@ the exception thrown. 1. If |mode| is [=active=] 1. If [=transient activation=] is not present, return (failure, true). 1. If [=transient activation=] is present and there is a pending - request where |mode| is [=passive=], return (failure, true) for the - pending request. + request where |mode| is [=passive=], cancel the previous request + as if a {{CredentialRequestOptions/signal}} was given to it and + was [=AbortSignal/aborted=]. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. @@ -802,7 +803,7 @@ the exception thrown. * If the user cancels this dialog, return (failure, true). * If the user triggers this affordance, [=fetch the config file and show an IDP login dialog=]. - * If |mode| is [=active=] and [=transient activation=] is present, + * If |mode| is [=active=], [=fetch the config file and show an IDP login dialog=]. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s From 1e0d0be348b495a74b3a75bef4bac81bd427f572 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Tue, 8 Oct 2024 13:11:01 -0400 Subject: [PATCH 07/15] Update spec/index.bs Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com> --- spec/index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index ea238652..f67a73d1 100644 --- a/spec/index.bs +++ b/spec/index.bs 
@@ -788,8 +788,8 @@ the exception thrown. 1. If [=transient activation=] is not present, return (failure, true). 1. If [=transient activation=] is present and there is a pending request where |mode| is [=passive=], cancel the previous request - as if a {{CredentialRequestOptions/signal}} was given to it and - was [=AbortSignal/aborted=]. + as if a {{CredentialRequestOptions/signal}} of + [=AbortSignal/aborted=] was given to it. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. From a47797532088f46be70da5b62ff678d33a4bda5b Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Tue, 15 Oct 2024 12:53:56 -0400 Subject: [PATCH 08/15] Update index.bs --- spec/index.bs | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index f67a73d1..a7fcbc28 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -802,9 +802,9 @@ the exception thrown. * If the user cancels this dialog, return (failure, true). * If the user triggers this affordance, - [=fetch the config file and show an IDP login dialog=]. + [=fetch the config file=] and [=show an IDP login dialog=]. * If |mode| is [=active=], - [=fetch the config file and show an IDP login dialog=]. + [=fetch the config file=] and [=show an IDP login dialog=]. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. 
@@ -894,7 +894,7 @@ the exception thrown. 1. Set |account| to |accountsList|[0]. 1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns [=compute the connection status/connected=], show a dialog to request user permission to sign - in via |account|, and set the result in |permission|. The user agent MAY use |options|'s + in via |account|, and set the result in |permission|. The user agent SHOULD use |options|'s {{IdentityCredentialRequestOptions/context}} and |options|'s {{IdentityCredentialRequestOptions/mode}} to customize the dialog. 1. Otherwise, let |permission| be the result of running [=request permission to sign-up=] @@ -1302,7 +1302,7 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link. - 1. The user agent MAY use the + 1. The user agent SHOULD use the {{IdentityCredentialRequestOptions/context}} and |options|'s {{IdentityCredentialRequestOptions/mode}} to customize the dialog shown. 1. If the user does not grant permission, return false. 
@@ -1471,18 +1471,6 @@ success or failure. 1. Otherwise, return failure. </div> -<div algorithm> -To <dfn>fetch the config file and show an IDP login dialog</dfn> given an {{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following steps. This returns -success or failure. - 1. Assert: these steps are running [=in parallel=]. - 1. Let |config| be the result of running [=fetch the config file=] - with |provider| and |globalObject|. - 1. If |config| is failure, return failure. - 1. [=Show an IDP login dialog=] with |config| and |provider|. - 1. If that algorithm succeeds, return success. - 1. Otherwise, return failure. -</div> - <!-- ============================================================ --> ## The IdentityProvider Interface ## {#browser-api-identity-provider-interface} <!-- ============================================================ --> @@ -2907,4 +2895,3 @@ Note: The WG has labeled the following issues as critical open issues that must </ul> </body> </html> - From c4c3d5bf4746f01f981d0411c6fbeaedf9154629 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Tue, 15 Oct 2024 12:55:28 -0400 Subject: [PATCH 09/15] Update index.bs --- spec/index.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/index.bs b/spec/index.bs index a7fcbc28..c1b95eef 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -2895,3 +2895,4 @@ Note: The WG has labeled the following issues as critical open issues that must </ul> </body> </html> + From 400ac7f38008c38a1c240eaba8f29cfb77d6e8ba Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Thu, 17 Oct 2024 23:33:27 -0400 Subject: [PATCH 10/15] Update index.bs --- spec/index.bs | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index c1b95eef..5da8bab6 100644 --- a/spec/index.bs +++ b/spec/index.bs 
@@ -793,18 +793,19 @@ the exception thrown. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. - 1. If |loginStatus| is [=logged-out=], the user agent SHOULD set - |loginStatus| to [=unknown=] and MUST do one of the following: + 1. If |loginStatus| is [=logged-out=] - * Return (failure, false). - * Prompt the user whether to continue. This MAY include an affordance - to [=show an IDP login dialog=]. - - * If the user cancels this dialog, return (failure, true). - * If the user triggers this affordance, - [=fetch the config file=] and [=show an IDP login dialog=]. - * If |mode| is [=active=], + 1. If |mode| is [=active=], [=fetch the config file=] and [=show an IDP login dialog=]. + 2. If |mode| is [=passive=], the user agent MUST do one of the following: + * Return (failure, false). + * Prompt the user whether to continue. If the user continues, the user + agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an + affordance to [=show an IDP login dialog=]. + + * If the user cancels this dialog, return (failure, true). + * If the user triggers this affordance, + [=fetch the config file=] and [=show an IDP login dialog=]. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. From cbaa2d28a8ff6736a39ed1d3344021b69192af73 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Thu, 17 Oct 2024 23:34:17 -0400 Subject: [PATCH 11/15] Update index.bs --- spec/index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/index.bs b/spec/index.bs index 5da8bab6..9e7d1131 100644 --- a/spec/index.bs +++ b/spec/index.bs 
@@ -797,7 +797,7 @@ the exception thrown. 1. If |mode| is [=active=], [=fetch the config file=] and [=show an IDP login dialog=]. - 2. If |mode| is [=passive=], the user agent MUST do one of the following: + 1. If |mode| is [=passive=], the user agent MUST do one of the following: * Return (failure, false). * Prompt the user whether to continue. If the user continues, the user agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an From 0247dd2263ba2245c980406aeebb1b5981caa81d Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Wed, 23 Oct 2024 11:41:30 -0400 Subject: [PATCH 12/15] Update index.bs --- spec/index.bs | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 9e7d1131..d8dee0ef 100644 --- a/spec/index.bs +++ b/spec/index.bs 
@@ -784,28 +784,36 @@ or a pair (failure, bool), where the bool indicates whether to skip delaying the exception thrown. 1. Assert: These steps are running [=in parallel=]. 1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. - 1. If |mode| is [=active=] - 1. If [=transient activation=] is not present, return (failure, true). - 1. If [=transient activation=] is present and there is a pending - request where |mode| is [=passive=], cancel the previous request - as if a {{CredentialRequestOptions/signal}} of - [=AbortSignal/aborted=] was given to it. + 1. Let |globalObject| be the [=current global object=]. + 1. Let |W| be |globalObject|'s [=associated Window=]. + 1. If |mode| is [=active=]: + 1. If |W| does not have [=transient activation=], return (failure, true). + 1. Otherwise, and if there is a pending request on |W|'s top-level browsing + context where |mode| is [=passive=], reject the previous request. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. - 1. If |loginStatus| is [=logged-out=] - - 1. If |mode| is [=active=], - [=fetch the config file=] and [=show an IDP login dialog=]. - 1. If |mode| is [=passive=], the user agent MUST do one of the following: + 1. If |loginStatus| is [=logged-out=]: + + 1. If |mode| is [=active=]: + 1. Let |config| be the result of running [=fetch the config file=] + with |provider| and |globalObject|. + 1. If |config| is failure, return (failure, true). + 1. [=Show an IDP login dialog=] with |config| and |provider|. + 1. If that algorithm returns failure, return (failure, true). + 1. Otherwise, the user agent MUST do one of the following: * Return (failure, false). * Prompt the user whether to continue. If the user continues, the user agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an affordance to [=show an IDP login dialog=]. 
* If the user cancels this dialog, return (failure, true). - * If the user triggers this affordance, - [=fetch the config file=] and [=show an IDP login dialog=]. + * If the user triggers this affordance: + 1. Let |config| be the result of running [=fetch the config file=] + with |provider| and |globalObject|. + 1. If |config| is failure, return (failure, true). + 1. [=Show an IDP login dialog=] with |config| and |provider|. + 1. If that algorithm returns failure, return (failure, true). 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. @@ -895,7 +903,7 @@ the exception thrown. 1. Set |account| to |accountsList|[0]. 1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns [=compute the connection status/connected=], show a dialog to request user permission to sign - in via |account|, and set the result in |permission|. The user agent SHOULD use |options|'s + in via |account|, and set the result in |permission|. The user agent MAY use |options|'s {{IdentityCredentialRequestOptions/context}} and |options|'s {{IdentityCredentialRequestOptions/mode}} to customize the dialog. 1. Otherwise, let |permission| be the result of running [=request permission to sign-up=] @@ -1303,7 +1311,7 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link. - 1. The user agent SHOULD use the + 1. The user agent MAY use the {{IdentityCredentialRequestOptions/context}} and |options|'s {{IdentityCredentialRequestOptions/mode}} to customize the dialog shown. 1. If the user does not grant permission, return false. From 71e585bcba9cd35e23f5f9e06ef99a853a2281b3 Mon Sep 17 00:00:00 2001 
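Review bot: In the new `If |mode| is [=active=]:` branch, |loginStatus| is left as [=logged-out=] after the IDP login dialog succeeds, whereas the passive branch keeps `the user agent SHOULD set |loginStatus| to [=unknown=]` when the user continues. The rest of the algorithm lies outside this hunk, so I cannot tell which later steps read |loginStatus|, but the two paths should probably agree. A closing step in the active branch such as `1. Set |loginStatus| to [=unknown=].` would make the post-login state explicit on both paths.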
From: Zachary Tan <tanzachary@chromium.org> Date: Wed, 23 Oct 2024 11:45:07 -0400 Subject: [PATCH 13/15] Update index.bs --- spec/index.bs | 3 --- 1 file changed, 3 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index d8dee0ef..f74e95b5 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -794,7 +794,6 @@ the exception thrown. the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. 1. If |loginStatus| is [=logged-out=]: - 1. If |mode| is [=active=]: 1. Let |config| be the result of running [=fetch the config file=] with |provider| and |globalObject|. @@ -806,7 +805,6 @@ the exception thrown. * Prompt the user whether to continue. If the user continues, the user agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an affordance to [=show an IDP login dialog=]. - * If the user cancels this dialog, return (failure, true). * If the user triggers this affordance: 1. Let |config| be the result of running [=fetch the config file=] @@ -814,7 +812,6 @@ the exception thrown. 1. If |config| is failure, return (failure, true). 1. [=Show an IDP login dialog=] with |config| and |provider|. 1. If that algorithm returns failure, return (failure, true). - 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. 1. Let |mediation| be |options|'s {{CredentialRequestOptions/mediation}}. From 4bf692f9ae183e404a54a5e35a16a5f98a5362c6 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Wed, 30 Oct 2024 22:31:48 -0400 Subject: [PATCH 14/15] Update index.bs --- spec/index.bs | 38 ++++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index f74e95b5..a8185479 100644 --- a/spec/index.bs +++ b/spec/index.bs 
@@ -784,34 +784,27 @@ or a pair (failure, bool), where the bool indicates whether to skip delaying the exception thrown. 1. Assert: These steps are running [=in parallel=]. 1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. - 1. Let |globalObject| be the [=current global object=]. - 1. Let |W| be |globalObject|'s [=associated Window=]. 1. If |mode| is [=active=]: + 1. Let |W| be |globalObject|'s [=associated Window=]. 1. If |W| does not have [=transient activation=], return (failure, true). - 1. Otherwise, and if there is a pending request on |W|'s top-level browsing - context where |mode| is [=passive=], reject the previous request. + 1. Otherwise, if there is a pending request where |mode| is [=passive=] on |W|'s + [top-level browsing context](https://html.spec.whatwg.org/#bc-traversable) or on any + of its nested frames, reject the pending request with a "{{NetworkError}}" {{DOMException}}. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. 1. If |loginStatus| is [=logged-out=]: - 1. If |mode| is [=active=]: - 1. Let |config| be the result of running [=fetch the config file=] - with |provider| and |globalObject|. - 1. If |config| is failure, return (failure, true). - 1. [=Show an IDP login dialog=] with |config| and |provider|. - 1. If that algorithm returns failure, return (failure, true). + 1. If |mode| is [=active=], [=fetch the config file and show an IDP login dialog=] + with |provider| and |globalObject|. 1. Otherwise, the user agent MUST do one of the following: * Return (failure, false). * Prompt the user whether to continue. If the user continues, the user agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an affordance to [=show an IDP login dialog=]. * If the user cancels this dialog, return (failure, true). - * If the user triggers this affordance: - 1. 
Let |config| be the result of running [=fetch the config file=] - with |provider| and |globalObject|. - 1. If |config| is failure, return (failure, true). - 1. [=Show an IDP login dialog=] with |config| and |provider|. - 1. If that algorithm returns failure, return (failure, true). + * If the user triggers this affordance, [=fetch the config file and show an IDP login dialog=] + with |provider| and |globalObject|. + |provider| and |globalObject|. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. 1. Let |mediation| be |options|'s {{CredentialRequestOptions/mediation}}. @@ -1477,6 +1470,19 @@ success or failure. 1. Otherwise, return failure. </div> +<div algorithm> +To <dfn>fetch the config file and show an IDP login dialog</dfn> given an +{{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following +steps. This returns success or failure. + 1. Assert: these steps are running [=in parallel=]. + 1. Let |config| be the result of running [=fetch the config file=] + with |provider| and |globalObject|. + 1. If |config| is failure, return failure. + 1. [=Show an IDP login dialog=] with |config| and |provider|. + 1. If that algorithm succeeds, return success. + 1. Otherwise, return failure. +</div> + <!-- ============================================================ --> ## The IdentityProvider Interface ## {#browser-api-identity-provider-interface} <!-- ============================================================ --> From e58507b80633a1b34c9857d3345be2d8b18fe7f0 Mon Sep 17 00:00:00 2001 From: Zachary Tan <tanzachary@chromium.org> Date: Wed, 30 Oct 2024 22:37:50 -0400 Subject: [PATCH 15/15] Update index.bs --- spec/index.bs | 1 - 1 file changed, 1 deletion(-) diff --git a/spec/index.bs b/spec/index.bs index a8185479..48eb453b 100644 --- a/spec/index.bs +++ b/spec/index.bs 
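Review bot: In the `@@ -784,34 +784,27 @@` hunk of PATCH 14/15, the `If |mode| is [=active=]` step and the `If the user triggers this affordance` bullet both invoke [=fetch the config file and show an IDP login dialog=] but discard its result. The removed inline steps returned (failure, true) when the config fetch or the login dialog failed, whereas the new text falls through to the |requiresUserMediation| step. Each call site should bind and test the value that the new dfn in the `@@ -1477,6 +1470,19 @@` hunk returns: `1. Let |result| be the result of running [=fetch the config file and show an IDP login dialog=] with |provider| and |globalObject|.` followed by `1. If |result| is failure, return (failure, true).` The hunk also removes `Let |globalObject| be the [=current global object=]` while the added `Let |W| be |globalObject|'s [=associated Window=]` still reads it, so |globalObject| needs to be a parameter of the enclosing algorithm. That algorithm's header is outside the hunk.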
@@ -804,7 +804,6 @@ the exception thrown. * If the user cancels this dialog, return (failure, true). * If the user triggers this affordance, [=fetch the config file and show an IDP login dialog=] with |provider| and |globalObject|. - |provider| and |globalObject|. 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. 1. Let |mediation| be |options|'s {{CredentialRequestOptions/mediation}}.