Design Review #1074

#1074: FedCM: Alternative Fields in Account Selection

Opened Mar 27, 2025

こんにちは TAG-さん!

I'm requesting an early TAG design review of I'm requesting a TAG review of FedCM: Alternative Fields in Account Selection.

Support phone numbers and usernames in addition to email and names for accounts in FedCM, and only require one of these identifiers.

Explainer¹: https://github.com/w3c-fedid/FedCM/issues/435#issuecomment-2718856194
User research: n/a
Security and Privacy self-review²: url: same as the general one for FedCM
GitHub repo: https://github.com/w3c-fedid/FedCM
Primary contacts:
- Christian Biesinger (@cbiesinger), Google Chrome, proposal author
- Nicolás Peña Moreno (@npm1), Google Chrome, Spec editor
- Yi Gu (@yi-gu), Google Chrome
- Sam Goto (@samuelgoto, Google Chrome)
Organization/project driving the design: Google Chrome
This work is being funded by: Google Chrome
Incubation and standards groups that have discussed the design: Federated Identity Working/Community Group
- https://github.com/fedidcg/meetings/blob/main/2025/2025-03-18-notes.md
Standards group(s) that you expect to discuss and/or adopt this work when it's ready: Federated Identity Working Group
Multi-stakeholder feedback³:
- Chromium comments: n/a
- Mozilla comments: No comments yet
- WebKit comments: No comments yet
- Web developers have requested this (see e.g. https://github.com/w3c-fedid/FedCM/issues/435 and https://github.com/w3c-fedid/FedCM/issues/317) but have not yet given feedback on the specific proposal
Major unresolved issues with or opposition to this design:
I have reviewed the TAG's Web Platform Design Principles

You should also know that...

The primary aspect I would like to get feedback on is the naming of the new keywords ("phone", "username"). There is precedence in other specs (e.g. HTML5 form types or OAuth) but they don't agree with each other.

Discussions

Discussed Apr 1, 2025 (See Github)

Hadley: I agreed with Jeffrey's thoughts on this.

Jeffrey: They've asked us a question. They're adding fields to what FedCM allows identiy providers send to the browser. They're adding phone number & username, they exist in HTML autocomplete and Open ID Connect (OIDC) they have different names in both places, these folks have chosen a 3rd name and want advice from us. FedCM could be used for autocomplete by letting ID providers go into vouched fields and checking, I think it's a good idea to match naming to HTML autocomplete.

Hadley: Open ID Connect is an authenticcation protocol built on top of OAUTH.

Jeffrey to write closing comment, post in slack, then post later this week.

Comment by @cbiesinger Apr 16, 2025 (See Github)

Apologies, I meant OIDC when I wrote OAuth. https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

Comment by @jyasskin Apr 18, 2025 (See Github)

Thank you for sending us this question! We think the overall capability makes sense, and we're glad to see it proceeding through the FedID WG.

On the naming question, we think it's important that FedCM pick one of the existing sets of names, and re-use those names instead of inventing its own. (Even if both existing options for a name are objectively bad in certain ways.) Because there's a proposal to use FedCM fields to populate form autofill (https://github.com/w3c-fedid/FedCM/issues/694), we're inclined toward matching the HTML autocomplete names.

We also note that the tel autocomplete field describes a canonical format of "ASCII digits and U+0020 SPACE characters, prefixed by a U+002B PLUS SIGN character (+)" (e.g. "+1 617 253 5702"), while the OIDC phone_number field recommends to use the E.164 format (e.g. "+1 (425) 555-1212"). Your eventual spec should say what's expected and whether and how UAs are supposed to convert them.