The Login Status API and its use in FedCM
- Category
- Miscellaneous
- Type
- New or changed feature
- Status
- Enabled by default (Chrome 120)
- Intent stage
- Origin Trial
Summary
The Login Status API [1] (formerly the IdP Sign-in Status API) lets identity providers (IdPs) signal to the browser when their users log in or log out. Our goal is to open this signal up to other websites in the future.
In this intent, FedCM uses the signal to address a silent timing attack, and in doing so lets FedCM operate without third-party cookies altogether. This update would address the last remaining backwards-incompatible change we had previously identified in the original I2S of FedCM [2] as part of our scope of work.
In the future, we expect that the Login Status API may also be used outside of FedCM (e.g. the Storage Access API [3]) and may be useful for websites that are not identity providers (e.g. extending browser storage [4]).
[1] https://github.com/fedidcg/login-status
[2] https://groups.google.com/a/chromium.org/g/blink-dev/c/URpYPPH-YQ4/m/E9pgS7GEBAAJ
[3] https://github.com/fedidcg/login-status#storage-access-api
[4] https://github.com/fedidcg/login-status#extending-site-data-storage
Motivation
FedCM has a known and open timing attack problem [1], which the IdP Login Status API is intended to resolve. It addresses the problem by giving the IdP a way to tell the browser whether its users are logged in or not, which increases the privacy guarantees that FedCM can make.
[1] https://github.com/fedidcg/FedCM/blob/main/meetings/2022/FedCM_%20Options%20for%20the%20Timing%20Attack%20Problem%20(8_16_2022).pdf
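As an added example (not Chromium's code and not from this intent), the following model shows how the signal described in the Summary and Motivation sections gates a FedCM request: an IdP response carrying the shipped `Set-Login: logged-in` / `Set-Login: logged-out` header updates the browser's per-IdP status, and a known logged-out status fails the request before any accounts fetch is made, so the relying party gets no timing signal about the user's session. The function names, the in-memory store and the sample IdP response are constructed for illustration.

```javascript
// Constructed model of the Login Status signal as FedCM consumes it.
// Header name and values ("Set-Login: logged-in|logged-out") are the shipped
// API; everything else here is an illustrative stand-in, not browser code.

// Per-IdP login status as the browser would keep it: 'unknown' until signalled.
const loginStatus = new Map();

// Record a Set-Login header from a response served by the IdP origin.
// Unrecognised values are ignored so a malformed header cannot flip state.
function recordLoginStatus(idpOrigin, headers) {
  const value = String(headers['set-login'] || '').trim().toLowerCase();
  if (value === 'logged-in' || value === 'logged-out') {
    loginStatus.set(idpOrigin, value);
  }
  return loginStatus.get(idpOrigin) || 'unknown';
}

// Constructed stand-in for the credentialed accounts-endpoint fetch.
// It counts calls so a caller can prove no request left the browser.
let accountsFetches = 0;
function accountsFetchCount() { return accountsFetches; }
function fetchAccounts(idpOrigin) {
  accountsFetches += 1;
  return { accounts: [{ id: 'user-123', name: 'Sample User' }] }; // constructed
}

// Model of navigator.credentials.get() for one IdP: a logged-out status
// short-circuits without network activity, removing the timing side channel.
// 'unknown' still fetches; an empty account list then demotes the status.
function fedcmGet(idpOrigin) {
  const status = loginStatus.get(idpOrigin) || 'unknown';
  if (status === 'logged-out') {
    return { ok: false, reason: 'logged-out', fetched: false };
  }
  const { accounts } = fetchAccounts(idpOrigin);
  if (accounts.length === 0) {
    loginStatus.set(idpOrigin, 'logged-out');
    return { ok: false, reason: 'no-accounts', fetched: true };
  }
  return { ok: true, accounts, fetched: true };
}
```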
Standards & signals
- Specification: https://github.com/fedidcg/FedCM/pull/436
- Firefox: Under consideration — We have been working with the Firefox team for the last year or so on this API (e.g. TPAC 2022 [1]). We generally agree on the shape of the solution and we are working with them to write the spec in a way that allows Chrome and Firefox to implement FedCM in an interoperable way. (Firefox has asked us [2] to rely on PR comments instead of filing standards positions for these FedCM extensions)
[1] https://github.com/fedidcg/FedCM/blob/main/meetings/2022/FedCM_%20Options%20for%20the%20Timing%20Attack%20Problem%20(8_16_2022).pdf
[2] https://github.com/fedidcg/FedCM/issues/431#issuecomment-1425025469
- Safari: No signal — Safari has so far shown overall support for FedCM [1], but has not yet formed a position on this specific extension of FedCM [2]. We are generally in agreement on the API shape using the Login Status API [3], but we have not yet received a signal from them on how FedCM specifically will use it.
[1] https://lists.webkit.org/pipermail/webkit-dev/2022-March/032162.html
[2] https://github.com/WebKit/standards-positions/issues/250
[3] https://github.com/privacycg/is-logged-in/issues/53
- Web developers: Positive — We have been working with the FedID CG to develop this API and running experiments with the Google Identity Services team.
- Tracking bug: https://crbug.com/1451396
- Explainers: https://github.com/fedidcg/FedCM/blob/main/proposals/idp-sign-in-status-api.md and https://developer.chrome.com/blog/fedcm-chrome-116-updates/#idp-signin-status