From 388a506f79da5aad06c8f1ee2d75763d1df27341 Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Wed, 18 Sep 2024 09:48:59 -0400 Subject: [PATCH] Actually make it part of the store, not the get --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bd36e8c..9c226bc 100644 --- a/README.md +++ b/README.md 
@@ -290,14 +290,13 @@ let credential = await navigator.credentials.get({ origin: "https://login.idp.net", loginURL: "https://bounce.example.com/?u=https://login.idp.net/login.html?r=https://rp.net/", loginTarget: "redirect", - tokenURL: "https://auth.login.net/api/v1/refresh_token", }, ] } }); ``` -This example shows the use perfect for a "Log in with Foo" button, where one identity provider is presented, and if the user has not already logged in, they may be redirected to that provider's login page. This redirect behavior is only permitted when there is only one provider in the list. A provider with `loginURL` field indicates that this is the expected mode. If `loginURL` is present, but `origin` is not, its value can be inferred as the origin of the link. Regardless of how it gets there, when the credential is to be returned to the user, if it is present the browser fetches the `tokenURL` (which must be in the same origin as `origin`) with unpartitioned cookies to populate the `Credential`'s `token` member. +This example shows the use perfect for a "Log in with Foo" button, where one identity provider is presented, and if the user has not already logged in, they may be redirected to that provider's login page. This redirect behavior is only permitted when there is only one provider in the list. A provider with `loginURL` field indicates that this is the expected mode. If `loginURL` is present, but `origin` is not, its value can be inferred as the origin of the link. Another use example, provided below, shows how to request a credential from one of many IDPs the user may have already linked to this page. 
@@ -377,6 +376,7 @@ let cred = await navigator.credentials.create({ effectiveOrigins: ["https://rp1.biz", "https://rp2.info"], // optional effectiveQueryURL: "https://api.login.idp.net/v1/foo", // optional effectiveType: "example-string-to-match", // optional + tokenURL: "https://auth.login.net/api/v1/refresh_token", // optional } }); await navigator.credentials.store(cred); @@ -386,6 +386,8 @@ This allows the identity provider to be used without a redirect flow if the user This reduces the need for NASCAR pages. Since we allow identity providers to declare themselves and several that are unlinked to be included in the same credential chooser, we remove the need for NASCAR pages where a user has visited the identity provider before. In those cases where there are no registered identity providers or there are none that are acceptable to a user, the relying party can show fallback content that presents a set of candidate identity providers. Because the choice is not shown to users until obtaining a credential is unsuccessful, the added complexity of the interface might be easier for sites to manage. +Additionally, by if a `tokenURL` is storeed on the credential, when the credential is to be returned to the user, if it is present the browser fetches the `tokenURL` with the identity provider's unpartitioned cookies to populate the returned `Credential`'s `token` member. + ## Identity Provider API, Attaching Account Information to a Credential We add optional fields to facilitate the user's selection of the credential from the credential chooser. These match the fields in the `CredentialDataMixin` from the `Credential Management Level 1` spec.
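Review bot: the first hunk (`@@ -290,14 +290,13 @@`) deletes the only sentence that constrained `tokenURL`, namely "(which must be in the same origin as `origin`)", and neither the rewritten `get` paragraph nor the new `store` text restates it. Since the browser fetches `tokenURL` carrying the identity provider's unpartitioned cookies, the README should keep an explicit requirement that `tokenURL` is same-origin with the credential's `origin` (or say where that check is now enforced) so that a stored credential cannot direct the cookie-bearing fetch at an unrelated host.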
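Review bot: in the second hunk (`@@ -377,6 +376,7 @@`) the added example value `tokenURL: "https://auth.login.net/api/v1/refresh_token"` is on a different host from the other URL in the same `create` call (`effectiveQueryURL: "https://api.login.idp.net/v1/foo"`), so the example reads as cross-origin. Use a URL under the identity provider's own origin so the sample matches the same-origin rule the old `get` text stated, and consider expanding `// optional` to say what the browser does when `tokenURL` is omitted (the `token` member is presumably left unset).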
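Review bot: the paragraph added in the third hunk (`@@ -386,6 +386,8 @@`) has typos and a redundant clause: "Additionally, by if a `tokenURL` is storeed on the credential, when the credential is to be returned to the user, if it is present the browser fetches the `tokenURL`" should read "Additionally, if a `tokenURL` is stored on the credential, then when the credential is to be returned to the user the browser fetches the `tokenURL`". This is also the natural place to restate the constraint dropped from the `get` description, that `tokenURL` must be same-origin with the credential's `origin`, since this paragraph is now the only description of the cookie-bearing fetch.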