From bfa0a09eb651f51ad4c6769abf0ac86f02a4e265 Mon Sep 17 00:00:00 2001 From: Christian Biesinger Date: Tue, 8 Oct 2024 13:52:27 -0400 Subject: [PATCH 1/4] Specify the params API (#661) * Specify the params API Bug: w3c-fedid/custom-requests#2 * Update spec/index.bs Co-authored-by: Ted Thibodeau Jr * any --------- Co-authored-by: Ted Thibodeau Jr --- spec/index.bs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/spec/index.bs b/spec/index.bs index b2462419..e102209b 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -653,6 +653,7 @@ dictionary IdentityProviderRequestOptions : IdentityProviderConfig { USVString nonce; DOMString loginHint; DOMString domainHint; + any params; }; @@ -1198,12 +1199,17 @@ To fetch an identity assertion given a {{USVString}} 1. Let |tokenUrl| be the result of [=computing the manifest URL=] given |provider|, |config|["{{IdentityProviderAPIConfig/id_assertion_endpoint}}"], and |globalObject|. 1. If |tokenUrl| is failure, return failure. - 1. Let |requestBody| be the result of running [=urlencoded serializer=] with a list containing: + 1. Let |list| be a list with the following entries: 1. ("client_id", |provider|'s {{IdentityProviderConfig/clientId}}) 1. ("nonce", |provider|'s {{IdentityProviderRequestOptions/nonce}}) 1. ("account_id", |accountId|) 1. ("disclosure_text_shown", |disclosureTextShown|) 1. ("is_auto_selected", |isAutoSelected|) + 1. If |provider|'s {{IdentityProviderRequestOptions/params}} is not empty: + 1. Let |json| be the result of [=serializing a JavaScript value to a JSON string=] + with |provider|'s {{IdentityProviderRequestOptions/params}}. + 1. Append ("params", |json|) to |list|. + 1. Let |requestBody| be the result of running [=urlencoded serializer=] with |list|. 1. Let |request| be a new request as follows: : [=request/url=] From 026dbaafd4a850bdf76ff51eae73112b45d9dd22 Mon Sep 17 00:00:00 2001 
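Review bot: `any params;` is added to IdentityProviderRequestOptions with no prose saying what the member carries or who consumes it; its meaning is only implicit in the second hunk, where the value is JSON-serialized and posted to the IDP's id_assertion_endpoint under the key `params`. A one-sentence definition next to the dictionary would help both user-agent implementers and IDP authors, e.g. `params: an arbitrary RP-supplied value that the user agent forwards, JSON-serialized, to the IDP's id_assertion_endpoint; since it originates from RP script, the IDP should validate it like any other request parameter.` The dictionary definition starts outside the hunk.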
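Review bot: The new guard `If |provider|'s {{IdentityProviderRequestOptions/params}} is not empty` has no defined meaning for an `any`-typed member, which is either absent or holds an arbitrary value such as `0`, `""`, `null` or an object; "empty" is ambiguous for most of those. The step should test presence instead: `1. If |provider|'s {{IdentityProviderRequestOptions/params}} is not undefined:`. Separately, `[=serializing a JavaScript value to a JSON string=]` operates on a JavaScript value, and the calling algorithm in this series asserts it runs in parallel; if this algorithm inherits that, the serialization should be performed before the parallel section and only the resulting string handed in. The enclosing fetch-an-identity-assertion algorithm starts and ends outside the hunk.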
From: Christian Biesinger Date: Mon, 28 Oct 2024 15:02:33 -0400 Subject: [PATCH 2/4] Handle errors from JSON serialization. (#666) --- spec/index.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/index.bs b/spec/index.bs index e102209b..9ee1e37f 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -1208,6 +1208,7 @@ To fetch an identity assertion given a {{USVString}} 1. If |provider|'s {{IdentityProviderRequestOptions/params}} is not empty: 1. Let |json| be the result of [=serializing a JavaScript value to a JSON string=] with |provider|'s {{IdentityProviderRequestOptions/params}}. + 1. If serializing threw an exception, return failure. 1. Append ("params", |json|) to |list|. 1. Let |requestBody| be the result of running [=urlencoded serializer=] with |list|. 1. Let |request| be a new request as follows: From 042beec519387789884be08a34ea3f9a85df7d35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Pe=C3=B1a=20Moreno?= Date: Thu, 7 Nov 2024 15:47:06 -0500 Subject: [PATCH 3/4] Update build-validate-publish.yaml (#683) Switch to ubuntu-latest to try to unblock bikeshed --- .github/workflows/build-validate-publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-validate-publish.yaml b/.github/workflows/build-validate-publish.yaml index 7d089db9..243daff3 100644 --- a/.github/workflows/build-validate-publish.yaml +++ b/.github/workflows/build-validate-publish.yaml @@ -7,7 +7,7 @@ on: jobs: run: name: Build, Validate, and Publish - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - uses: w3c/spec-prod@v2 From e6ce2888548e692d67ffc57186316f27b53d7fee Mon Sep 17 00:00:00 2001 
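Review bot: The added step `If serializing threw an exception, return failure.` discards the exception, so a TypeError caused by a non-serializable RP value (for example a cyclic object or a BigInt) is collapsed into the same generic failure as a network error on the assertion fetch, and the RP gets no signal that its own `params` were the cause. If serialization ends up being done on the main thread before going in parallel, rethrowing that exception to the caller would be more useful than swallowing it; if it stays here, the step is at least fine as written. The usual spec phrasing also folds the check into the preceding step, e.g. `Let |json| be the result of [=serializing a JavaScript value to a JSON string=] with |provider|'s {{IdentityProviderRequestOptions/params}}. If this throws an exception, return failure.`. The enclosing algorithm starts and ends outside the hunk.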
From: Zachary Tan Date: Mon, 18 Nov 2024 17:01:52 +0000 Subject: [PATCH 4/4] Specify the mode API (#660) * Add mode for FedCM Fixes https://github.com/w3c-fedid/active-mode/issues/2 * Update index.bs * Update index.bs * Lint index.bs * Update spec/index.bs Co-authored-by: Ted Thibodeau Jr * Update index.bs * Update spec/index.bs Co-authored-by: Ted Thibodeau Jr * Update index.bs * Update index.bs * Update index.bs * Update index.bs * Update index.bs * Update index.bs * Update index.bs * Update index.bs * Update index.bs * Update index.bs --------- Co-authored-by: Ted Thibodeau Jr --- spec/index.bs | 77 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 54 insertions(+), 23 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 9ee1e37f..94576348 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -623,8 +623,11 @@ This specification introduces an extension to the {{CredentialRequestOptions}} o The {{IdentityCredentialRequestOptions}} contains a list of {{IdentityProviderConfig}}s that the [=RP=] supports and has pre-registered with (i.e. the [=IDP=] has given the [=RP=] a `clientId`). -The {{IdentityCredentialRequestOptions}} also contains a {{IdentityCredentialRequestOptionsContext}} -which the user agent can use to provide a more meaningful dialog to users. +The {{IdentityCredentialRequestOptions}} also contains an +{{IdentityCredentialRequestOptionsContext}}, which the user agent can use to +provide a more meaningful dialog to users, and an +{{IdentityCredentialRequestOptionsMode}}, which the user agent can use to +specify different behaviors or dialog types. enum IdentityCredentialRequestOptionsContext { 
@@ -634,9 +637,15 @@ enum IdentityCredentialRequestOptionsContext { "continue" }; +enum IdentityCredentialRequestOptionsMode { + "active", + "passive" +}; + dictionary IdentityCredentialRequestOptions { required sequence<IdentityProviderRequestOptions> providers; IdentityCredentialRequestOptionsContext context = "signin"; + IdentityCredentialRequestOptionsMode mode = "passive"; }; 
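Review bot: The two enum values `"active"` and `"passive"` are referenced in the later create-an-IdentityCredential hunk as `[=active=]` and `[=passive=]`, which are dfn-style autolinks, while this hunk only declares them as IDL enum values. Unless matching `<dfn>`s exist elsewhere in the document, Bikeshed will not resolve those links; referencing them as `"{{IdentityCredentialRequestOptionsMode/active}}"` and `"{{IdentityCredentialRequestOptionsMode/passive}}"` would link to the IDL directly. Keeping `mode = "passive"` as the default is the right call for existing callers, and a sentence saying so next to the dictionary would make that backward-compatibility intent explicit.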
@@ -775,27 +784,34 @@ To create an IdentityCredential given an {{IdentityProviderRequestOpt or a pair (failure, bool), where the bool indicates whether to skip delaying the exception thrown. 1. Assert: These steps are running [=in parallel=]. + 1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}. + 1. If |mode| is [=active=]: + 1. Let |W| be |globalObject|'s [=associated Window=]. + 1. If |W| does not have [=transient activation=], return (failure, true). + 1. Otherwise, if there is a pending request where |mode| is [=passive=] + on |W|'s [=Window/navigable=]'s [=navigable/top-level traversable=] + or on any of its descendants, reject the pending request with a + "{{NetworkError}}" {{DOMException}}. 1. Let |loginStatus| be the result of [=get the login status=] with the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}. 1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=]. - 1. If |loginStatus| is [=logged-out=], the user agent MUST do one of the following: - - * Return (failure, false). - * Prompt the user whether to continue. If the user continues, the user - agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an - affordance to [=show an IDP login dialog=]. - - * If the user cancels this dialog, return (failure, true). - * If the user triggers this affordance: - 1. Let |config| be the result of running [=fetch the config file=] - with |provider| and |globalObject|. - 1. If |config| is failure, return (failure, true). - 1. [=Show an IDP login dialog=] with |config| and |provider|. - 1. If that algorithm returns failure, return (failure, true). - - Issue: We should perhaps provide a way to let the [=RP=] request that - the second option is provided, possibly gated on a user gesture. - See [this issue](https://github.com/fedidcg/FedCM/issues/442) for discussion. + 1. If |loginStatus| is [=logged-out=]: + 1. If |mode| is [=active=]: + 1. 
Let |result| be the result of running + [=fetch the config file and show an IDP login dialog=] with + |provider| and |globalObject|. + 1. If |result| is failure, return (failure, true). + 1. Otherwise, the user agent MUST do one of the following: + * Return (failure, false). + * Prompt the user whether to continue. If the user continues, the user + agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an + affordance to [=show an IDP login dialog=]. + * If the user cancels this dialog, return (failure, true). + * If the user triggers this affordance: + 1. Let |result| be the result of running + [=fetch the config file and show an IDP login dialog=] + with |provider| and |globalObject|. + 1. If |result| is failure, return (failure, true). 1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s [=requires user mediation=]. 1. Let |mediation| be |options|'s {{CredentialRequestOptions/mediation}}. @@ -885,7 +901,8 @@ the exception thrown. 1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns [=compute the connection status/connected=], show a dialog to request user permission to sign in via |account|, and set the result in |permission|. The user agent MAY use |options|'s - {{IdentityCredentialRequestOptions/context}} to customize the dialog. + {{IdentityCredentialRequestOptions/context}} and |options|'s + {{IdentityCredentialRequestOptions/mode}} to customize the dialog. 1. Otherwise, let |permission| be the result of running [=request permission to sign-up=] algorithm with |account|, |config|, |provider|, and |globalObject|. Also set |disclosureTextShown| to true. 
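Review bot: The new active-mode branch checks that |W| has `[=transient activation=]` but never consumes it, so a single user gesture can authorise repeated active-mode requests until the activation expires, each of which may show an IDP login dialog via the new helper; if the intent is one dialog per gesture, add `1. [=Consume user activation=] of |W|.` after the check. The check also sits directly under `Assert: These steps are running [=in parallel=]`, and activation state belongs to the Window on the main thread, so it likely needs to be sampled before the parallel section and passed in as a boolean. The step that rejects a pending passive request anywhere in the top-level traversable or its descendants lets one frame terminate a request issued by another frame, including a cross-origin one, with an observable `NetworkError`; if that is intended, say so explicitly and consider limiting it to same-site frames. The enclosing algorithm starts and ends outside the hunk.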
@@ -1297,8 +1314,9 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link. - 1. The user agent MAY use the {{IdentityCredentialRequestOptions/context}} to customize the - dialog shown. + 1. The user agent MAY use the + {{IdentityCredentialRequestOptions/context}} and |options|'s + {{IdentityCredentialRequestOptions/mode}} to customize the dialog shown. 1. If the user does not grant permission, return false. 1. [=Create a connection between the RP and the IdP account=] with |provider|, |account|, and |globalObject|. @@ -1465,6 +1483,19 @@ success or failure. 1. Otherwise, return failure. +
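Review bot: The new text in request-permission-to-sign-up refers to `|options|'s {{IdentityCredentialRequestOptions/mode}}`, but the caller shown in the hunk at `@@ -885,7 +901,8` invokes the algorithm with `|account|, |config|, |provider|, and |globalObject|` only, and the visible part of this algorithm's parameter list does not bind |options| either. Unless |options| is bound somewhere outside the hunk, the variable is dangling: either add it as a parameter (`…, an {{IdentityCredentialRequestOptions}} |options|, and a |globalObject| …`) and pass it at the call site, or derive the mode from a value the algorithm already receives. The algorithm's header and body both extend outside the hunk.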
+To fetch the config file and show an IDP login dialog given an +{{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following +steps. This returns success or failure. + 1. Assert: these steps are running [=in parallel=]. + 1. Let |config| be the result of running [=fetch the config file=] + with |provider| and |globalObject|. + 1. If |config| is failure, return failure. + 1. [=Show an IDP login dialog=] with |config| and |provider|. + 1. If that algorithm succeeds, return success. + 1. Otherwise, return failure. +
+ ## The IdentityProvider Interface ## {#browser-api-identity-provider-interface}