w3c-fedid · npm1 · Nov 18, 2024 · Oct 2, 2024 · Oct 3, 2024 · Oct 3, 2024
diff --git a/spec/index.bs b/spec/index.bs
@@ -784,29 +784,26 @@ or a pair (failure, bool), where the bool indicates whether to skip delaying
 the exception thrown.
     1. Assert: These steps are running [=in parallel=].
     1. Let |mode| be |options|'s {{IdentityCredentialRequestOptions/mode}}.
-    1. If |mode| is [=active=]
-        1. If [=transient activation=] is not present, return (failure, true).
-        1. If [=transient activation=] is present and there is a pending
-            request where |mode| is [=passive=], cancel the previous request
-            as if a {{CredentialRequestOptions/signal}} of
-            [=AbortSignal/aborted=] was given to it.
+    1. If |mode| is [=active=]:
+        1. Let |W| be |globalObject|'s [=associated Window=].
+        1. If |W| does not have [=transient activation=], return (failure, true).
+        1. Otherwise, if there is a pending request where |mode| is [=passive=] on |W|'s
+            [top-level browsing context](https://html.spec.whatwg.org/#bc-traversable) or on any
+            of its nested frames, reject the pending request with a "{{NetworkError}}" {{DOMException}}.
     1. Let |loginStatus| be the result of [=get the login status=] with
         the [=/origin=] of |provider|'s {{IdentityProviderConfig/configURL}}.
     1. If |loginStatus| is [=unknown=], a user agent MAY set it to [=logged-out=].
-    1. If |loginStatus| is [=logged-out=]
-
-        1. If |mode| is [=active=],
-            [=fetch the config file=] and [=show an IDP login dialog=].
-        1. If |mode| is [=passive=], the user agent MUST do one of the following:
+    1. If |loginStatus| is [=logged-out=]:
+        1. If |mode| is [=active=], [=fetch the config file and show an IDP login dialog=]
+            with |provider| and |globalObject|.
+        1. Otherwise, the user agent MUST do one of the following:
             * Return (failure, false).
             * Prompt the user whether to continue. If the user continues, the user
                 agent SHOULD set |loginStatus| to [=unknown=]. This MAY include an
                 affordance to [=show an IDP login dialog=].
-
                 * If the user cancels this dialog, return (failure, true).
-                * If the user triggers this affordance,
-                    [=fetch the config file=] and [=show an IDP login dialog=].
-
+                * If the user triggers this affordance, [=fetch the config file and show an IDP login dialog=]
+                   with |provider| and |globalObject|.
     1. Let |requiresUserMediation| be |provider|'s {{IdentityProviderConfig/configURL}}'s [=/origin=]'s
         [=requires user mediation=].
     1. Let |mediation| be |options|'s {{CredentialRequestOptions/mediation}}.
@@ -895,7 +892,7 @@ the exception thrown.
         1. Set |account| to |accountsList|[0].
         1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns
             [=compute the connection status/connected=], show a dialog to request user permission to sign
-            in via |account|, and set the result in |permission|. The user agent SHOULD use |options|'s
+            in via |account|, and set the result in |permission|. The user agent MAY use |options|'s
             {{IdentityCredentialRequestOptions/context}} and |options|'s
             {{IdentityCredentialRequestOptions/mode}} to customize the dialog.
         1. Otherwise, let |permission| be the result of running [=request permission to sign-up=]
@@ -1303,7 +1300,7 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}}
             is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of
             |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display
             the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link.
-        1. The user agent SHOULD use the
+        1. The user agent MAY use the
             {{IdentityCredentialRequestOptions/context}} and |options|'s
             {{IdentityCredentialRequestOptions/mode}} to customize the dialog shown.
     1. If the user does not grant permission, return false.
@@ -1472,6 +1469,19 @@ success or failure.
             1. Otherwise, return failure.
 </div>
 
+<div algorithm>
+To <dfn>fetch the config file and show an IDP login dialog</dfn> given an
+{{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following
+steps. This returns success or failure.
+    1. Assert: these steps are running [=in parallel=].
+    1. Let |config| be the result of running [=fetch the config file=]
+              with |provider| and |globalObject|.
+    1. If |config| is failure, return failure.
+    1. [=Show an IDP login dialog=] with |config| and |provider|.
+    1. If that algorithm succeeds, return success.
+    1. Otherwise, return failure.
+</div>
+
 <!-- ============================================================ -->
 ## The IdentityProvider Interface ## {#browser-api-identity-provider-interface}
 <!-- ============================================================ -->