This is a Stage 1 proposal of the FedID CG to extend FedCM to allow RPs to make custom requests to the IdP.
- @cbiesinger
FedCM’s account chooser and disclosure dialog only allow asking for permission to share standard claims (e.g. the user’s name, email address and profile picture). However, Identity Providers (IdPs) commonly need to ask for additional information before returning the token to the relying party (RP), such as requesting re-authentication, scopes beyond standard claims (e.g. API access), verifying up-to-date contact information, parental controls, etc.
There is currently no mechanism that lets an IdP request its user's permission in its own words before returning a token to the RP.
The proposal is to introduce:
- The API affordance that allows RPs to pass custom requests to IdPs
- The API affordance that allows IdPs to continue and finish the request in a popup window
- The API affordance that allows RPs to select which attributes of the user's profile they are looking for