This folder contains the implementation of the browser side logic for the FedCM feature. It is responsible for making all of the network requests needed to implement a FedCM request and also controls what UI and at which point in the process is shown to the user.
A FedCM request is initiated by a Relying Party (RP) in order to perform a federated identity related operation e.g., authenticate, logout etc., with an Identity Provider (IDP).
While RP and IDP could belong to the same site (or origin) the most interesting and common case is when the RP and IDP belong to different sites and thus this operation is a cross-site communication and subject to additional scrutiny by the browser.
Here is the basic process in Chromium for a FedCM request:
The RP renderer process creates a new request via async JavaScript APIs which return a promise.
Renderer process passes this request to the browser process via the federated_auth_request.mojo
mojo interface.
Browser process handles the requests. This handling often requires multiple fetch requests to the IDP and showing appropriate UI (e.g., account chooser, permission dialog) to the user. Most of the implementation of this step lives in this directory.
A successful authentication request often results in an OIDC token being generated by the IDP. This token is then passed to the RP renderer process via the mojo interface.
A failed request often results in passing an appropriate error message to the RP renderer process via the mojo interface.
The RP renderer process resolves or rejects the returned promise based on the response that it receives from the browser process and completes the request.
As explained before, the cross-site nature of FedCM communication means that there is additional scrutiny and enforcement for them by the browser. These enforcements occur in the browser process so that they cannot be side-stepped by a malicious renderer process. This is why all of FedCM network requests occur in the browser process.
TODO: Explain various fetches that occur in idp_network_request_manager.h in particular which storage partition are used for them, any special caching logic, or request parameter processing.
As part of the FedCM request flow the user often has to grant the RP and IDP special permissions to allow cross-site communications. This exact UX for granting of these permissions depends on the mode that is used.
Here are the permissions that are currently used:
Note: The account identifier used by the account specific sharing permission comes from the user selection in the account selector UI in the browser. This is a reasonable choice. However it is possible for the final id token generated by the IDP to be for a different account (as denoted by its subject
field in the OIDC). This is considered a bug and it is because the browser currently does not have any enforcement to ensure these two accounts are the same. The browser may (and probably will) add such enforcements after its starts inspecting the returned token so this behavior should not be relied upon.
There are currently two different modes supported for FedCM with their own specific UX and UI: permission-oriented mode, and mediation-oriented mode.
At the moment the mediation UI is only implemented on Android and on Desktop platforms no UI is shown and instead we pretend that the first account is selected.
In contrast the permission UI is only implemented for Desktop platforms but not on Android.
FederatedAuthRequestImpl
: Concrete implementation of the mojo interface to initiate a FedCM request. It contains most of the business logic and state necessary for FedCM requests.IdPNetworkRequestManager
: Handles all fetches needed for FedCM. It ensures we use the right storage partition and cookie jar for each request. This class is stateless itself.