FAPI + FedCM

Issue #689 open
Joseph Heenan created an issue

There is an effort going on at W3C to define a new browser API for iDPs to provide identity information: https://fedidcg.github.io/FedCM/

There are two things here that I think are relevant to the FAPI working group:

  1. It is likely that at some point Browsers will break OAuth2 flows when they block the use of link decoration user tracking, and FedCM is the fix for this
  2. The FedCM API provides some potential advantages, like we may be able to use it such that the Browser (or the OS in a native app RP) is able to display a list of banks the user has previously logged into, giving the user an easier way to select a bank than the current NASCAR issue of 40+ UK banks and 100+ Brazil banks.

There are some slides from OSW with background on FedCM here: https://tcslides.link/OSW24-FedCM101

I think the main thing here is to raise the profile of this work within the FAPI working group. We don’t think FedCM as it is defined/implemented today quite works for the OpenBanking/FAPI type use cases, but from discussions at OAuth Security Workshop there is definitely the possibility to make some changes so it does work. One helpful thing might be if banks or fintechs would join and participate in https://www.w3.org/community/fed-id/

Comments (6)

  1. Nat Sakimura

    Nat to follow up with Gail/Mike to how liaison would work with W3C so that OIDF rep can participate in their meetings.

  2. Joseph Heenan reporter

    Yaron at Raiffeisen Bank International has been prototyping FedCM + FAPI - I spoke to him about it at EIC, he’d run into some issues, but I shared the approach we’d talked about with Sam/Tim (I think?) during IIW and moving closer to that approach (basically using FedCM only as an account chooser, and treat the “is logged in” query to the iDP more like “has the user logged in before”) seemed like it would fix his issues.