-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The name "token" seem to imply that only ID Tokens can be passed back to RPs #579
Comments
I think we could do a type field to define the semantics of the |
Yeah, that's another way that this could go, but that wouldn't address the confusion created by the name "token", would it? |
Ah right. This is in the context of other artifacts like |
That should not be a big concern given how little this spec adopted by the audience you're reaching out to.
-1, the last thing I'd want is to have to wait for browsers to adopt, support, and rollout additional fields to RPs when we define a new response shapes
+1 I thought that's what |
See my comment on this giant thread here where I used this field to return an OAuth authorization code which is exchanged for actual info from the IdP server-side. |
FedCM is used in a large number of Chrome page loads, so even though the spec change would be ok to be backwards incompatible, from our perspective we want to avoid these changes if at all possible. That said, we could support passing 'token' OR 'response' if that helps with the confusion? If a developer passes both, we'd throw. |
It is still possible to make backwards compatible changes, but we don't take them lightly.
To be concrete, 0.8% of page loads in Chrome: https://twitter.com/RickByers/status/1781376930912333880 |
This is actually a very surprising number of page loads. Where is it being used? |
Every site on the web that uses these variations of Sign in with Google: |
I believe that entirely depends on what shape #578 is going to take. If it's going to define a new property (e.g. |
Ah, fair. Let me reopen this, and we can revisit as either moves along. |
Ok, I moved this a bit further in a way that I believe still makes this issue obsolete, by making the following choice:
I made a concrete proposal in the following issue and will close this one here as as obsolete by the other. Will reopen this if my proposal in the other issue falls through. |
It was raised numerous times (example) that our choice of words of token leads a reader/developer to assume that only ID Tokens can be passed back to the RP, when, in fact, it was designed to allow any arbitrary data to be passed back: it is a
USVString
, so it can be anything (e.g. a SAML XML response, a JSON.stringify(data), an access token, an mp3 file, a JPEG, whatever can be binary encoded into a string).A few options that we have on this:
token
(backwards incompatible, so a bit hard)code
(less extensible, but more interoperable?)data
orresponse
(more extensible, but less interoperable?)The text was updated successfully, but these errors were encountered: