Support for FedCM #1195

Open
ch-lepp opened this issue Oct 5, 2023 · 7 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

ch-lepp commented Oct 5, 2023

Keycloak with its version 22.0.4 just released a fix for an issue regarding 3rd party cookies.

The problem is that certain OIDC/OAuth features require the use of cookies. In case the RP is hosted under a different domain than the IDP, those cookies are 3rd party cookies.
Due to privacy concerns, browsers implement an increasingly strict handling of 3rd party cookies, up to blocking them entirely.
This is even mentioned in the official OIDC specs.

The new FedCM API is designed to help browsers mitigate this problem.
It however requires support from the IDP as well as from the RP.

So my question is: Do you have any plans for the foreseeable future to add support for the FedCM API?

Member

pamapa commented Oct 5, 2023

I have no immediate plans to implement it, but would support and appreciate if anybody would like to see what FedCM means for this library. I guess the easiest would be someone with access to that feature on IDP side...

@pamapa pamapa added enhancement New feature or request help wanted Extra attention is needed labels Oct 5, 2023
@jonkoops

Note we are tracking FedCM support in Keycloak (keycloak/keycloak#16834), and we intend to implement support for it relatively soon (a couple of months). It will however be behind a feature flag until the specification is finalized.


deanmaster commented Oct 12, 2023

Hi @pamapa,
in the context of this API support from Keycloak, we are using oidc-client-ts in our projects (not the Keycloak adapter). Should I expect any problems with the integration if the browser really blocks 3rd party cookies?

We have many projects using this integration (oidc-client-ts communicating with Keycloak as IDP).

@jonkoops and @pamapa thanks a lot for your answer.

@jonkoops

It might be worth it to attempt to use this library with the cookie protection set to the strictest modes possible in respective browsers, and see if this causes any issues that might have to be documented or worked around.

Specifically, we now emit an error status in Keycloak for the Session Status iframe when we do not have access to cookies (see keycloak/keycloak#23840 for historical discussion).
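
As an added illustration of the behaviour described in the comment above (not part of the thread, and not code from Keycloak or oidc-client-ts): an RP-side handler for Session Status iframe replies that checks the sender and treats `error` as a signal to stop polling instead of retrying. The status strings come from OpenID Connect Session Management 1.0; `OP_ORIGIN`, `opFrame`, the action names and the `handlers` shape are assumptions made for the example.

```javascript
// Added example; status strings per OpenID Connect Session Management 1.0.
const STATUSES = new Set(["changed", "unchanged", "error"]);

// Decide what the RP should do with one "message" event.
// opOrigin / opFrameWindow: the IdP origin and the OP iframe's contentWindow.
function classifySessionMessage(event, opOrigin, opFrameWindow) {
  // Any page can postMessage to the RP window: accept only the OP iframe.
  if (event.origin !== opOrigin || event.source !== opFrameWindow) return "ignore";
  if (typeof event.data !== "string" || !STATUSES.has(event.data)) return "ignore";
  if (event.data === "unchanged") return "keep-polling";
  // "changed": the spec has the RP re-authenticate with prompt=none.
  if (event.data === "changed") return "reauthenticate";
  // "error": the spec forbids a prompt=none retry here, to avoid request loops.
  return "stop-polling";
}

// Attach to a window-like target; returns a detach function.
// `handlers` maps action names to callbacks (hypothetical shape).
function watchSessionStatus(target, opOrigin, opFrameWindow, handlers) {
  const listener = (event) => {
    const action = classifySessionMessage(event, opOrigin, opFrameWindow);
    if (action !== "ignore" && handlers[action]) handlers[action]();
  };
  target.addEventListener("message", listener);
  return () => target.removeEventListener("message", listener);
}

// Constructed sample events (not captured traffic).
const OP_ORIGIN = "https://idp.example";
const opFrame = {}; // stands in for iframe.contentWindow
function classifySamples() {
  return [
    { origin: OP_ORIGIN, source: opFrame, data: "unchanged" },
    { origin: OP_ORIGIN, source: opFrame, data: "error" },
    { origin: "https://other.example", source: opFrame, data: "changed" },
    { origin: OP_ORIGIN, source: {}, data: "changed" },
    { origin: OP_ORIGIN, source: opFrame, data: { status: "changed" } },
  ].map((e) => classifySessionMessage(e, OP_ORIGIN, opFrame));
}
```
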

Member

pamapa commented Oct 16, 2023

@jonkoops Would be great if you could elaborate a patch for this library to add support for it.

Probably something like:

```ts
public async signinSilent(args: SigninSilentArgs = {}): Promise<User | null> {
  // ...
  if (this.settings.fedcm) { /* new configuration option */
    return await this._useFedCM();
  }
  // ...
}
```

The fedcm part could, if larger, go into a new service or util file.

@jonkoops

Yeah, I am not sure if you'd want to have FedCM part of the existing implementation like that, or if you would consider it essentially a whole separate client. I feel like it differentiates itself enough to have its own FedCMClient or something like it, but things on the spec side are still very much work in progress.

Member

pamapa commented Oct 19, 2023

> I feel like it differentiates itself enough to have its own FedCMClient or something like it, but things on the spec side are still very much work in progress.

I would be fine with this as long as it makes sense.
