
Support for FedCM

Open ch-lepp opened this issue 2 years ago • 7 comments

Keycloak with its version 22.0.4 just released a fix for an issue regarding 3rd party cookies.

The problem is that certain oidc/oauth features require the use of cookies. In case the RP is hosted under a different domain than the IDP, those cookies are 3rd party cookies. Due to privacy concerns, browsers implement an increasingly strict handling of 3rd party cookies, up to blocking them entirely. This is even mentioned in the official oidc specs.

The new FedCM API is designed to help browsers mitigate this problem. It however requires support from the IDP as well as from the RP.

So my question is: Do you have any plans for the foreseeable future to add support for the FedCM API?

ch-lepp, Oct 05 '23 10:10

I have no immediate plans to implement it, but would support and appreciate if anybody would like to see what FedCM means for this library. I guess the easiest would be someone with access to that feature on IDP side...

pamapa, Oct 05 '23 11:10

Note we are tracking FedCM support in Keycloak (https://github.com/keycloak/keycloak/issues/16834), and we intend to implement support for it relatively soon (a couple of months). It will however be behind a feature flag until the specification is finalized.

jonkoops, Oct 10 '23 16:10

Hi @pamapa, in the context of this API support from Keycloak: we are using oidc-client-ts in our projects (not the Keycloak adapter). Should I expect any problem with the integration if the browser really blocks 3rd party cookies?

We have many projects using this integration (oidc-client-ts communicating with Keycloak as IDP).

@jonkoops and @pamapa thanks a lot for your answer.

deanmaster, Oct 12 '23 09:10

It might be worth it to attempt to use this library with the cookie protection set to the strictest modes possible in respective browsers, and see if this causes any issues that might have to be documented or worked around.

Specifically, we now emit an error status in Keycloak for the Session Status iframe when we do not have access to cookies (see https://github.com/keycloak/keycloak/issues/23840 for historical discussion).

jonkoops, Oct 13 '23 13:10

@jonkoops It would be great if you could elaborate a patch for this library to add support for it.

Probably something like:

```ts
public async signinSilent(args: SigninSilentArgs = {}): Promise<User | null> {
  // ...
  if (this.settings.fedcm) { /* new configuration option */
    return await this._useFedCM();
  }
  // ...
}
```

The fedcm part could go if larger into a new service or util file.

pamapa, Oct 16 '23 08:10
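As an added example (not code from oidc-client-ts or from this thread), here is what the `_useFedCM()` branch sketched above might do on the RP side. The call shape `navigator.credentials.get({ identity: { providers: [...] } })` returning an `IdentityCredential` with a `token` is the real FedCM API; the `*Like` interfaces, `signinSilentViaFedCM`, and the injected `verifyIdToken` callback (where the actual signature, `iss` and `exp` checks against the IdP's keys are assumed to happen) are my assumptions.

```typescript
interface FedCMProvider { configURL: string; clientId: string; nonce: string; }
interface IdentityCredentialLike { type: string; token: string; }
interface CredentialsLike {
  get(opts: { identity: { providers: FedCMProvider[] } }): Promise<IdentityCredentialLike | null>;
}
type Claims = Record<string, unknown>;

// base64url helpers, portable between browser (atob/btoa) and Node (Buffer); ASCII claims only.
const b64uDecode = (s: string): string => {
  let b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  const g = globalThis as any;
  return g.atob ? g.atob(b64) : g.Buffer.from(b64, "base64").toString("utf8");
};
const b64uEncode = (s: string): string => {
  const g = globalThis as any;
  const b64: string = g.btoa ? g.btoa(s) : g.Buffer.from(s, "utf8").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
};

// Reads the payload WITHOUT checking the signature: for the offline demo and logging only.
export function decodeClaimsUnverified(idToken: string): Claims {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(b64uDecode(parts[1]));
}

// Request binding the RP must enforce even after the signature checks out:
// `nonce` ties the token to this credentials.get() call, `aud` must be this client.
export function checkIdTokenClaims(claims: Claims, p: FedCMProvider): boolean {
  return claims.nonce === p.nonce && claims.aud === p.clientId;
}

// Candidate body for the `_useFedCM()` branch sketched in the comment above (assumed name).
export async function signinSilentViaFedCM(
  p: FedCMProvider,
  verifyIdToken: (token: string) => Promise<Claims>,
  credentials: CredentialsLike | undefined = (globalThis as any).navigator?.credentials,
): Promise<Claims | null> {
  if (!credentials) return null; // no FedCM here: caller falls back to the iframe/redirect flow
  const cred = await credentials.get({ identity: { providers: [p] } });
  if (!cred || cred.type !== "identity" || !cred.token) return null; // declined or no IdP session
  const claims = await verifyIdToken(cred.token); // signature + iss/exp checks live here
  if (!checkIdTokenClaims(claims, p)) throw new Error("ID token not bound to this request");
  return claims;
}

// Constructed, unsigned (alg "none") token so the sketch can be exercised offline.
export function constructedUnsignedIdToken(claims: Claims): string {
  return `${b64uEncode(JSON.stringify({ alg: "none" }))}.${b64uEncode(JSON.stringify(claims))}.`;
}
```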

Yeah, I am not sure if you'd want to have FedCM part of the existing implementation like that, or if you would consider it essentially a whole separate client. I feel like it differentiates itself enough to have its own FedCMClient or something like it, but things on the spec side are still very much work in progress.

jonkoops, Oct 16 '23 08:10

> I feel like it differentiates itself enough to have its own FedCMClient or something like it, but things on the spec side are still very much work in progress.

I would be fine with this as long as it makes sense.

pamapa, Oct 19 '23 13:10