|
| 1 | +--- |
| 2 | +id: fedcm |
| 3 | +title: Federated Credential Management (FedCM) |
| 4 | +sidebar_label: FedCM |
| 5 | +--- |
| 6 | + |
| 7 | +```mdx-code-block |
| 8 | +import BrowserWindow from "@site/src/theme/BrowserWindow" |
| 9 | +``` |
| 10 | + |
| 11 | +## Overview |
| 12 | + |
| 13 | +Federated Credential Management (FedCM) is a [web API](https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API) and |
| 14 | +[standard](https://www.w3.org/TR/fedcm/) that allows users to sign in to websites using their federated identity providers (IdPs). |
| 15 | +It aims to provide a more secure and privacy-preserving way for users to authenticate with third-party services. |
| 16 | + |
| 17 | +When FedCm is set up, users will see a browser prompt asking them to use their federated identity provider to sign in to the |
| 18 | +website: |
| 19 | + |
| 20 | +```mdx-code-block |
| 21 | +<BrowserWindow url="https://cname.ory"> |
| 22 | +
|
| 23 | + |
| 24 | +
|
| 25 | +</BrowserWindow> |
| 26 | +``` |
| 27 | + |
| 28 | +## Why FedCM? |
| 29 | + |
| 30 | +FedCM is a great way to improve the login experience for your users. It allows them to sign in to your website using their |
| 31 | +existing IdP, from any content site you embed the FedCM script on. Making it easier for users to sign in can increase user trust |
| 32 | +and conversion rates. |
| 33 | + |
| 34 | +:::note |
| 35 | + |
| 36 | +Because the FedCM script needs to communicate with the Ory APIs, you need to create a custom domain and enable CORS requests to it |
| 37 | +from your content sites. |
| 38 | + |
| 39 | +::: |
| 40 | + |
| 41 | +## How It Works |
| 42 | + |
| 43 | +1. **Fetching Parameters:** Your website requests the FedCM parameters from the Ory APIs. |
| 44 | +1. **User Initiates Sign-In:** The user clicks a "Sign in with [IdP]" button on your website. |
| 45 | +1. **FedCM API Call:** The user's browser uses the FedCM API to request an identity assertion from the IdP. |
| 46 | +1. **User Consent:** The browser prompts the user to consent to sharing their identity with the relying party. |
| 47 | +1. **Identity Assertion:** The IdP provides an identity assertion to your website. |
| 48 | +1. **Authentication, Session issuance:** Your website submits the identity assertion to the Ory APIs to create an identity and |
| 49 | + session. |
| 50 | + |
| 51 | +## Setup |
| 52 | + |
| 53 | +### Configuration of the SSO providers |
| 54 | + |
| 55 | +To set up FedCM, navigate to <ConsoleLink route="project.socialSignIn" /> and set up a new social sign-in provider. FedCM is |
| 56 | +currently only supported for Google and NetID. Aside from the standard social sign-in configuration, you need to provide a |
| 57 | +`FedCM Config URL` for the IdP. For NetID, additionally supply the `FedCM Token Exchange Origin Header`, which must be one of the |
| 58 | +`origin_uris` of the NetID client. |
| 59 | + |
| 60 | +### Configuration of the custom domain |
| 61 | + |
| 62 | +In order to use FedCM with the Ory Network, it is necessary to expose the Ory Network APIs on a custom domain. To set up, navigate |
| 63 | +to <ConsoleLink route="project.cname" /> and add a new custom domain. Make sure that you enable CORS, and that each origin you |
| 64 | +want to use FedCM from is added to the list of allowed origins. |
| 65 | + |
| 66 | +### Embedding the FedCM script |
| 67 | + |
| 68 | +Next, embed the following script on each page you want to use FedCM on. In the script, replace `<YOUR CUSTOM ORY DOMAIN>` with the |
| 69 | +custom domain you created in the previous step. |
| 70 | + |
| 71 | +```javascript |
| 72 | +if ("IdentityCredential" in window) { |
| 73 | + // Fetch the OIDC provider configuration from the Ory Network. |
| 74 | + // This will only include providers for which the FedCM config URL is set. |
| 75 | + const parameters = await ( |
| 76 | + await fetch("https://<YOUR CUSTOM ORY DOMAIN>.projects.oryapis.com/self-service/fed-cm/parameters", { |
| 77 | + credentials: "include", |
| 78 | + }) |
| 79 | + ).json() |
| 80 | + |
| 81 | + // Request an identity assertion from the user's browser. |
| 82 | + // Prior to the call, you can sort or filter this list if needed. |
| 83 | + const { token } = await navigator.credentials.get({ |
| 84 | + identity: { |
| 85 | + providers: parameters.providers.map((p) => ({ |
| 86 | + configURL: p.config_url, |
| 87 | + clientId: p.client_id, |
| 88 | + nonce: p.nonce, |
| 89 | + })), |
| 90 | + }, |
| 91 | + }) |
| 92 | + |
| 93 | + // Submit the identity assertion to the Ory Network. |
| 94 | + // This will log in or register the user and issue a session. |
| 95 | + await fetch("https://<YOUR CUSTOM ORY DOMAIN>/self-service/fed-cm/token", { |
| 96 | + credentials: "include", // necessary to send the CSRF cookie |
| 97 | + method: "POST", |
| 98 | + headers: { "Content-Type": "application/json" }, |
| 99 | + body: JSON.stringify({ |
| 100 | + token, |
| 101 | + csrf_token: parameters.csrf_token, // necessary to prevent CSRF attacks |
| 102 | + }), |
| 103 | + }) |
| 104 | +} |
| 105 | +``` |
| 106 | + |
| 107 | +## Browser support |
| 108 | + |
| 109 | +Since FedCM is a relatively new standard, browser support is limited to Chrome, Edge and Opera. Firefox and Safari do not yet |
| 110 | +support FedCM. |
0 commit comments