[FedCM] Replace the scopes API with the fields API

This implements the new proposal here: https://github.com/fedidcg/FedCM/issues/559 If one or two but not all of ["name", "email", "picture"] are requested, we reject the promise. Otherwise, we show the disclosure text if either field is not specified or contains the three default fields. All specified fields are passed to the server in the "fields" parameter; if fields was unspecified we pass the default fields here. All this is for forwards compatibility. Bug: 40262526 Change-Id: I13833691e5f2851f0dc8e9568d007e57a47b8127
web-platform-tests · May 9, 2024 · d0ed8f1 · d0ed8f1
1 parent 452afc7
commit d0ed8f1
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 2 deletions.
diff --git a/credential-management/fedcm-authz/fedcm-disclosure-text-shown.https.html b/credential-management/fedcm-authz/fedcm-disclosure-text-shown.https.html
@@ -16,10 +16,42 @@
 fedcm_test(async t => {
   let options = request_options_with_mediation_required("manifest_check_disclosure_shown_false.json");
   options.identity.providers[0].clientId = "0";
-  options.identity.providers[0].scope = ["non_default_scope"];
+  options.identity.providers[0].fields = ["non_default_field"];
+  options.identity.providers[0].nonce = "non_default_field";
   const cred = await fedcm_get_and_select_first_account(t, options);
   assert_equals(cred.token, "token");
   assert_equals(cred.isAutoSelected, false);
-}, "We should send disclosure_text_shown=false when custom scopes are passed.");
+}, "We should send disclosure_text_shown=false when custom fields are passed.");
+
+fedcm_test(async t => {
+  let options = request_options_with_mediation_required("manifest_check_disclosure_shown_false.json");
+  options.identity.providers[0].clientId = "0";
+  options.identity.providers[0].fields = [];
+  options.identity.providers[0].nonce = "";
+  const cred = await fedcm_get_and_select_first_account(t, options);
+  assert_equals(cred.token, "token");
+  assert_equals(cred.isAutoSelected, false);
+}, "We should send disclosure_text_shown=false when an empty custom fields array is passed.");
+
+
+fedcm_test(async t => {
+  let options = request_options_with_mediation_required("manifest_check_disclosure_shown_true.json");
+  options.identity.providers[0].clientId = "0";
+  options.identity.providers[0].nonce = "name,email,picture";
+  const cred = await fedcm_get_and_select_first_account(t, options);
+  assert_equals(cred.token, "token");
+  assert_equals(cred.isAutoSelected, false);
+}, "We should send disclosure_text_shown=true when no custom fields are passed.");
+
+fedcm_test(async t => {
+  let options = request_options_with_mediation_required("manifest_check_disclosure_shown_true.json");
+  options.identity.providers[0].clientId = "0";
+  options.identity.providers[0].fields = ["name", "email", "picture", "locale"];
+  options.identity.providers[0].nonce = "name,email,picture,locale";
+  const cred = await fedcm_get_and_select_first_account(t, options);
+  assert_equals(cred.token, "token");
+  assert_equals(cred.isAutoSelected, false);
+}, "We should send disclosure_text_shown=true when custom fields are passed in addition to standard fields.");
+
 
 </script>
diff --git a/credential-management/support/fedcm/manifest_check_disclosure_shown_true.json b/credential-management/support/fedcm/manifest_check_disclosure_shown_true.json
@@ -0,0 +1,7 @@
+{
+  "accounts_endpoint": "accounts.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token_check_disclosure_shown_true.py",
+  "login_url": "login.html"
+}
+
diff --git a/credential-management/support/fedcm/token_check_disclosure_shown_false.py b/credential-management/support/fedcm/token_check_disclosure_shown_false.py
@@ -6,8 +6,13 @@ def main(request, response):
   if (request_error):
     return request_error
 
+  nonce = request.POST.get(b"nonce") or b""
   if request.POST.get(b"disclosure_text_shown") != b"false":
     return (560, [], "disclosure_text_shown is not false")
+  if request.POST.get(b"disclosure_shown_for") != b"":
+    return (561, [], "disclosure_shown_for is not empty")
+  if request.POST.get(b"fields") != nonce:
+    return (562, [], "fields does not match nonce")
 
   response.headers.set(b"Content-Type", b"application/json")
   response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))

diff --git a/credential-management/support/fedcm/token_check_disclosure_shown_true.py b/credential-management/support/fedcm/token_check_disclosure_shown_true.py
@@ -0,0 +1,21 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.tokenCheck(request)
+  if (request_error):
+    return request_error
+
+  nonce = request.POST.get(b"nonce") or b""
+  if request.POST.get(b"disclosure_text_shown") != b"true":
+    return (560, [], "disclosure_text_shown is not true")
+  if request.POST.get(b"disclosure_shown_for") != b"name,email,picture":
+    return (561, [], "disclosure_shown_for is not name,email,picture")
+  if request.POST.get(b"fields") != nonce:
+    return (562, [], "fields does not match nonce")
+
+  response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
+
+  return "{\"token\": \"token\"}"