Reflections on FedID Community and Working Group Activities at W3C TPAC 2024
The recent W3C TPAC meeting brought together members of the Federated Identity (FedID) Community Group (CG) and Working Group (WG) (and interested observers) for discussions on our ongoing efforts in federated authentication and credential management. Despite facing some unexpected logistical challenges—a major power outage and persistent construction noise—we had productive sessions over the course of two days. ICYMI, here are some of the key takeaways from the meetings.
Day 1: CG-WG Process and Feature Demos
Day 1 was dedicated to reviewing our CG-WG processes and demos from people who have implemented FedCM, including Shopify and Google Identity. As part of our introduction, we took this time to clarify the working relationship between the Community Group and the Working Group, highlighting pathways for ideas to progress from concept to recommendation. We want people to have a better sense for what stage of maturity any particular issue or proposal is in the process; looking from the outside, that’s sometimes difficult to figure out! We also want a way for Developers to indicate that a feature is of sufficient interest and meets a need such that it should be made part of the web platform.
The community-driven aspects of our work continue to be a critical factor in the success of the Federated Credential Management (FedCM) initiative, and we saw that in the quality of the demos presented. Diving into those discussions (when we weren’t drowned out by the noise of jackhammers) made for an interesting and extended set of conversations, pushing some of what we wanted to discuss into Day 2.
As always, the key focus was on understanding how new proposals can enhance user experience without compromising privacy or introducing unnecessary complexity.
Day 2: Reviewing Proposals and Moving Forward
Day 2 saw us combining the canceled morning session with the afternoon time slot, but we made considerable progress on several important topics. We started with a demo and discussion around Lightweight FedCM, which is still in Stage 1. From there, we focused on multiple proposals specifically related to the main FedCM API that are currently in Stage 1, assessing their readiness to move to Stage 2 based on explainers, considerations of alternatives, and demonstration of developer need/fitness for purpose. Notably, the following proposals reached consensus for advancement:
- Active Mode (Issue 442)
- Continuation API (Issue 555)
- Account Labels API (Issue 553)
- Multiple configURLs API (Issue 552)
- Multi-IdP API (Issue 319)
- SAA Autogrant (Issue 467)
These proposals are crucial to furthering the capabilities of FedCM, particularly in managing multiple identity providers, improving user interaction with federated login flows, and enhancing the overall flexibility of identity management solutions. We have asked the community to review these decisions and provide feedback via pull requests if there are any additions or corrections to be made. You can find more details and follow the discussions on the Status of FPWD-identified Issues page.
It’s worth noting that moving items into Stage 2 does not mean they are complete and ready for standardization. It means we have the shape of the idea sorted out enough to start writing specification text instead of just explainers; final approvals for a full Candidate Recommendation happen later in our process while entering Stage 3.
Discussions Beyond the Meeting: Login Status API
One of the topics that generated extensive discussion was the Login Status proposal, which carried on beyond the working session itself. The question was if and/or how to merge the Login Status API repository in the Privacy CG with the Login Status API repo in the FedID WG. There is now a dedicated GitHub issue (Login Status Issue #8) that outlines possible next steps. If you’re involved in this aspect of the project, please contribute your thoughts to help us build consensus around the best path forward. To summarize this one, we are keeping both the Privacy CG and the FedID WG repositories for now, as they are focused on slightly different things (verified login status vs self-asserted login status). The repository in the FedID WG will continue to be developed, but the editors are going to keep compatibility with the goals of the Privacy CG’s original work in mind.
FedCM Breakout Session: A Deeper Dive
At TPAC, we also held an in-depth breakout session focused on the implementation of FedCM by Shopify. This session explored some of the challenges and opportunities in deploying FedCM, particularly in environments with multiple identity providers and complex configuration needs. The discussion notes from this session are available here, and they provide a great overview of how we’re navigating the technical complexities that arise when implementing a federated approach to identity.
Looking Ahead
In addition to advancing specific proposals, we also discussed a procedural clarification aimed at streamlining how we reach consensus on pull requests and proposal advancements. During the meeting, we made provisional decisions on how editors and chairs could be empowered to make real-time consensus calls without always needing a follow-up call to the mailing list. This change could significantly improve our ability to respond quickly to emerging ideas and developments, while still ensuring transparency and accountability. We are currently seeking feedback on this proposed change—if you have concerns, please let us know.
Moving forward, we’re committed to driving progress in federated identity solutions that prioritize user privacy, security, and usability. We encourage all members to stay involved—whether by reviewing meeting notes, contributing to GitHub issues, or participating in future discussions. Your insights and contributions are vital as we refine and expand the FedCM specification and work toward broader adoption.
If you have feedback or wish to contribute, please engage with us through GitHub, where the minutes from TPAC have been posted:
Finally, we’d like to extend our thanks to everyone who participated in the TPAC meetings. Despite the challenges we faced, we were able to hold meaningful discussions that helped us advance critical proposals and processes. We look forward to your continued support and contributions!