
FedCM Demo - Online Federated Credential Management

Demo flow steps: 1. RP Config, 2. Well-Known, 3. Accounts, 4. User Select, 5. Token, 6. Done
FAQ & Knowledge Base

FedCM is a browser API that enables federated identity (single sign-on) without third-party cookies. It allows Relying Parties (RP) to sign users in via an Identity Provider (IdP) in a privacy-preserving way. The browser mediates the entire flow, showing a native UI so users know exactly which account they're sharing. It's part of Google's Privacy Sandbox initiative and is supported in Chrome 108+ and Edge 108+.

FedCM protects privacy in several ways: (1) The browser shows a native UI so users explicitly consent to sharing identity. (2) The IdP cannot track users across sites without their knowledge. (3) No third-party cookies are used. (4) The RP only receives a token, never raw user credentials. (5) Users can revoke consent at any time. (6) The API requires HTTPS for all endpoints.

Currently Chrome 108+ and Edge 108+ support FedCM. Firefox has expressed positive interest and is expected to implement it. Safari has not yet committed to support. You can check support by testing whether window.IdentityCredential is defined, or by using the status detector in this demo tool.

This is a JSON file that the IdP must host at /.well-known/web-identity. It contains a provider_urls array pointing to the IdP's FedCM configuration file. The browser fetches this first to discover the IdP's endpoints. Example: {"provider_urls":["https://idp.example.com/fedcm.json"]}. The fedcm.json then specifies accounts_endpoint, id_assertion_endpoint, branding, etc.

FedCM is not a replacement for OAuth/OIDC. It's a browser-level API that mediates the identity flow. OAuth/OIDC can still be used as the underlying protocol between RP and IdP. FedCM handles the front-channel (what the user sees), while OAuth/OIDC handles the back-channel (token exchange). Many IdPs implement FedCM on top of their existing OIDC infrastructure.

The IdP must provide:
1. /.well-known/web-identity — discovery file
2. Accounts Endpoint — returns list of signed-in accounts (with CORS)
3. ID Assertion Endpoint — returns a signed token for the selected account
4. Client Metadata Endpoint (optional) — RP-specific metadata
5. Login URL (optional) — fallback for users with no session
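A simulated IdP that serves the well-known discovery file described above and the endpoints in this list, as an added example that is not the demo tool's own code. The idp.example.com and rp.example.com origins, the rp-client-123 client id, the sid= session cookie and the user record are assumptions; the Sec-Fetch-Dest and Origin checks are the ones a real IdP performs on FedCM fetches.

```javascript
// Simulated IdP implementing the FedCM endpoints (added example, not the demo's own code).
// Origins, client ids, the session cookie and the user record are assumptions.
const IDP_ORIGIN = 'https://idp.example.com';                  // assumed IdP origin
const CLIENTS = { 'rp-client-123': 'https://rp.example.com' }; // assumed RP registrations
const SESSION = { id: 'u-42', name: 'Ada Lovelace', email: 'ada@example.com' }; // constructed user

const json = (status, body, extra = {}) => ({
  status, headers: { 'content-type': 'application/json', ...extra }, body: JSON.stringify(body),
});
// Demo session check: the browser forwards IdP cookies on FedCM fetches.
const hasSession = (h) => typeof h.cookie === 'string' && h.cookie.includes('sid=');

function handle(req) {
  const { method, path, headers } = req;
  // The browser tags every FedCM fetch with Sec-Fetch-Dest: webidentity; refusing
  // anything else stops ordinary page scripts from calling these endpoints directly.
  if (headers['sec-fetch-dest'] !== 'webidentity') return json(400, { error: 'not a FedCM fetch' });
  if (path === '/.well-known/web-identity')
    return json(200, { provider_urls: [`${IDP_ORIGIN}/fedcm.json`] });
  if (path === '/fedcm.json')
    return json(200, {
      accounts_endpoint: '/accounts', id_assertion_endpoint: '/assertion',
      client_metadata_endpoint: '/client-metadata', login_url: '/login',
      branding: { name: 'Example IdP' },
    });
  if (path === '/client-metadata')
    return json(200, { privacy_policy_url: `${IDP_ORIGIN}/privacy`, terms_of_service_url: `${IDP_ORIGIN}/tos` });
  if (path === '/accounts') {
    if (!hasSession(headers)) return json(401, { accounts: [] }); // browser then offers login_url
    return json(200, { accounts: [{ ...SESSION, approved_clients: Object.keys(CLIENTS) }] });
  }
  if (path === '/assertion' && method === 'POST') {
    if (!hasSession(headers)) return json(401, { error: 'no session' });
    const p = new URLSearchParams(req.body);               // form-encoded POST body
    const origin = CLIENTS[p.get('client_id')];
    // Bind the token to the registered RP origin (sent by the browser as Origin) and account.
    if (!origin || origin !== headers.origin) return json(403, { error: 'client/origin mismatch' });
    if (p.get('account_id') !== SESSION.id) return json(403, { error: 'account mismatch' });
    // A real IdP signs this (e.g. a JWT); here it is a plain JSON blob carrying the RP nonce.
    const token = JSON.stringify({ sub: SESSION.id, aud: p.get('client_id'), nonce: p.get('nonce') });
    return json(200, { token }, { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' });
  }
  return json(404, { error: 'not found' });
}
```

The RP never sees the IdP cookie; it only receives the token, which carries the nonce it supplied so the RP can reject replayed assertions.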

FedCM works on localhost without HTTPS. You can: (1) Run a local IdP server with the required .well-known endpoints. (2) Use the Chrome flag chrome://flags#fedcm-without-third-party-cookies to test without third-party-cookie (3PC) blocking. (3) Use Chrome DevTools to inspect FedCM requests under the Application panel. (4) Use this demo tool, which provides a simulated environment for understanding the flow before deploying real endpoints.

Active mode (mode: 'active'): The browser always shows the FedCM UI, even if the user has no session. Good for explicit sign-in buttons.
Passive mode (mode: 'passive'): The browser only shows UI if the user already has an active IdP session. If no session exists, it fails silently. Good for auto-sign-in scenarios.