Login Status API

W3C First Public Working Draft,

More details about this document
This version:
https://www.w3.org/TR/2024/WD-login-status-1-20240918/
Latest published version:
https://www.w3.org/TR/fedcm/#browser-api-login-status
Editor's Draft:
https://w3c-fedid.github.io/login-status
History:
https://www.w3.org/standards/history/login-status-1/
Test Suite:
https://github.com/web-platform-tests/wpt/tree/master/fedcm/fedcm-login-status
Feedback:
GitHub
Inline In Spec
Editors:
(Google Inc.)
(Apple Inc.)

Abstract

A Web Platform API that allows websites to notify the browser when their users login and logout.

Status of this document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This document was published by the Federated Identity Working Group as a First Public Working Draft using the Recommendation track. This document is intended to become a W3C Recommendation.

The (archived) public mailing list public-fedid-wg@w3.org (see instructions) is preferred for discussion of this specification. When sending e-mail, please put the text “login-status” in the subject, preferably like this: “[login-status] …summary of comment…

This document is a First Public Working Draft.

Publication as a First Public Working Draft does not imply endorsement by W3C and its Members. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by the Federated Identity Working Group.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 03 November 2023 W3C Process Document.

1. Introduction

This section is non-normative.

Note: use the following introduction: https://github.com/fedidcg/login-status

2. Login Status Map

Each user agent keeps a global, persistent Login Status map, an initially empty map. The keys in this map are origin (of IDPs), and the values are enums that can be one of "unknown", "logged-in", and "logged-out".

To get the login status for an origin origin:
  1. If Login Status map[origin] exists, return it.

  2. Otherwise, return unknown.

To set the login status for an origin origin to value value:
  1. Assert that value is one of logged-in or logged-out.

  2. Set Login Status map[origin] to value.

3. Infrastructure algorithm

An environment settings object (settings) is same-site with its ancestors if the following algorithm returns true:
  1. If settings’s relevant global object has no associated Document, return false.

  2. Let document be settingsrelevant global object's associated Document.

  3. If document has no browsing context, return false.

  4. Let origin be settingsorigin.

  5. Let navigable be document’s node navigable.

  6. While navigable has a non-null parent:

    1. Set navigable to navigable’s parent.

    2. If navigable’s active document's origin is not same site with origin, return false.

  7. Return true.

4. HTTP header API

IDPs can set the login status using an HTTP response header as follows.

The HTTP header checking should move into the Fetch spec, since it affects all resource loads.

For each http-redirect fetch and http fetch's response, let value be the result of get a structured field value from the response’s header list with name "Set-Login" and type "item". If value is not null, process this header as follows:

  1. Let origin be the response’s URL's origin.

  2. Let client be the request's client.

  3. If the request’s destination is not "document":

    1. If client is null, return.

    2. If origin is not same site with the request's origin, return.

    3. If client is not same-site with its ancestors, return.

  4. Assert that value is a tuple.

  5. Let token be the first entry of value.

  6. If token is "logged-in", set the login status for origin to logged-in.

  7. If token is "logged-out", set the login status for origin to logged-out.

5. JavaScript API

IDPs can also use a JavaScript API to update the stored login status:

enum LoginStatus {
  "logged-in",
  "logged-out",
};

[Exposed=Window, SecureContext] 
interface NavigatorLogin {
  Promise<undefined> setStatus(LoginStatus status);
};

partial interface Navigator {
  [SecureContext] readonly attribute NavigatorLogin login;
};
When setStatus() is called with argument status:
  1. If the current settings object is not same-site with its ancestors, throw a SecurityError DOMException.

  2. Let origin be the current settings object's origin.

  3. Let value be logged-in if status is "logged-in" or logged-out if status is "logged-out".

  4. Set the login status for origin to value.

6. Clearing the Login Status Map data

User agents MUST also clear the Login Status map data when:

the user clears all cookies or site settings data

The user agent MUST clear the entire map.

the user clears all cookies or all site data for a specific origin

The user agent MUST remove all entries that would be affected by the deleted cookies, that is, any entry with an origin to which a deleted cookie could be sent to.

Note: For example, domain cookies may affect subdomains of the deleted origin, e.g. clearing cookies for google.com should also reset the login status for accounts.google.com, since it may rely on a domain cookie for google.com.

the user deletes individual cookies (if allowed by the user agent)

the behavior is user agent-defined.

Note: The user agent MAY want to reset the state to unknown, since is impossible to know whether this cookie affects authorization state.

the user agent receives a Clear-Site-Data header with a value of "cookies" or "*", and the request's client is not null, and the client’s origin is same origin with the top-level origin

while clearing cookies for origin it MUST remove any entries in the Login Status Map where the key is the input origin.

Once Clear-Site-Data supports partitioned cookies, this wording should be updated.

Note: Other website-initiated cookie changes should not affect this map. When IDP login state changes, it should send an explicit Set-Login header. RP state should not affect this map since it only reflects IDP state.

7. Acknowledgements

Note: write down the Acknowledgements section.

Conformance

Document conventions

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. Key words for use in RFCs to Indicate Requirement Levels

Examples in this specification are introduced with the words “for example” or are set apart from the normative text with class="example", like this:

This is an example of an informative example.

Informative notes begin with the word “Note” and are set apart from the normative text with class="note", like this:

Note, this is an informative note.

Conformant Algorithms

Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm.

Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.

Index

Terms defined by this specification

Terms defined by reference

References

Normative References

[CLEAR-SITE-DATA]
Mike West. Clear Site Data. 30 November 2017. WD. URL: https://www.w3.org/TR/clear-site-data/
[DOM]
Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/
[FETCH]
Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
[HTML]
Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[INFRA]
Anne van Kesteren; Domenic Denicola. Infra Standard. Living Standard. URL: https://infra.spec.whatwg.org/
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
[WEBIDL]
Edgar Chen; Timothy Gu. Web IDL Standard. Living Standard. URL: https://webidl.spec.whatwg.org/

IDL Index

enum LoginStatus {
  "logged-in",
  "logged-out",
};

[Exposed=Window, SecureContext] 
interface NavigatorLogin {
  Promise<undefined> setStatus(LoginStatus status);
};

partial interface Navigator {
  [SecureContext] readonly attribute NavigatorLogin login;
};

Issues Index

The HTTP header checking should move into the Fetch spec, since it affects all resource loads.
Once Clear-Site-Data supports partitioned cookies, this wording should be updated.