Add FedCM (Federated Credential Management) support#299
Merged
Conversation
Implements FedCM for IndieAuth as specified at indieweb.org/FedCM_for_IndieAuth New endpoints: - GET /indieauth/1.0/fedcm/config.json - IdP configuration - GET /indieauth/1.0/fedcm/accounts - User accounts list - GET /indieauth/1.0/fedcm/client_metadata - Client metadata - POST /indieauth/1.0/fedcm/assertion - Authorization code issuance Features: - Well-known web-identity endpoint (/.well-known/web-identity) - Login Status API integration (Set-Login headers) - Automatic IdP registration via IdentityProvider.register() - PKCE support for all FedCM flows - CORS headers for cross-origin requests - Sec-Fetch-Dest validation for security
Member
|
I'm going to love reading this. |
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request implements FedCM (Federated Credential Management) support for IndieAuth, enabling browser-native authentication without popups or redirects. The implementation adds four new REST API endpoints for FedCM IdP functionality, a well-known discovery endpoint, Login Status API integration, and automatic IdP registration.
Key Changes
- New FedCM REST API endpoints (config, accounts, client_metadata, assertion) with security validations
- Well-known endpoint handler for FedCM discovery at
/.well-known/web-identity - Login Status API integration via Set-Login headers on login/logout events
- Client-side JavaScript for automatic IdP registration in the browser
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| js/fedcm-register.js | Client-side script that registers the site as a FedCM Identity Provider using the IdentityProvider API |
| indieauth.php | Updated plugin initialization to load new FedCM classes and flush rewrite rules on activation |
| includes/class-indieauth-webidentity.php | Handles the /.well-known/web-identity endpoint for FedCM discovery with proper CORS headers |
| includes/class-indieauth-fedcm-endpoint.php | Core FedCM implementation with four REST endpoints, security validations, PKCE enforcement, and authorization code issuance |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Use absolute URLs in config endpoint instead of relative paths - Add validation/sanitization for account_id parameter - Sanitize nonce parameter with sanitize_text_field() - Validate code_challenge_method is S256 - Sanitize code_challenge and code_challenge_method from params - Use filemtime() for dynamic script versioning - Add JSON decode error checking for params
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 16 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Tests cover: - Config endpoint returns valid configuration with absolute URLs - Accounts endpoint requires Sec-Fetch-Dest header - Accounts endpoint requires authentication - Accounts endpoint returns user data when authenticated - Client metadata endpoint returns data for known clients - Assertion endpoint requires Sec-Fetch-Dest header - Assertion endpoint requires matching Origin header - Assertion endpoint requires authentication - Assertion endpoint requires PKCE parameters - Assertion endpoint requires S256 code_challenge_method - Assertion endpoint rejects invalid JSON in params - Assertion endpoint issues valid authorization codes - Assertion endpoint verifies account_id matches current user - Assertion endpoint stores nonce in authorization code - FedCM-issued codes are marked with fedcm flag
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Change generic 'Invalid request' to 'Missing or invalid Sec-Fetch-Dest header' - Add scheme validation to Origin check (prevents http/https mismatch) - Remove redundant Content-Type headers (WP_REST_Server sets automatically) - Add scope flexibility with indieauth_fedcm_scope filter - Add console.debug logging for registration failures - Fix activation hook to load class file before checking existence - Improve params type validation with explicit error for invalid format - Add test for Origin scheme mismatch
dshanske
reviewed
Jan 10, 2026
dshanske
reviewed
Jan 10, 2026
…ation - Use 'urn:ietf:wg:oauth:2.0:oob' for redirect_uri since FedCM doesn't redirect - Add CORS headers to config.json endpoint per FedCM spec requirement - Add port validation to Origin check (scheme + host + port must all match) - Add test case for port mismatch in Origin validation
- Add 'required' => true to params arg to fail early if PKCE params missing - Add sanitize_callback for nonce in route definition for consistency
- Fix wp-env mapping for tests to include vendor directory - Fix package.json test script path - Fix composer.json script typo and macOS cp compatibility - Update FedCM tests to include params and handle account_id validation - Update test-functions.php to handle URL validation in test environment - Add .phpunit.result.cache to .gitignore
Updated .gitignore to exclude the .claude file from version control.
dshanske
approved these changes
Jan 11, 2026
Member
dshanske
left a comment
dshanske
left a comment
There was a problem hiding this comment.
Looks good. I'm a Firefox user so I need to try this with a Chrome build I suppose
Resolve conflicts keeping trunk's updated tooling (WPCS 3.0, phpcsextra, restructured tests, .gitattributes replacing .distignore) while preserving FedCM endpoint and WebIdentity class additions.
…omments - Add validate_params callback to assertion route for early PKCE validation (addresses dshanske's review: fail at route level, not deep in callback) - Move test file to tests/phpunit/tests/includes/class-test-fedcm-endpoint.php to match restructured test directory and phpunit.xml.dist testsuite config - Add file doc comments to test file for PHPCS compliance - Remove duplicate @Package tags from class-level doc comments - Use user_email instead of URL for FedCM account email field
- Fix allow_test_user_identifier filter to only clear account_id errors when it's the sole invalid param, preserving params validation errors - Update test assertions to match OAuth error response format (error key)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements FedCM for IndieAuth as specified at https://indieweb.org/FedCM_for_IndieAuth
This enables seamless browser-native sign-in without pop-ups or redirects for supporting browsers.
New Endpoints
GET /indieauth/1.0/fedcm/config.json- IdP configurationGET /indieauth/1.0/fedcm/accounts- Returns logged-in user accountsGET /indieauth/1.0/fedcm/client_metadata- Client privacy/terms URLsPOST /indieauth/1.0/fedcm/assertion- Issues authorization codes with PKCEFeatures
/.well-known/web-identityfor FedCM discoverySet-Loginheaders on login/logoutIdentityProvider.register()when user visits adminSec-Fetch-Dest: webidentityheader and Origin matchingNew Files
includes/class-indieauth-fedcm-endpoint.php- FedCM REST API endpointsincludes/class-indieauth-webidentity.php- Well-known handlerjs/fedcm-register.js- Browser IdP registration scriptTest Plan
/.well-known/web-identityreturns correct provider URL