From c0c03d3662da20f4db6f09b6c0a582698bf5d9ca Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Mon, 13 Feb 2023 13:17:53 -0500 Subject: [PATCH] Make IdentityCredential Storable --- spec/index.bs | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) diff --git a/spec/index.bs b/spec/index.bs index e27d516eb..820f554fd 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -358,13 +358,18 @@ This specification introduces a new type of {{Credential}}, called an {{Identity [Exposed=Window, SecureContext] interface IdentityCredential : Credential { readonly attribute USVString? token; + readonly attribute USVString providerConfigURL; }; + IdentityCredential includes CredentialUserData;
: {{IdentityCredential/token}} :: The {{IdentityCredential/token}}'s attribute getter returns the value it is set to. It represents the minted {{IdentityProviderToken/token}} provided by the [=IDP=]. + : {{IdentityCredential/providerConfigURL}} + :: The {{IdentityCredential/providerConfigURL}}'s attribute getter returns the value it is set to. + It holds the value of the chosen [=IDP=]'s {{IdentityProviderConfig/configURL}}.
The main entrypoint in this specification is through the entrypoints exposed @@ -819,6 +824,9 @@ To fetch an identity assertion given an [=AccountState=] |accountStat 1. [=converted to an IDL value|Convert=] |json| to an {{IdentityProviderToken}}, |token|. 1. Let |credential| be a new {{IdentityCredential}} given |globalObject|'s realm. + 1. Set |credential|'s {{CredentialUserData/iconURL}} to a [=implementation-defined=] value. + 1. Set |credential|'s {{CredentialUserData/name}} to a [=implementation-defined=] value. + 1. Set |credential|'s {{IdentityCredential/providerConfigURL}} to |provider|'s {{IdentityProviderConfig/configURL}}. 1. Set |credential|'s {{IdentityCredential/token}} to |token|. 1. Wait for |credential| to be set. 1. Return |credential|. @@ -948,6 +956,92 @@ To select an account given an |accountsList|, run the following steps 1. Return |account|. + +### The \[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors) internal method ### {#browser-api-collect-credential} + + + + \[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors) + is called with an [[origin]] (|origin|), a {{CredentialRequestOptions}} (|options|), + and a boolean which is `true` iff the calling context is [=same-origin with its ancestors=] + (|sameOriginWithAncestors|). + The algorithm returns a set of {{Credential}} objects from + the [=credential store=]. If no matching {{Credential}} objects are available, the returned set + will be empty. + + The algorithm will throw a `NotAllowedError` if |sameOriginWithAncestors| is not `true`. + +
    + 1. Assert: |options|["{{CredentialRequestOptions/identity}}"] [=map/exists=]. + + 2. If |sameOriginWithAncestors| is `false`, throw a "{{NotAllowedError}}" {{DOMException}}. + + 3. Return the empty set if |options|["{{CredentialRequestOptions/identity}}"]["{{IdentityCredentialRequestOptions/providers}}"] is empty. + + 4. Return the result of retrieving + credentials from the [=credential store=] that match the following filter: + + 1. The credential is an {{IdentityCredential}} + 2. The credential's {{Credential/[[origin]]}} is the [=same origin=] as |origin|. + 3. The credential's {{IdentityCredential/providerConfigURL}} is equal to the {{IdentityProviderConfig/configURL}} of one of the entries in |options|["{{CredentialRequestOptions/identity}}"]["{{IdentityCredentialRequestOptions/providers}}"]. +
+ + +### The \[[Store]](credential, sameOriginWithAncestors) internal method ### {#browser-api-store-credential} + + + + \[[Store]](credential, sameOriginWithAncestors) is + called with a {{IdentityCredential}} (|credential|), and a boolean which is `true` iff the calling + context is [=same-origin with its ancestors=] (|sameOriginWithAncestors|). The algorithm returns + `undefined` once |credential| is persisted to the [=credential store=]. + + The algorithm will return a `NotAllowedError` if |sameOriginWithAncestors| is not `true`. + +
    + 1. Throw a "{{NotAllowedError}}" {{DOMException}} without altering the user agent's + [=credential store=] if |sameOriginWithAncestors| is `false`. + + 2. If the user agent's [=credential store=] contains a {{IdentityCredential}} (|stored|) + whose {{Credential/id}} attribute is |credential|'s {{Credential/id}} and whose + {{[[origin]]}} slot is the [=same origin=] as |credential|'s {{Credential/[[origin]]}}, + then: + + 1. If the user grants permission to update credentials (as discussed when defining + [=user mediation=]), then: + + 1. Set |stored|'s `token` to |credential|'s + `token`. + + 2. Set |stored|'s {{CredentialUserData/name}} to |credential|'s + {{CredentialUserData/name}}. + + 3. Set |stored|'s {{CredentialUserData/iconURL}} to |credential|'s + {{CredentialUserData/iconURL}}. + + Otherwise, if the user grants permission to store credentials (as discussed when + defining [=user mediation=], then: + + 1. Store a {{IdentityCredential}} in the [=credential store=] with the following + properties: + + : {{Credential/id}} + :: |credential|'s {{Credential/id}} + : {{CredentialUserData/name}}, + :: |credential|'s {{CredentialUserData/name}} + : {{CredentialUserData/iconURL}} + :: |credential|'s {{CredentialUserData/iconURL}} + : {{Credential/[[origin]]}} + :: |credential|'s {{Credential/[[origin]]}} + : `token` + :: |credential|'s `token` + : `providerConfigURL` + :: |credential|'s `providerConfigURL` + + 3. Return `undefined`. + +
+ # Identity Provider HTTP API # {#idp-api}