FedCM + IdP Registration — Call to action
3 points by iinuwa
3 points by iinuwa
Maybe we should call for companies to stop gatekeeping SSO as an "enterprise"-only feature that one must pay $$$ for ;(
Having worked in a small non-profit and operated an IdP for that org, I was strongly against the SSO tax, since it ballooned our costs, and it's not that hard to run an SSO RP.
However, I've heard arguments that the SSO tax is good because the less price-sensitive customers are subsidizing all the other features on the free tier, and companies requiring SSO are a good proxy for targeting those customers. (It stinks for smaller, security-minded companies or non-profits. Sometimes they'll also bundle with discounts to offset that in those situations.) So I'm still miffed, but I understand.
Yeah, maybe. But this is powerful in the consumer market, where users can bring their own IdP. So instead of only having "Sign in with Google," which may or may not be desirable in different communities, you could have a single sign-in button, and the browser already knows which IdPs you are signed into.
So you could imagine a community running an indie IdP (this could be a hackerspace, a small school or other community) for social login-esque scenarios, but that respects user privacy more than a Google or Facebook account might.
IdP registration in FedCM adds dynamic registration to this API. If a site trusts HTTPS and DNS, then they could delegate authentication to any IdP, with a consistent UI in the browser or platform.
This is good for decentralization, because it allows for smaller IdPs that are more user- or privacy-focused to gain traction and provide a viable alternative to larger IdPs.