FedCM - a quick hack

elf-pavlik · mrkvon · tophcodes · elf-pavlik · commit e4b9e242b204 · 2026-01-22T11:54:21.000-06:00
Co-authored-by: mrkvon &lt;mrkvon@protonmail.com&gt;
Co-authored-by: Christopher Mühl &lt;toki@toph.so&gt;
Co-authored-by: bourgeoa &lt;alain.bourgeois10@gmail.com&gt;
diff --git a/src/core/AuthorizationCodeGrant.ts b/src/core/AuthorizationCodeGrant.ts
@@ -3,6 +3,12 @@ import { requestDynamicClientRegistration } from "./DynamicClientRegistration";
 import { ClientDetails, DynamicRegistrationClientDetails, IdentityProviderDetails, SessionInformation, TokenDetails } from "./SessionInformation";
 import { SessionDatabase } from "./SessionDatabase";
 
+// @ts-ignore
+const buildRedirectUrl = (code, state, providerUrl) => {
+  const base = window.location.href;
+  return `${base}?code=${code}&state=${state}&iss=${encodeURIComponent(providerUrl)}`;
+};
+
 /**
  * Login with the idp, using a provided `client_id` or dynamic client registration if none provided.
  *
@@ -89,7 +95,30 @@ const redirectForLogin = async (idp: string, redirect_uri: string, client_detail
     `&state=${csrf_token}` +
     `&prompt=consent`; // this query parameter value MUST be present for CSS v7 to issue a refresh token ( // TODO open issue because prompting is the default behaviour but without this query param no refresh token is provided despite the "remember this client" box being checked)
 
-  window.location.href = redirect_to_idp;
+  // do FedCM dance 💃🏻
+  // do check first!
+  const params = Object.fromEntries(new URL(redirect_to_idp).searchParams);
+  const credential = await navigator.credentials.get({
+    // @ts-ignore
+    identity: {
+      providers: [{
+        configURL: 'any',
+        clientId: params.client_id,
+        registered: true,
+        params: {
+          code_challenge: params.code_challenge,
+          code_challenge_method: params.code_challenge_method,
+          state: params.state
+        }
+      }]
+    }
+  });
+  console.log(credential)
+  // XXX: we ♥️ trailing slash errors
+  // @ts-ignore
+  const fedCMissuer = new URL(credential.configURL).origin + '/'
+  // @ts-ignore
+  return buildRedirectUrl(credential.token, params.state, fedCMissuer)
 };
 
 /**
@@ -119,8 +148,7 @@ const getPKCEcode = async () => {
  * URL contains authrization code, issuer (idp) and state (csrf token),
  * get an access token for the authrization code.
  */
-const onIncomingRedirect = async (client_details?: ClientDetails, database?: SessionDatabase) => {
-  const url = new URL(window.location.href);
+const onIncomingRedirect = async (url = new URL(window.location.href), client_details?: ClientDetails, database?: SessionDatabase) => {
   // authorization code
   const authorization_code = url.searchParams.get("code");
   // if no code, session remains unauthenticated at this point
diff --git a/src/core/Session.ts b/src/core/Session.ts
@@ -113,7 +113,8 @@ export class SessionCore extends EventTarget implements Session {
   }
 
   async login(idp: string, redirect_uri: string) {
-    await redirectForLogin(idp, redirect_uri, this.information.clientDetails)
+    const fedCMFakeUrl = await redirectForLogin(idp, redirect_uri, this.information.clientDetails)
+    await this.handleRedirectFromLogin(fedCMFakeUrl)
   }
 
   /**
@@ -122,9 +123,9 @@ export class SessionCore extends EventTarget implements Session {
    * Upon success, it tries to persist information to refresh tokens in the session database.
    * If no database was provided, no information is persisted.
    */
-  async handleRedirectFromLogin() {
+  async handleRedirectFromLogin(url?: string) {
     // Redirect after Authorization Code Grant // memory via sessionStorage
-    const newSessionInfo = await onIncomingRedirect(this.information.clientDetails, this.database);
+    const newSessionInfo = await onIncomingRedirect(url ? new URL(url) : undefined, this.information.clientDetails, this.database);
     // no session - we remain unauthenticated
     if (!newSessionInfo.tokenDetails) return;
     // we got a session
diff --git a/src/web/Session.ts b/src/web/Session.ts
@@ -7,98 +7,98 @@ import { SessionIDB } from './SessionDatabase';
 // Any provided database via SessionOptions will be ignored.
 // Database will be an IndexedDB.
 export interface WebWorkerSessionOptions extends SessionOptions {
-    workerUrl?: string | URL;
+  workerUrl?: string | URL;
 }
 
 /**
  * This Session provides background token refreshing using a Web Worker.
  */
 export class WebWorkerSession extends SessionCore {
-    private worker: SharedWorker;
+  private worker: SharedWorker;
 
-    constructor(
-        clientDetails?: DereferencableIdClientDetails | DynamicRegistrationClientDetails,
-        sessionOptions?: WebWorkerSessionOptions
-    ) {
-        const database = new SessionIDB();
-        const options = { ...sessionOptions, database };
-        super(clientDetails, options);
+  constructor(
+    clientDetails?: DereferencableIdClientDetails | DynamicRegistrationClientDetails,
+    sessionOptions?: WebWorkerSessionOptions
+  ) {
+    const database = new SessionIDB();
+    const options = { ...sessionOptions, database };
+    super(clientDetails, options);
 
-        // Allow consumer to provide worker URL, or use default
-        const workerUrl = sessionOptions?.workerUrl ?? getWorkerUrl()
-        this.worker = new SharedWorker(workerUrl, { type: 'module' });
-        this.worker.port.onmessage = (event) => {
-            this.handleWorkerMessage(event.data).catch(console.error);
-        };
-        window.addEventListener('beforeunload', () => {
-            this.worker.port.postMessage({ type: RefreshMessageTypes.DISCONNECT });
-        });
-    }
-
-    private async handleWorkerMessage(data: any) {
-        const { type, payload, error } = data;
-        switch (type) {
-            case RefreshMessageTypes.TOKEN_DETAILS:
-                const wasActive = this.isActive;
-                await this.setTokenDetails(payload.tokenDetails);
-                if (wasActive !== this.isActive)
-                    this.dispatchStateChangeEvent();
-                if (this.refreshPromise && this.resolveRefresh) {
-                    this.resolveRefresh();
-                    this.clearRefreshPromise();
-                }
-                break;
-            case RefreshMessageTypes.ERROR_ON_REFRESH:
-                if (this.isActive)
-                    this.dispatchExpirationWarningEvent();
-                if (this.refreshPromise && this.rejectRefresh) {
-                    if (this.isActive) {
-                        this.rejectRefresh(new Error(error || 'Token refresh failed'));
-                    } else {
-                        this.rejectRefresh(new Error("No session to restore"));
-                    }
-                    this.clearRefreshPromise();
-                }
-                break;
-            case RefreshMessageTypes.EXPIRED:
-                if (this.isActive) {
-                    this.dispatchExpirationEvent();
-                    await this.logout();
-                }
-                if (this.refreshPromise && this.rejectRefresh) {
-                    this.rejectRefresh(new Error(error || 'Token refresh failed'));
-                    this.clearRefreshPromise();
-                }
-                break;
-        }
+    // Allow consumer to provide worker URL, or use default
+    const workerUrl = sessionOptions?.workerUrl ?? getWorkerUrl()
+    this.worker = new SharedWorker(workerUrl, { type: 'module' });
+    this.worker.port.onmessage = (event) => {
+      this.handleWorkerMessage(event.data).catch(console.error);
     };
+    window.addEventListener('beforeunload', () => {
+      this.worker.port.postMessage({ type: RefreshMessageTypes.DISCONNECT });
+    });
+  }
 
-
-    async handleRedirectFromLogin() {
-        await super.handleRedirectFromLogin();
-        if (this.isActive) { // If login was successful, tell the worker to schedule refreshing
-            this.worker.port.postMessage({
-                type: RefreshMessageTypes.SCHEDULE,
-                payload: { ...this.getTokenDetails(), expires_in: this.getExpiresIn() }
-            });
+  private async handleWorkerMessage(data: any) {
+    const { type, payload, error } = data;
+    switch (type) {
+      case RefreshMessageTypes.TOKEN_DETAILS:
+        const wasActive = this.isActive;
+        await this.setTokenDetails(payload.tokenDetails);
+        if (wasActive !== this.isActive)
+          this.dispatchStateChangeEvent();
+        if (this.refreshPromise && this.resolveRefresh) {
+          this.resolveRefresh();
+          this.clearRefreshPromise();
+        }
+        break;
+      case RefreshMessageTypes.ERROR_ON_REFRESH:
+        if (this.isActive)
+          this.dispatchExpirationWarningEvent();
+        if (this.refreshPromise && this.rejectRefresh) {
+          if (this.isActive) {
+            this.rejectRefresh(new Error(error || 'Token refresh failed'));
+          } else {
+            this.rejectRefresh(new Error("No session to restore"));
+          }
+          this.clearRefreshPromise();
+        }
+        break;
+      case RefreshMessageTypes.EXPIRED:
+        if (this.isActive) {
+          this.dispatchExpirationEvent();
+          await this.logout();
         }
+        if (this.refreshPromise && this.rejectRefresh) {
+          this.rejectRefresh(new Error(error || 'Token refresh failed'));
+          this.clearRefreshPromise();
+        }
+        break;
     }
+  };
 
-    async restore() {
-        if (this.refreshPromise) {
-            return this.refreshPromise;
-        }
-        this.refreshPromise = new Promise((resolve, reject) => {
-            this.resolveRefresh = resolve;
-            this.rejectRefresh = reject;
-        });
-        this.worker.port.postMessage({ type: RefreshMessageTypes.REFRESH });
-        return this.refreshPromise;
+
+  async handleRedirectFromLogin(url: string) {
+    await super.handleRedirectFromLogin(url);
+    if (this.isActive) { // If login was successful, tell the worker to schedule refreshing
+      this.worker.port.postMessage({
+        type: RefreshMessageTypes.SCHEDULE,
+        payload: { ...this.getTokenDetails(), expires_in: this.getExpiresIn() }
+      });
     }
+  }
 
-    async logout() {
-        this.worker.port.postMessage({ type: RefreshMessageTypes.STOP });
-        await super.logout();
+  async restore() {
+    if (this.refreshPromise) {
+      return this.refreshPromise;
     }
+    this.refreshPromise = new Promise((resolve, reject) => {
+      this.resolveRefresh = resolve;
+      this.rejectRefresh = reject;
+    });
+    this.worker.port.postMessage({ type: RefreshMessageTypes.REFRESH });
+    return this.refreshPromise;
+  }
 
-}
+  async logout() {
+    this.worker.port.postMessage({ type: RefreshMessageTypes.STOP });
+    await super.logout();
+  }
+
+}
