We are introducing a change in how the FedCM UI handles filtered-out accounts from Chrome 133.
Clearer communication about filtered-out accounts
Several cases may cause an account to be filtered out and ineligible for login:
- A Relying Party (RP) only allows accounts associated with a certain domain. See domain hint API.
- RP filters out all but returning accounts. See login hint API.
- Identity Providers (IdPs) can annotate accounts with labels so that RPs can filter them by
specifying the
configURLfor that specific label. See Custom Account Labels.
In the previous Chrome implementation, the FedCM UI didn't display accounts that were filtered out by the RP and IdPs. As a result, when a user logged in with an IdP but no accounts were available to use, the mismatch UI would be displayed every time.
To enhance the user experience, FedCM is introducing a UI change. Chrome will now show filtered-out accounts in the UI if these conditions apply:
- The user has already attempted to sign in to the IdP in a dialog and returned to the RP.
- All the fetched accounts are filtered out, and no account is available for the user to sign into this RP.
This will provide users with an understanding that some accounts, while recognized by FedCM, are not eligible for use on the current RP.
Check out our domain hint demo to test it yourself.
Key benefits
- Reduced confusion: If a user logs into an account that is filtered out, they will see the account listed and understand that it's not accepted by the RP. Before this change, the user could be confused by an infinite loop: they would try to sign in to a filtered-out account and then see the mismatched UI, which prompted them to sign in again.
- Contextual information: The UI will take into account the RP context and domain hints to provide relevant guidance to the user.
We value your feedback
We encourage you to share your thoughts and feedback on this change. You can file an issue on our issue tracker. We will continue to update the FedCM developer documentation.