
Implementing FedCM Login: Browser-Native Authentication Without Popups
FedCM (Federated Credential Management) is a W3C standard API that enables federated authentication through browser-native UI. Instead of popup windows or redirects, the browser itself displays an account chooser and communicates directly with the identity provider. This article explains how I implemented FedCM in the oauth2-passkey Rust library, how it differs from the traditional OAuth2 flow, and the security trade-offs involved.

What is FedCM?

In the traditional OAuth2 Authorization Code Flow, the RP (your app) redirects to Google's page, and after authentication, returns to a callback URL. With FedCM, you simply call navigator.credentials.get(), the browser communicates directly with Google, and returns a JWT ID token.

Traditional OAuth2 Authorization Code Flow:
Button click -> Popup -> Google auth page -> Redirect (with authorization code) -> Backend exchanges code with Google (server-to-server) -> Obtain ID token -> Validate -> Establish session

FedCM:
Button click -> navigator.
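The client side of the FedCM flow described above, as an added example that is not code from the article or from the oauth2-passkey library. It assumes a hypothetical backend that issues a per-login nonce at GET /auth/fedcm/nonce and accepts the ID token at POST /auth/fedcm/callback, a placeholder identity-provider configURL, and a placeholder client ID; the only browser API it relies on is the real navigator.credentials.get() with the identity option, whose returned credential carries the ID token in its token property. Signature verification of the JWT is left to the server; the client-side checks here only catch a token that was issued for another client or another login attempt before it is sent.

```javascript
// Added example (not from oauth2-passkey): browser-side FedCM sign-in with
// nonce binding and client-side preflight checks on the returned ID token.
// Assumed (hypothetical) backend endpoints: GET /auth/fedcm/nonce,
// POST /auth/fedcm/callback. The configURL and clientId are placeholders.

// Build the options object passed to navigator.credentials.get().
// The nonce ties the ID token to this particular login attempt, so a token
// captured elsewhere cannot be replayed against our callback.
function buildFedCmRequest({ configURL, clientId, nonce }) {
  if (typeof nonce !== "string" || nonce.length < 16) {
    throw new Error("nonce must be a server-issued random string");
  }
  return { identity: { providers: [{ configURL, clientId, nonce }] } };
}

// Decode the payload segment of a JWT without verifying it. This is only a
// preflight; the backend must verify the signature against the IdP's keys.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Check issuer, audience, nonce binding and expiry before posting the token.
// Returns the list of failed claims so callers can log why a token was dropped.
function preflightIdToken(token, { expectedIssuers, clientId, nonce, now }) {
  const claims = decodeJwtPayload(token);
  const nowSec = now !== undefined ? now : Math.floor(Date.now() / 1000);
  const problems = [];
  if (!expectedIssuers.includes(claims.iss)) problems.push("iss");
  if (claims.aud !== clientId) problems.push("aud");
  if (claims.nonce !== nonce) problems.push("nonce");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) problems.push("exp");
  return { ok: problems.length === 0, problems, claims };
}

// Constructed sample token for local testing only: a JWT-shaped string with a
// dummy signature segment. Never treat such a token as authenticated.
function makeDemoToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(claims)}.signature-placeholder`;
}

// Full browser flow: fetch a nonce, let the browser show its account chooser,
// preflight the token, then hand it to the backend to verify and open a session.
async function signInWithFedCm({ configURL, clientId, expectedIssuers }) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("FedCM is only available in a browser context");
  }
  const { nonce } = await (await fetch("/auth/fedcm/nonce")).json();
  const cred = await navigator.credentials.get(
    buildFedCmRequest({ configURL, clientId, nonce })
  );
  const check = preflightIdToken(cred.token, { expectedIssuers, clientId, nonce });
  if (!check.ok) {
    throw new Error(`ID token rejected client-side: ${check.problems.join(",")}`);
  }
  const resp = await fetch("/auth/fedcm/callback", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ token: cred.token, nonce }),
  });
  if (!resp.ok) throw new Error("backend rejected ID token");
  return check.claims.sub;
}
```

The backend must repeat the nonce check against the value it issued (and consume it so it cannot be reused), in addition to verifying the signature, issuer and audience; the client-side preflight is a convenience that avoids a round trip for obviously wrong tokens, not a trust boundary.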
Continue reading on Dev.to


