@elf-pavlik elf-pavlik commented Jan 22, 2026

Followup to #29
We made it today with @mrkvon, @tophcodes, and @bourgeoa.
Heavily copy & pasted from https://github.com/Liquid-Surf/fedcm-demo/tree/main/packages/client by @thhck.

I will push the code using it later, but in short:

```js
const client_id = 'https://zestful-keely-sootily.ngrok-free.dev/id.jsonld'
const redirect_uri = 'https://zestful-keely-sootily.ngrok-free.dev/'
const session = new Session({ client_id })
await session.login(idp, redirect_uri)
```

idp is not used by FedCM and is later extracted from what the browser API returns; for now we still pass it to avoid making more changes.

```js
const idp = 'https://fedcm-server.liquid.surf/'
```

It only works with a URL Client ID in our case:

```json
{
  "@context": [
    "https://www.w3.org/ns/solid/oidc-context.jsonld"
  ],
  "client_id": "https://zestful-keely-sootily.ngrok-free.dev/id.jsonld",
  "client_name": "Solid Chess",
  "logo_uri": "https://robohash.org/aHR0cHM6Ly92dWVqZWN0cm9uLmRvY2tlcg?set=set3",
  "redirect_uris": ["https://zestful-keely-sootily.ngrok-free.dev/"],
  "grant_types": ["refresh_token", "authorization_code"]
}
```

It took us the last 30 min to cheat our way out of trailing `/` errors 🤦
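The trailing-slash errors mentioned above come from the exact-string matching that OAuth/Solid-OIDC requires for `redirect_uri` and for the `client_id` of a URL-based client identifier document. The following is an added example, not code from this PR or the project; it takes the client identifier document posted above as constructed input and shows why the match must be done on raw strings (URL normalization would silently add the `/` and hide the mismatch), plus the issuer derivation from a FedCM `configURL` as the later review comment does (the `configURL` value is an assumption):

```javascript
// Constructed input: the client identifier document from the PR description.
const clientIdDocument = {
  "@context": ["https://www.w3.org/ns/solid/oidc-context.jsonld"],
  client_id: "https://zestful-keely-sootily.ngrok-free.dev/id.jsonld",
  client_name: "Solid Chess",
  redirect_uris: ["https://zestful-keely-sootily.ngrok-free.dev/"],
  grant_types: ["refresh_token", "authorization_code"],
};

// The client_id inside the document must equal, byte for byte, the URL the
// document was dereferenced from; otherwise the document is not authoritative.
function clientIdMatches(doc, dereferencedFrom) {
  return typeof doc.client_id === "string" && doc.client_id === dereferencedFrom;
}

// redirect_uri is accepted only on exact string match against a registered
// entry. No URL normalization on purpose: new URL("https://a").href is
// "https://a/", which would mask the trailing-slash mismatch the PR hit and
// weaken the allow-list that keeps tokens from landing on an unexpected URL.
function redirectUriAllowed(doc, redirectUri) {
  return (
    Array.isArray(doc.redirect_uris) && doc.redirect_uris.includes(redirectUri)
  );
}

// Same derivation as the review-comment snippet (origin + "/"), with an https
// check added; configURL is an assumed FedCM config URL, not a value from the PR.
function issuerFromConfigUrl(configURL) {
  const u = new URL(configURL);
  if (u.protocol !== "https:") throw new Error("configURL must be https");
  return u.origin + "/";
}
```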

@elf-pavlik elf-pavlik marked this pull request as draft January 22, 2026 17:57
We should probably keep https://github.com/aaronpk/oauth-fedcm-profile in mind.

```ts
// @ts-ignore
const fedCMissuer = new URL(credential.configURL).origin + '/'
// @ts-ignore
return buildRedirectUrl(credential.token, params.state, fedCMissuer)
```
Using state this way clearly makes no sense; something we need to investigate.

Co-authored-by: mrkvon <mrkvon@protonmail.com>
Co-authored-by: Christopher Mühl <toki@toph.so>
Co-authored-by: bourgeoa <alain.bourgeois10@gmail.com>
elf-pavlik commented Jan 22, 2026

@uvdsl what do you think about refactoring your code in a way that allows creating a separate package, for example solid-oidc-fedcm-rp, which has this package as a dependency?

As we see here, the difference is using redirect vs. using the FedCM API in the browser. It should be possible to isolate the redirect logic in a way that the other package uses the browser API instead of the redirect 🤔

EDIT: the fedcm-rp package should still allow using the original redirect flow as a fallback!

9de4229 improves it a bit to:

```js
const client_id = 'https://zestful-keely-sootily.ngrok-free.dev/id.jsonld'
const session = new Session({ client_id })
await session.fedCM()
```

elf-pavlik commented Jan 23, 2026

ccd2f0c untangles FedCM further; I'll leave it here until further feedback.

I don't think this project has any formatter; recently I started using https://oxc.rs/#feature-formatter

It should be easy to test it with https://github.com/elf-pavlik/mallory/tree/fedcm/cuckoo
One needs to change the ngrok auth token, since the committed one is revoked.
Also the hardcoded client_id needs to be updated; it should be only in index.ts.

On success nothing visible happens, but one can reload to see the mallory message that it aborted the exploit attempt.
