New web standard proposed by Google for slicker Sign-In-With buttons props up Big Tech and undermines the independent social net. Let's fix that.


TL;DR: Web identity and open-tech activists needed to steer new Sign-In-With standard FedCM to support user choice of identity provider.

For the attention of federated systems developers, including Matrix, Fediverse and others.

It may be good to know about an issue going on with FedCM “Federated Credential Management” draft spec. Liquid Surf brings it to the attention of all federated systems fans in their blog post: “Can FedCM improve the user experience of decentralized ecosystem ?”. In short, the spec aims to make a slicker browser flow for the Sign-In-With-Xxx buttons.

To us who care about federated computer infrastructure, introduction of a new standard to streamline the sign-in flow might seem minor and remote, but there is a catch.

What Is FedCM?

FedCM, short for Federated Credential Management, is a new draft specification for web browsers, published by the Federated Identity Community Group and strongly driven by teams from Google. It represents an advancement in how websites manage user logins, when logging in through different identity providers (such as “Sign in with GitHub/Google/etc.”) while preserving user privacy... — Liquid Surf: Can FedCM improve the user experience of decentralized ecosystem ?

The Catch

The critical issue is that, at present, the draft standard is likely to cement the monopolies of the big providers (like Google and Facebook) and leave out small providers. In short, the problem is that the draft spec says the site we're logging into (called the relying party, or RP) solely dictates what list of identity providers should be offered to the user. What will happen in that case? Most sites will offer only the BigTech identity providers. Read the blog post and the issue Allow IDP registration #240 for details.

... End Users looking to opt out of the limited federated identity login options available today are required to significantly compromise convenience because they are forced to manage a new set of credentials directly with the relying party, creating friction and usability challenges.

... Currently the proposed FedCM API ... assumes the relying party specifies a set of IDPs it supports login from. This model is largely a continuation of that described above and in many respects is just a browser mediated version of what we see most commonly on the web today.

What to do about it?

The proposal in Allow IDP registration #240 is, in short, not to have the RP site solely dictate what list of identity providers should be offered, but also to let the browser register the user's chosen identity providers and present those as options when a new login is requested.

... instead of the Relying Party specifying the IDPs it supports in the federation request, it communicates the capabilities it supports such as signature schemes, assertion formats and response modes. End-Users can then register providers they wish to use with the browser, which are then available as options to present to the End-User ...
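To make the difference concrete, here is an added sketch (not code from the FedCM spec, from issue #240, or from any browser) that models which providers the browser's chooser would show under each approach. It is a plain-JavaScript model, not the FedCM API; every provider name, URL, field name and capability string in it is a constructed assumption.

```javascript
// Plain-JavaScript model of the two chooser behaviours (not the FedCM browser API).
// All names, URLs and capability strings below are constructed samples.

// Providers the user has registered with their browser (proposed model).
const registeredIdps = [
  { name: "school-sso", configURL: "https://sso.school.example/fedcm.json",
    signatureSchemes: ["ES256"], assertionFormats: ["jwt"], responseModes: ["fragment"] },
  { name: "self-hosted", configURL: "https://id.home.example/fedcm.json",
    signatureSchemes: ["EdDSA"], assertionFormats: ["jwt"], responseModes: ["fragment"] },
  { name: "legacy-idp", configURL: "https://old.example/fedcm.json",
    signatureSchemes: ["ES256"], assertionFormats: ["saml"], responseModes: ["fragment"] },
];

// Current draft: the RP names the providers, so the user's own
// registrations play no part in what the chooser shows.
const rpRequest = { providers: [{ name: "big-idp-a" }, { name: "big-idp-b" }] };
function chooserCurrentDraft(request) {
  return request.providers.map((p) => p.name);
}

// Proposal in issue #240: the RP states only the capabilities it supports.
const rpCapabilities = {
  signatureSchemes: ["ES256", "EdDSA"],
  assertionFormats: ["jwt"],
  responseModes: ["fragment"],
};

// The browser offers each registered IdP that overlaps with the RP on every
// capability. A missing or empty list matches nothing, so it fails closed.
function chooserWithRegistration(caps, registered) {
  const overlaps = (a, b) => (a || []).some((x) => (b || []).includes(x));
  return registered
    .filter((idp) => idp.configURL.startsWith("https://"))
    .filter((idp) =>
      overlaps(idp.signatureSchemes, caps.signatureSchemes) &&
      overlaps(idp.assertionFormats, caps.assertionFormats) &&
      overlaps(idp.responseModes, caps.responseModes))
    .map((idp) => idp.name);
}

console.log("current draft:", chooserCurrentDraft(rpRequest));
console.log("with registration:", chooserWithRegistration(rpCapabilities, registeredIdps));
```

In this model the small providers appear only in the second chooser, and only when they speak a format the RP can verify.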

Why Do We Need to Help?

(As I responded to '@thhck' in #fediverse:pixie.town)

The proposing team are saying lack of feedback from developers is holding back the acceptance of this extension.

Decentralising ID providers is key to the whole decentralised movement, including Fediverse, Matrix, self-hosters as well as the ability for independent businesses to provide comprehensive IT services without one of the tech giants playing gatekeeper.

We, all of us who care about federated/decentralised infrastructure, now need to push the draft Federated Credential Management “FedCM” standard to support “Sign In With” the user's choice of identity provider (which may be small, local, independent, hosted by one's school or enterprise or self, and so on). If this extension to the proposal does not get enough support to be accepted, we might get a standard that perpetuates the status quo of sites only offering Sign In With the giants like Google/GitHub/Facebook, ugh. That would be another death blow for user agency and privacy and variety.

Get Involved

Fedi devs, let's demo this truly user-centric version of FedCM, show us how awesome it is! Fedi fans, this might seem remote from our viewpoint but it's important for our future. Let's share this issue more widely among Fedi projects!

Please join us to discuss this:

See contributing to FedCM and the Meetings of W3C Federated Identity CG. Agendas and minutes are public, and interested parties are being invited to present their case for making this extension.

[EDITS: removed announcement of past meetings; added logo, quotes, TL;DR, call-outs, links; many text edits]



Android or iPhone — either Google or Apple delivers our messages — surely? You don't accept that?

Time I Learned: there are freedom-respecting phones.

People who do not want to depend on Google or have them control our devices are using Android-compatible but not Google-controlled phones, a.k.a. “degoogled phones”. We have been asking (ourselves) for several years if we can have Google-free push notifications. Thanks to the developers of the UnifiedPush standard, the answer is now, “yes!”

But why?


UnifiedPush open-standard push messaging complements degoogled Android-compatible phone OSes such as LineageOS.

The open standard UnifiedPush.org has now been created. While not a large number yet, a useful handful of apps already support UnifiedPush, including several Matrix and Fediverse apps. There are multiple successful implementations deployed, both of its servers and of the associated client-side “distributor” component.


Nice campaign page! Fedigov.EU


Federated communication for public authorities

Communicate confidently and respectfully with the public

Congratulations to GNU/Linux.ch and FSFE-CH for this initiative! I love what you're doing here. I think maybe I want to get involved.

I'm a FLOSS dev and thinker, and recently blogged about how we need to be doing exactly this kind of campaign. I'm delighted that you are! Though I'm no PR expert I have some ideas. In my Social Media Links for A People-Centred Community, the messaging I made up begins,


You! You, university! You, sports club! You, local library, city council, school, church, youth group! Your social media links could look like this:

Join us in our own spaces! — [Mastodon] – [Pixelfed] – [Friendica] – [PeerTube] ... — [Blog] – [Fediverse] – [Matrix] ...

We are also on commercial media: — [G] [A] [F] [A] [M] ...

with an explanatory footnote or pop-up:


In a discussion room about the Fediverse, bkil drew my attention to “The age of average” by Alex Murrell, and questions whether like cars, cities and coffee shops, all social media posts should end up looking the same. Why not let the senders and recipients style them?

Should we not expect and enjoy seeing messages or “posts” reflecting the creative expression of the different individuals and groups we interact with — our friends, family, colleagues, employers?

Yes, yes, YES! I've been thinking the same for Matrix, and it applies of course equally to the (ActivityPub) Fediverse too. But it's so “radical” to many people's ears today, accustomed to the strictly limited silo offerings from Big Tech.

I think the way I would explain is with Real World analogies like this: When I hear from my friend D, it's usually a picture-postcard and their writing is scrawly and fills all the space including the margins. When I hear from my friend E, it's usually a tidy note on posh quality off-white paper, with their logo in the corner.

I would LOVE to be able to receive the same richness in indie social protocols, for more than just aesthetic reasons.