Credential Management API
Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The Credential Management API lets a website store and retrieve password, public key, and federated credentials. These capabilities allow users to sign in without typing passwords, see the federated account they used to sign in to a site, and resume a session without the explicit sign-in flow of an expired session.
Concepts and usage
This API lets websites interact with a user agent's password system directly so that websites can deal in a uniform way with site credentials and user agents can provide better assistance with the management of their credentials. For example, user agents have a particularly hard time dealing with federated identity providers or esoteric sign-in mechanisms.
To address these problems, the Credential Management API provides ways for a website to store and retrieve different types of credentials. This gives users capabilities such as seeing the federated account they used to sign on to a site, or resuming a session without the explicit sign-in flow of an expired session.
Note: This API is restricted to top-level contexts. Calls to get() and store() within an <iframe> element will resolve without effect.
Subdomain-shared credentials
Later versions of the spec allow credentials to be retrieved from a different subdomain. For example, a password stored in login.example.com may be used to log in to www.example.com. To take advantage of this, a password must be explicitly stored by calling CredentialsContainer.store(). This is sometimes referred to as public suffix list (PSL) matching; however, the spec only recommends using PSL to determine the effective scope of a credential. It does not require it. Hence browsers may vary in their implementation.
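The following added example (not part of the original page) shows one way to guard calls to get() and store(): because both resolve without effect inside an <iframe>, a resolved promise alone does not tell the caller that anything was saved, and the explicit store() call is also what subdomain sharing depends on. The helper names and the `env` parameter (standing in for `window`) are assumptions made for illustration.

```javascript
// Added example. `env` is the page's global object (window); it is passed in
// as a parameter (an assumption of this sketch) so the logic is easy to test.

// Returns null when the API can be used, otherwise the reason it cannot.
function credentialApiBlocker(env) {
  if (!env.isSecureContext) return "insecure-context";   // HTTPS only
  if (env.self !== env.top) return "not-top-level";      // get()/store() do nothing in an <iframe>
  if (!env.navigator || !env.navigator.credentials) return "no-credentials-container";
  if (typeof env.PasswordCredential !== "function") return "no-password-credential";
  return null;
}

// Call only after the server has accepted the sign-in, so a rejected
// password is never handed to the user agent's password store.
async function rememberPassword(env, id, password) {
  const blocker = credentialApiBlocker(env);
  if (blocker) return { stored: false, reason: blocker };
  const cred = new env.PasswordCredential({ id, password });
  await env.navigator.credentials.store(cred);
  return { stored: true, reason: null };
}

// Ask the user agent for a saved password; null means "show the sign-in form".
async function fetchSavedPassword(env) {
  if (credentialApiBlocker(env)) return null;
  const cred = await env.navigator.credentials.get({
    password: true,
    mediation: "optional",
  });
  if (!cred || cred.type !== "password") return null;
  return { id: cred.id, password: cred.password };
}

// On sign-out, tell the user agent not to sign the user back in silently.
async function signOut(env) {
  if (credentialApiBlocker(env)) return false;
  await env.navigator.credentials.preventSilentAccess();
  return true;
}
```

In a page, pass `window` as `env`, for example `rememberPassword(window, username, password)` once the sign-in request has succeeded.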
Interfaces
Credential
-
Provides information about an entity as a prerequisite to a trust decision.
CredentialsContainer
-
Exposes methods to request credentials and notify the user agent when interesting events occur such as successful sign in or sign out. This interface is accessible from navigator.credentials.
FederatedCredential
-
Provides information about credentials from a federated identity provider, which is an entity that a website trusts to correctly authenticate a user, and which provides an API for that purpose. OpenID Connect is an example of such a framework.
PasswordCredential
-
Provides information about a username/password pair.
Extensions to other interfaces
-
Returns the CredentialsContainer interface which exposes methods to request credentials and notify the user agent when interesting events occur such as successful sign in or sign out.
Specifications
Specification |
---|
Credential Management Level 1 |