# FedCM "any" mode
## Concerns
* privacy
* spam
* interop
## Types
* "any"
* any IdP within some constraints (e.g. "I need an EU verified identity")
* linked to an OpenID Federation
* only one IdP in an enterprise network
* IdP might reject the login request
* what happens if no IdP from the list/federation is found? starting point for a federation?
* current federation behavior differs
## Browser notification prompt spam
* requiring user interaction did lower the number of rejected notification prompts
* could make registering as a FedCM IdP work only after the user has done something that looks like login, e.g. there is a passkey for the site
* passkeys - prompt the user proactively if they have a passkey for the site to reduce the chance of creating a new account
## Why did OpenID 1.0 fail?
The user had to remember the URL. Were there other reasons?
* BOOK: Why We Fail
* URLs as identities
* RPs wanting to limit the communities they connect to
* trying to apply the model to enterprise
* authentication only, no user attributes like email
* web only
## Why did Persona fail?
## What about malicious IdPs?
## Can FedCM return an ID Token? Is the ID token enough?
* yes, but the RP might also need more?
* should we really be encouraging sending ID tokens to backends?
* maybe this should return an authorization code instead?
## What about an IdP allowing arbitrary clients?
* the IdP would need to opt in to "any" mode
* actually maybe "any" is the wrong term, maybe "open"?
* intentionally only opting in to IdPs that allow unregistered clients
* terms of service - in "open" mode needs to come from RP website rather than IdP
* IdP needs to treat origin as the client ID?
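Added illustration (not from the notes or any FedCM implementation) of how an IdP's ID assertion endpoint could apply the points above: pre-registered clients are checked against the browser-supplied Origin, unregistered clients are only served if the IdP has opted in to "open" mode and the client_id equals the origin, and the terms-of-service source follows from which path matched. The client registry, the `IdpPolicy` flag and the return shape are assumptions for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed registry of pre-registered RPs: client_id -> registered origin.
REGISTERED_CLIENTS = {"rp-123": "https://rp.example"}


@dataclass
class IdpPolicy:
    open_mode: bool = False  # IdP opt-in to serving unregistered clients ("open"/"any" mode)


def is_https_origin(origin: str) -> bool:
    """An origin is scheme + host[:port] only: no path, query or fragment, and HTTPS."""
    p = urlsplit(origin)
    return p.scheme == "https" and bool(p.netloc) and p.path == "" and p.query == "" and p.fragment == ""


def resolve_client(policy: IdpPolicy, origin: str, client_id: str):
    """Decide whether an assertion request is acceptable.

    `origin` is the Origin header the browser attaches to the request; `client_id`
    is whatever the RP passed to navigator.credentials.get(). The client_id is never
    trusted on its own: it must either map to this origin in the registry, or, in
    open mode, be the origin itself.
    Returns (kind, audience, terms_source) or None to reject.
    """
    if not is_https_origin(origin):
        return None
    registered_origin = REGISTERED_CLIENTS.get(client_id)
    if registered_origin is not None:
        # Registered RP: origin must match what was registered, terms come from the IdP.
        return ("registered", client_id, "idp") if registered_origin == origin else None
    if policy.open_mode and client_id == origin:
        # Unregistered RP: token audience is the origin, terms must come from the RP site.
        return ("open", origin, "rp")
    return None
```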