Building a better login
with the credential management API
James Allardice
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3584641/orangejellyfish-square.png)
Evolution of login
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680459/Screenshot_2017-04-07_07.51.50.png)
Username/password forms
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680462/Screenshot_2017-04-07_07.54.39.png)
Stored credentials
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680465/Screenshot_2017-04-07_07.56.47.png)
Autofill
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680471/Screenshot_2017-04-07_08.01.23.png)
You can sync passwords across devices.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680478/Screenshot_2017-04-07_08.10.05.png)
Federated identity providers
The Credential Management API
- Spec work started early 2015 [1]
- Championed by Mike West at Google [2]
-
Provides 2 key mechanisms
- Help the user authenticate by providing access to credentials
- Help the browser store credentials provided by the user
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3677793/Screenshot_2017-04-06_16.00.13.png)
Assertion about an entity which enables a trust decision
Browser support
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3984029/Screen_Shot_2017-07-13_at_07.52.47.png)
Demo!
Demo!
Demo!
Demo!
⚠️
The code you're about to see is
likely to change soon!
https://developers.google.com/web/updates/2017/06/credential-management-updates
navigator.credentials
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3539743/Screenshot_2017-02-28_15.18.14.png)
const credentials = new PasswordCredential({
id: username,
password: password,
});
fetch('/login', {
method: 'POST',
headers: {
Accept: 'application/json',
},
credentials: passwordCredentials,
});
navigator.credentials.store(credentials)
.then(() => {
// Done
});
// Ask the browser for the stored password credential.
navigator.credentials.get({
password: true,
})
.then((credentials) => {
// Make request.
});
// Prevent automatic logins for the rest of the session.
navigator.credentials.requireUserMediation()
.then(() => {
// Redirect to login page.
});
Security
- Page must be served from a secure origin (HTTPS)
- Credentials for other origins not available
- Stored passwords not exposed to JavaScript
- Stored passwords are encrypted
Questions?
Thank you!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/49778/images/3680513/Screenshot_2017-04-07_08.31.11.png)
@james_allardice
Building a better login (FullStack 2017)
By James Allardice
Building a better login (FullStack 2017)
- 1,160