diff --git a/spec/index.bs b/spec/index.bs
index e27d516e..820f554f 100644
--- a/spec/index.bs
+++ b/spec/index.bs
@@ -358,13 +358,18 @@ This specification introduces a new type of {{Credential}}, called an {{Identity
[Exposed=Window, SecureContext]
interface IdentityCredential : Credential {
readonly attribute USVString? token;
+ readonly attribute USVString providerConfigURL;
};
+ IdentityCredential includes CredentialUserData;
: {{IdentityCredential/token}}
:: The {{IdentityCredential/token}}'s attribute getter returns the value it is set to.
It represents the minted {{IdentityProviderToken/token}} provided by the [=IDP=].
+ : {{IdentityCredential/providerConfigURL}}
+ :: The {{IdentityCredential/providerConfigURL}}'s attribute getter returns the value it is set to.
+ It holds the value of the chosen [=IDP=]'s {{IdentityProviderConfig/configURL}}.
The main entrypoint in this specification is through the entrypoints exposed
@@ -819,6 +824,9 @@ To fetch an identity assertion given an [=AccountState=] |accountStat
1. [=converted to an IDL value|Convert=] |json| to an {{IdentityProviderToken}}, |token|.
1. Let |credential| be a new {{IdentityCredential}} given |globalObject|'s
realm.
+ 1. Set |credential|'s {{CredentialUserData/iconURL}} to a [=implementation-defined=] value.
+ 1. Set |credential|'s {{CredentialUserData/name}} to a [=implementation-defined=] value.
+ 1. Set |credential|'s {{IdentityCredential/providerConfigURL}} to |provider|'s {{IdentityProviderConfig/configURL}}.
1. Set |credential|'s {{IdentityCredential/token}} to |token|.
1. Wait for |credential| to be set.
1. Return |credential|.
@@ -948,6 +956,92 @@ To select an account given an |accountsList|, run the following steps
1. Return |account|.
+
+### The \[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors) internal method ### {#browser-api-collect-credential}
+
+
+
+ \[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)
+ is called with an [[origin]] (|origin|), a {{CredentialRequestOptions}} (|options|),
+ and a boolean which is `true` iff the calling context is [=same-origin with its ancestors=]
+ (|sameOriginWithAncestors|).
+ The algorithm returns a set of {{Credential}} objects from
+ the [=credential store=]. If no matching {{Credential}} objects are available, the returned set
+ will be empty.
+
+ The algorithm will throw a `NotAllowedError` if |sameOriginWithAncestors| is not `true`.
+
+
+ 1. Assert: |options|["{{CredentialRequestOptions/identity}}"] [=map/exists=].
+
+ 2. If |sameOriginWithAncestors| is `false`, throw a "{{NotAllowedError}}" {{DOMException}}.
+
+ 3. Return the empty set if |options|["{{CredentialRequestOptions/identity}}"]["{{IdentityCredentialRequestOptions/providers}}"] is empty.
+
+ 4. Return the result of retrieving
+ credentials from the [=credential store=] that match the following filter:
+
+ 1. The credential is an {{IdentityCredential}}
+ 2. The credential's {{Credential/[[origin]]}} is the [=same origin=] as |origin|.
+ 3. The credential's {{IdentityCredential/providerConfigURL}} is equal to the {{IdentityProviderConfig/configURL}} of one of the entries in |options|["{{CredentialRequestOptions/identity}}"]["{{IdentityCredentialRequestOptions/providers}}"].
+
+
+
+### The \[[Store]](credential, sameOriginWithAncestors) internal method ### {#browser-api-store-credential}
+
+
+
+ \[[Store]](credential, sameOriginWithAncestors) is
+ called with a {{IdentityCredential}} (|credential|), and a boolean which is `true` iff the calling
+ context is [=same-origin with its ancestors=] (|sameOriginWithAncestors|). The algorithm returns
+ `undefined` once |credential| is persisted to the [=credential store=].
+
+ The algorithm will return a `NotAllowedError` if |sameOriginWithAncestors| is not `true`.
+
+
+ 1. Throw a "{{NotAllowedError}}" {{DOMException}} without altering the user agent's
+ [=credential store=] if |sameOriginWithAncestors| is `false`.
+
+ 2. If the user agent's [=credential store=] contains a {{IdentityCredential}} (|stored|)
+ whose {{Credential/id}} attribute is |credential|'s {{Credential/id}} and whose
+ {{[[origin]]}} slot is the [=same origin=] as |credential|'s {{Credential/[[origin]]}},
+ then:
+
+ 1. If the user grants permission to update credentials (as discussed when defining
+ [=user mediation=]), then:
+
+ 1. Set |stored|'s `token` to |credential|'s
+ `token`.
+
+ 2. Set |stored|'s {{CredentialUserData/name}} to |credential|'s
+ {{CredentialUserData/name}}.
+
+ 3. Set |stored|'s {{CredentialUserData/iconURL}} to |credential|'s
+ {{CredentialUserData/iconURL}}.
+
+ Otherwise, if the user grants permission to store credentials (as discussed when
+ defining [=user mediation=], then:
+
+ 1. Store a {{IdentityCredential}} in the [=credential store=] with the following
+ properties:
+
+ : {{Credential/id}}
+ :: |credential|'s {{Credential/id}}
+ : {{CredentialUserData/name}},
+ :: |credential|'s {{CredentialUserData/name}}
+ : {{CredentialUserData/iconURL}}
+ :: |credential|'s {{CredentialUserData/iconURL}}
+ : {{Credential/[[origin]]}}
+ :: |credential|'s {{Credential/[[origin]]}}
+ : `token`
+ :: |credential|'s `token`
+ : `providerConfigURL`
+ :: |credential|'s `providerConfigURL`
+
+ 3. Return `undefined`.
+
+
+
# Identity Provider HTTP API # {#idp-api}