Specify the border between FedCM and protocols building on it #764

@togamid

At its core, FedCM "only" passes a string from the IdP to the SP in a secure and privacy-preserving manner. To use FedCM in production, there needs to be a layer that builds on FedCM to define the content of the token. One example of this is FedCM for OAuth by aaronpk.

However, as far as I am aware there is currently no formal documentation about what functionalities should be implemented by FedCM and what is left to these profiles. Similarly, there is no clear information about which parts of the FedCM specification are meant as extension points for profiles.

These questions need to be answered, as both #761 and #762 are at the line between the responsibility of FedCM and protocols building on it.

Additionally, it might be a good idea to link to these profiles from the FedCM specification or repository. Currently, FedCM for OAuth is often linked to in comments, but there are no "official" references to it. As it is necessary to consider these profiles for a productive implementation, in my opinion it would be a good idea to reference them, for example in the Readme file. This has become more relevant with the Multi-IdP API, as it improves the compatibility of tokens provided by different IdPs.

Labels: agenda+ (Regular CG meeting agenda items)