Non-recoverable auth failure?
Carl Howells
chowells at janrain.com
Fri Jun 24 10:02:32 PDT 2005
Paul Crowley wrote:
> Carl Howells wrote:
>
>> I did understand your proposal, and realized I was modifying it
>> slightly. The
>> reason I decided on that modification had to do with one important
>> consideration. In normal setup mode, a site knows it will be the
>> whole browser
>> window, and will probably draw its normal site layout on the openid
>> page, for
>> branding purposes. But if it's in an AJAX-style popup or iframe, it will
>> probably have a lot less screen real-estate available, and want to draw a
>> minimal version of its dialogs.
>
>
> That's a good reason, but I think it's a slightly excessive mechanism. I
> don't see that the server will actually want to remember anything about
> the first failed attempt while setting up the second; it just wants to
> know "have I got the full browser window, or am I in a popup"? So let's
> just tell it: to the checkid_setup request, add
>
> openid.displayhints=popup
(I just did it again. I really need to learn to use my "reply all" button.)
Not a bad approach. And it would simplify things to not have two
different code paths that essentially differ only in whether they add
something equivalent to that parameter or not, on the server side.
Brad, have you got a decision on this? It really would be nice to be
able to simplify the server logic significantly, and the change to the
consumer logic should be minimal.
Carl
More information about the yadis
mailing list