Non-recoverable auth failure?
brad at danga.com
Fri Jun 24 10:04:24 PDT 2005
On Fri, 24 Jun 2005, Paul Crowley wrote:
> Carl Howells wrote:
> > I did understand your proposal, and realized I was modifying it slightly. The
> > reason I decided on that modification had to do with one important
> > consideration. In normal setup mode, a site knows it will be the whole browser
> > window, and will probably draw its normal site layout on the openid page, for
> > branding purposes. But if it's in an AJAX-style popup or iframe, it will
> > probably have a lot less screen real-estate available, and want to draw a
> > minimal version of its dialogs.
> That's a good reason, but I think it's a slightly excessive mechanism.
> I don't see that the server will actually want to remember anything
> about the first failed attempt while setting up the second; it just
> wants to know "have I got the full browser window, or am I in a popup"?
> So let's just tell it: to the checkid_setup request, add
We're absolutely not encouraging the use of OpenID server UIs in
consumer-initiated pop-up windows. If anything screams "phish me please!"
more, this is it.
The consumers have two choices: replace the existing window with the
setup URL, or open the setup URL in a new (full) window. Sure, they can
try and put it in a pop-up, but I'll probably do something on LiveJournal
to verify we're not in a pop-up and bitch (or pop-out) if so.
Yes, phishing will still happen, but let's not encourage it.
More information about the yadis