Non-recoverable auth failure?
brad at danga.com
Tue Jun 28 19:53:58 PDT 2005
On Wed, 29 Jun 2005, Martin Atkins wrote:
> Brad Fitzpatrick wrote:
> > -- new window does identity trust, returns, finds window.opener (if it
> > still exists after moving between domains?), and then completes
> > transaction by talking to window.opener
> > If so (and I think it'll be fine) then I'm all in favor of dropping
> > post_grant and making the spec say it always returns.
> > Anybody else for/against that?
> > - Brad
> Even if you can't do all that fancy stuff, there's no reason why you
> can't do window.close(), right? So losing the special case doesn't cost
But if you can't communicate back to the other app, you just "spent" your
id_res signature on a window.close() page.
So the server would have to note that some previously-established session
(which is shared with the originating page) is now blessed.
Or hell, even if you can't do either of those, you can always set a cookie
Okay, there are now three viable options.
> I'm for. Anything to reduce the number of little wacky things that ID
> servers have to handle.
Carl, Martin -- thanks for staying on me about this.
I'll go change the specs now. (really just delete a few sections)
Shouldn't really affect anybody.