Non-recoverable auth failure?

Martin Atkins mart at degeneration.co.uk
Tue Jun 21 16:10:10 PDT 2005


Carl Howells wrote:
> One thing currently absent in the protocol is some form of
> non-recoverable authentication failure.  The only response for failing
> to authenticate that's in the spec is to give the user some chance to
> authenticate.  But that doesn't seem like it will always be sufficient.
> 

Two chains of events...

Basic redirect mode:
* User logs in as lockedaccount.com
* ID server returns setup URL
* Consumer redirects to setup URL
* setup URL says "Sorry, I'm not going to let you log in."

AJAX mode:
* User logs in as lockedaccount.com
* ID server returns setup URL
* Consumer provides link to setup URL
* User clicks link
* setup URL says "Sorry, I'm not going to let you log in."

The AJAX version is a little convoluted, as you have to click a link to
find out that you are denied. I think this is a quirk of the AJAX mode
in general, though. Indeed, I was talking about fixing it in another
thread recently:
    <http://comments.gmane.org/gmane.comp.web.openid.general/569>

I think a concern (albeit a small one) here is that the consumer gets to
see that the account is blocked for some reason. Consumers might then
start doing nasty things like storing the fact that someone was blocked
and using it against them later; they may take such blocking as an
excuse to block the identity indefinitely themselves.

Slim chance perhaps, but the principle of giving as little as possible
away leads me to the conclusion that it's better to let the ID server
display the error message. The ID server can probably display a better
error message than the consumer could anyway. ("You have been banned for
five days" vs. "Your login was rejected.")


