Non-recoverable auth failure?

Carl Howells chowells at
Fri Jun 24 10:02:32 PDT 2005

Paul Crowley wrote:
> Carl Howells wrote:
>> I did understand your proposal, and realized I was modifying it 
>> slightly.  The
>> reason I decided on that modification had to do with one important
>> consideration.  In normal setup mode, a site knows it will be the 
>> whole browser
>> window, and will probably draw its normal site layout on the openid 
>> page, for
>> branding purposes.  But if it's in an AJAX-style popup or iframe, it will
>> probably have a lot less screen real-estate available, and want to draw a
>> minimal version of its dialogs.
> That's a good reason, but I think it's a slightly excessive mechanism. I 
> don't see that the server will actually want to remember anything about 
> the first failed attempt while setting up the second; it just wants to 
> know "have I got the full browser window, or am I in a popup"?  So let's 
> just tell it: to the checkid_setup request, add
> openid.displayhints=popup

(I just did it again.  I really need to learn to use my "reply all" button.)

Not a bad approach.  And it would simplify things to not have two 
different code paths that essentially differ only in whether they add 
something equivalent to that parameter or not, on the server side.

Brad, have you got a decision on this?  It really would be nice to be 
able to simplify the server logic significantly, and the change to the 
consumer logic should be minimal.


More information about the yadis mailing list