Non-recoverable auth failure?

Brad Fitzpatrick brad at
Fri Jun 24 10:04:24 PDT 2005

On Fri, 24 Jun 2005, Paul Crowley wrote:

> Carl Howells wrote:
> > I did understand your proposal, and realized I was modifying it slightly.  The
> > reason I decided on that modification had to do with one important
> > consideration.  In normal setup mode, a site knows it will be the whole browser
> > window, and will probably draw its normal site layout on the openid page, for
> > branding purposes.  But if it's in an AJAX-style popup or iframe, it will
> > probably have a lot less screen real-estate available, and want to draw a
> > minimal version of its dialogs.
> That's a good reason, but I think it's a slightly excessive mechanism.
> I don't see that the server will actually want to remember anything
> about the first failed attempt while setting up the second; it just
> wants to know "have I got the full browser window, or am I in a popup"?
>   So let's just tell it: to the checkid_setup request, add
> openid.displayhints=popup


We're absolutely not encouraging the use of OpenID server UIs in
consumer-initiated pop-up windows.  If anything screams "phish me please!"
more, this is it.

The consumers have two choices:  replace the existing window with the
setup URL, or open the setup URL in a new (full) window.  Sure, they can
try and put it in a pop-up, but I'll probably do something on LiveJournal
to verify we're not in a pop-up and bitch (or pop-out) if so.

Yes, phishing will still happen, but let's not encourage it.

- Brad

More information about the yadis mailing list