Non-recoverable auth failure?

Brad Fitzpatrick brad at
Tue Jun 28 16:41:39 PDT 2005

On Wed, 29 Jun 2005, Martin Atkins wrote:

> Carl Howells wrote:
> >
> > As for the silliness you mention, having the consumer serve a page just
> > for window.close(), isn't really an accurate description of what
> > happens.  First, there's a full id_res response in the returned value.
> > That means that the consumer can finish logging in the user before
> > returning any page, and without any extra redirects or requests. Second,
> > since the login has completed, the page served can include javascript to
> > inform window.opener that the login has *already* completed, and to move
> > on, as well as closing the new window.  That seems like a great deal
> > more than just serving a page containing a window.close() command.
> >
> I agree with Carl here. It makes more sense to let the consumer do
> whatever it needs to do in response to the success, as well as allowing
> the possibility for avoiding that extra second login click from AJAX
> mode that I've always hated.
> This goes nicely with our new cancel mode, which can also close the
> window after sending a different message to the parent window letting it
> know about the cancellation.

So just use post_grant=return and do your magic in that.

I don't like the idea of introducing a new URL and specifying the security
restrictions on what that URL can be (anything under trust_root?).

- Brad

More information about the yadis mailing list