Non-recoverable auth failure?
Brad Fitzpatrick
brad at danga.com
Tue Jun 28 16:41:39 PDT 2005
On Wed, 29 Jun 2005, Martin Atkins wrote:
> Carl Howells wrote:
> >
> > As for the silliness you mention, having the consumer serve a page just
> > for window.close(), isn't really an accurate description of what
> > happens. First, there's a full id_res response in the returned value.
> > That means that the consumer can finish logging in the user before
> > returning any page, and without any extra redirects or requests. Second,
> > since the login has completed, the page served can include javascript to
> > inform window.opener that the login has *already* completed, and to move
> > on, as well as closing the new window. That seems like a great deal
> > more than just serving a page containing a window.close() command.
> >
>
> I agree with Carl here. It makes more sense to let the consumer do
> whatever it needs to do in response to the success, as well as allowing
> the possibility for avoiding that extra second login click from AJAX
> mode that I've always hated.
>
> This goes nicely with our new cancel mode, which can also close the
> window after sending a different message to the parent window letting it
> know about the cancellation.
So just use post_grant=return and do your magic in that.
I don't like the idea of introducing a new URL and specifying the security
restrictions on what that URL can be (anything under trust_root?).
- Brad
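The popup flow Carl describes above (consumer processes the id_res return server-side, then serves a small page whose script tells window.opener the login is already done and closes itself, with the cancel mode sending a different message) as an added example; this is not code from the yadis list, from Brad, or from any OpenID library. It uses window.postMessage, which postdates this 2005 thread, as the modern way to do the opener notification. CONSUMER_ORIGIN, the message shape and all function names are assumptions; the real login state lives in the consumer's server-side session, and the message only tells the opener's UI to move on.

```javascript
// Added example, not from the original page or any OpenID implementation.
// CONSUMER_ORIGIN is an assumed value for the consumer site that opened the popup.
const CONSUMER_ORIGIN = "https://consumer.example";

// Built by the consumer's return page after it has already finished the
// OpenID login (or cancellation) on the server. mode mirrors the response
// the consumer received: "id_res" for success, "cancel" for the cancel mode.
function buildCompletionMessage(mode, identity) {
  if (mode === "id_res") {
    if (typeof identity !== "string" || identity.length === 0) {
      throw new Error("id_res completion requires the verified identity URL");
    }
    return { type: "openid-popup", status: "success", identity };
  }
  if (mode === "cancel") {
    return { type: "openid-popup", status: "cancelled" };
  }
  throw new Error("unknown response mode: " + mode);
}

// Runs inside the popup. The targetOrigin argument pins the recipient so a
// page that somehow ended up as our opener on another origin gets nothing.
// Returns false when there is no browser window/opener (e.g. under Node).
function notifyOpenerAndClose(msg) {
  if (typeof window === "undefined" || !window.opener) return false;
  window.opener.postMessage(msg, CONSUMER_ORIGIN);
  window.close();
  return true;
}

// Runs in the opener. Only a message from our own origin with the expected
// shape is accepted; a foreign frame must not be able to tell the page that
// a login "completed". The returned object says what, if anything, to do.
function handleOpenerMessage(event) {
  if (event.origin !== CONSUMER_ORIGIN) return { accepted: false, reason: "origin" };
  const d = event.data;
  if (!d || d.type !== "openid-popup") return { accepted: false, reason: "shape" };
  if (d.status === "success" && typeof d.identity === "string") {
    return { accepted: true, status: "success", identity: d.identity };
  }
  if (d.status === "cancelled") return { accepted: true, status: "cancelled" };
  return { accepted: false, reason: "status" };
}

// Opener side: wire the listener and hand accepted results to the caller,
// which would typically reload or update the page since the server-side
// session is already logged in. Returns false outside a browser.
function installOpenerListener(onResult) {
  if (typeof window === "undefined") return false;
  window.addEventListener("message", (ev) => {
    const r = handleOpenerMessage(ev);
    if (r.accepted) onResult(r);
  });
  return true;
}
```

The opener treats the identity in the message as display information only; anything that grants access has to come from the consumer's own session, which the id_res processing already established before the popup page was served.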