Non-recoverable auth failure?

Brad Fitzpatrick brad at
Tue Jun 28 19:32:16 PDT 2005

On Tue, 28 Jun 2005, Carl Howells wrote:

> Brad Fitzpatrick wrote:
> > I don't like the idea of introducing a new URL and specifying the security
> > restrictions on what that URL can be (anything under trust_root?).
> Huh?  The only change I'm proposing (at this point) is removing
> post_grant, and defining the behavior to always be what
> post_grant=return specified before.

Okay, okay, now we're talking.

That proposal I think I actually like.  (I also hate the weird
post_grant special cases, btw.)

Let me do some browser tests on some JavaScript stuff right now and get
back to you.

In particular, I want to test an automatic AJAX mode:

  -- original window opens a full-sized new window, remembering
     the new window's reference

  -- new window does identity trust, returns, finds window.opener (if it
     still exists after moving between domains?), and then completes
     transaction by talking to window.opener

If so (and I think it'll be fine) then I'm all in favor of dropping
post_grant and making the spec say it always returns.

Anybody else for/against that?

- Brad

More information about the yadis mailing list
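
The popup flow described in the message above, as an added example that is not code from the original post or from the spec. It swaps direct access to `window.opener` for `postMessage` with an explicit target origin; the function names, the message shape, and passing the window objects in as parameters are assumptions made here.

```javascript
// Added example: names and message shape are hypothetical.
// Window objects are parameters so the logic can be exercised outside a browser.

// Original window: open the popup and remember its reference.
function startPopupFlow(win, serverUrl, onDone) {
  const popup = win.open(serverUrl, "_blank");
  if (!popup) return null; // popup blocked: caller falls back to a full redirect
  win.addEventListener("message", function handler(ev) {
    if (ev.origin !== win.location.origin) return; // only our own return page may report
    if (ev.source !== popup) return;               // and only from the window we opened
    if (!ev.data || ev.data.type !== "identity-return") return;
    win.removeEventListener("message", handler);   // accept one result per flow
    onDone(ev.data.query); // the returned query string still has to be verified
  });
  return popup;
}

// Return page, loaded in the popup once it is back on the consumer's origin.
function finishInPopup(win) {
  const opener = win.opener;
  // The reference may be gone (opener closed, or severed by the browser):
  // report that so the page can complete the transaction in this window.
  if (!opener || opener.closed) return "no-opener";
  opener.postMessage(
    { type: "identity-return", query: win.location.search },
    win.location.origin // never "*": deliver only to our own origin
  );
  win.close();
  return "sent";
}
```

The two checks in the listener are what the remembered window reference buys: a message from any other window, or from any other origin, is dropped before the transaction completes.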