Non-recoverable auth failure?

Brad Fitzpatrick brad at
Tue Jun 28 19:53:58 PDT 2005

On Wed, 29 Jun 2005, Martin Atkins wrote:

> Brad Fitzpatrick wrote:
> >
> >   -- new window does identity trust, returns, finds window.opener (if it
> >      still exists after moving between domains?), and then completes
> >      transaction by talking to window.opener
> >
> > If so (and I think it'll be fine) then I'm all in favor of dropping
> > post_grant and making the spec say it always returns.
> >
> > Anybody else for/against that?
> >
> > - Brad
> >
> Even if you can't do all that fancy stuff, there's no reason why you
> can't do window.close(), right? So losing the special case doesn't cost
> anything.

But if you can't communicate back to the other app, you just "spent" your
id_res signature on a window.close() page.

So the server would have to note that some previously-established session
(which is shared with the originating page) is now blessed.

Or hell, even if you can't do either of those, you can always set a cookie
from javascript.

Okay, there are now three viable options.

> I'm for. Anything to reduce the number of little wacky things that ID
> servers have to handle.


Carl, Martin -- thanks for staying on me about this.

I'll go change the specs now.  (really just delete a few sections)
Shouldn't really affect anybody.

- Brad

More information about the yadis mailing list