Non-recoverable auth failure?
Brad Fitzpatrick
brad at danga.com
Tue Jun 28 19:53:58 PDT 2005
On Wed, 29 Jun 2005, Martin Atkins wrote:
> Brad Fitzpatrick wrote:
> >
> > -- new window does identity trust, returns, finds window.opener (if it
> > still exists after moving between domains?), and then completes
> > transaction by talking to window.opener
> >
> > If so (and I think it'll be fine) then I'm all in favor of dropping
> > post_grant and making the spec say it always returns.
> >
> > Anybody else for/against that?
> >
> > - Brad
> >
>
> Even if you can't do all that fancy stuff, there's no reason why you
> can't do window.close(), right? So losing the special case doesn't cost
> anything.
But if you can't communicate back to the other app, you just "spent" your
id_res signature on a window.close() page.
So the server would have to note that some previously-established session
(which is shared with the originating page) is now blessed.
Or hell, even if you can't do either of those, you can always set a cookie
from JavaScript.
Okay, there are now three viable options.
> I'm for. Anything to reduce the number of little wacky things that ID
> servers have to handle.
Agreed.
Carl, Martin -- thanks for staying on me about this.
I'll go change the specs now. (really just delete a few sections)
Shouldn't really affect anybody.
- Brad