[OpenID] XAuth critiques

Ben Laurie benl at google.com
Wed Jun 9 08:58:42 UTC 2010


On 8 June 2010 18:38, John Panzer <jpanzer at google.com> wrote:
> On Tue, Jun 8, 2010 at 7:07 AM, Peter Watkins <peterw at tux.org> wrote:
>> This is a great example of why this should be in-browser. With an
>> in-browser
>> solution, a user could be prompted each time an RP asks for XAuth tokens,
>> and could decide at that time which IdP tokens to reveal, and whether to
>> always reveal the same set to that RP, etc. Users would only be prompted
>> about the tokens they actually possess, and the RP sites they actually
>> visit -- solving the privacy/disclosure NASCAR problem efficiently.
>
> I think this would be a poor UI too -- it's well known that most users will
> simply end up clicking "OK" in this situation, and the experience is worse.
>  But without getting into that argument:  You could implement essentially
> the same UX using JS -- the RP doesn't get the data sent back via
> postMessage() unless the xauth.org JS says it can.  You could probably have
> a better UX with an in-browser solution, but not a qualitatively different
> one.  In other words, this is not a strong differentiator for in-browser vs.
> JS solutions.


I don't quite understand what you mean by "click OK" in this case? The
user will be presented with a choice of IdPs and will have to choose
one - there is no "OK" to click. However, having the user choose which
IdP to present to the RP seems like a win to me, regardless of whether
this is in-browser or xauth JS. See http://www.links.org/?p=938.
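As an added example (not code from this thread, nor XAuth's own hub), here is the hub-side gate Panzer describes, written as a pure function so it runs outside a browser: the xauth.org side, not the RP, decides per RP origin which IdP tokens go back over postMessage. The request shape, the consent store and the sample tokens are constructed assumptions.

```javascript
// Added example; handleTokenRequest, storedTokens and consentStore are hypothetical names.

// Constructed sample: tokens the xauth.org hub holds for this user, keyed by IdP origin.
const storedTokens = {
  "https://idp-a.example": { token: "tok-a", expire: 4102444800000 }, // far future
  "https://idp-b.example": { token: "tok-b", expire: 0 },             // already expired
  "https://idp-c.example": { token: "tok-c", expire: 4102444800000 },
};

// Constructed sample: what the user has already agreed to disclose, per RP origin.
// An RP with no entry has never been decided on and must trigger a prompt.
const consentStore = {
  "https://rp.example": new Set(["https://idp-a.example", "https://idp-b.example"]),
};

// Decide what, if anything, to post back for one request. `event` mirrors the
// two MessageEvent fields that matter here: origin and data.
function handleTokenRequest(event, now = Date.now()) {
  // Trust the browser-supplied origin only when it is a real https origin;
  // "null" or http origins cannot be tied to a particular RP.
  if (typeof event.origin !== "string" || !event.origin.startsWith("https://")) {
    return { status: "rejected", reason: "untrusted origin" };
  }
  let request;
  try {
    request = JSON.parse(event.data);
  } catch {
    return { status: "rejected", reason: "malformed request" };
  }
  if (request.cmd !== "retrieve" || !Array.isArray(request.retrieve)) {
    return { status: "rejected", reason: "unknown command" };
  }
  const allowed = consentStore[event.origin];
  if (!allowed) {
    // No recorded decision for this RP: ask the user about the IdP tokens the
    // hub actually holds, nothing more (Watkins' point about prompting only
    // for tokens the user possesses).
    const held = request.retrieve.filter((idp) => idp in storedTokens);
    return { status: "prompt", rp: event.origin, idps: held };
  }
  // Reveal only tokens that the RP asked for, the user allowed for this RP,
  // and that have not expired.
  const tokens = {};
  for (const idp of request.retrieve) {
    const t = storedTokens[idp];
    if (allowed.has(idp) && t && t.expire > now) tokens[idp] = t.token;
  }
  return { status: "ok", tokens };
}
```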
