No subject
Wed Mar 4 18:19:19 UTC 2009
Flash based objects are an important part of "BoA" SiteKey. The role of flash objects is well understood in a client auth role (when combined with other mechanisms).
One still needs server auth, of course - which needs to be independent of "browser" constructs (like address bars). But, I don't think there is any point arguing that here: they are decided that the address bar is magical. Assume one part of the brain for recognition, rather than the part that sitekey uses.
Peter.
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Michael Graves
Sent: Friday, March 20, 2009 11:28 AM
To: general at openid.net
Subject: [OpenID] Flash based authentication?
Pete,
We've done a lot of work with Flash (AS3) widget machinery and OpenID authentication, and we expect to have a Flash component added to the RPX service we run, facilitating the kinds of interactions you're talking about here.
First, as you point out, any embedded Flash object is subject to the scope of its container (an HTML page, or maybe a Flash/Flex container inside an HTML page) -- when the top level browser location changes, you're done. Since the browser handles redirects, persisting the Flash object is not an option, and when you go from "submit" to "handle an authenticated sign in" redirect, you're starting from scratch. Typically, that's OK, since that is a move from anonymous/guest mode to a "signed in" mode where the authenticated user's profile data has been summoned from the database and is used to "personalize" the page, and possibly the flash content, via flashvars.
Anyway, the idea I wanted to raise is using Flash's "Shared Object", their private "cookie" system, built into the player. If I understand you, that may be a useful way to "bridge" the sessions when filling out big forms. The amount of storage is limited (but can be substantial, ~100k is not uncommon) and is controlled by the user. But having wrestled with this problem a bit, that works well -- when the user needs to "refresh" their session, you may be able to just store all the work in progress for the form in a Flash shared object and send the user on their way to be directed to an OP, and redirected back with a freshly authenticated session. When the user returns, the saved form data will still be available in the stored shared object, enabling the form to be "reconstituted" to the state it was in previously, partially filled out by the user.
If I'm off base as to the amount of data you need to save (big uploads, etc., more than Flash shared objects will store for that user), then this won't help. Just wanted to point that out, as that's been a very useful feature in our work on Flash-enabled OpenID apps. Flash player 10 also has local file system access now, which is another option, and wouldn't be subject to the user-set storage limits of the shared object.
Best,
-Mike
Yeah thanks for that.
This is the one reference I have seen to someone using OpenID in a flash
context (and even better for me, a flex component).
However, the live example he has I can't seem to get to load properly in
my browser, and the demo says this upon submission of my identity:
"Ideally, this is the handler where you send "ivt.com.au/openid/peter<http://ivt.com.au/openid/peter>"
for discovery to your backend. You could then call
OpenIDLoginWindow.closeLogin(), use the response from discovery along
with ExternalInterface.call() to communicate this URL with javascript so
that the browser window is redirected there."
The key phrase being "so that the browser window is redirected there",
which will:
a) break my requirement for not destroying the flash session (need to
keep the player instance open so that everything stays in memory).
b) Quite possibly cause problems with pop-up blockers.
cheers,
Pete
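Mike's suggestion above (park the partially filled form in a Flash shared object, go to the OP, restore it on return), sketched in ActionScript 3 as an added example that is not part of the original thread. The class name, object name, 15-minute limit and the owner check against the server-verified identifier are assumptions; the owner check and the one-shot clear keep a saved draft from being restored into someone else's session on a shared machine.

```actionscript
package {
    import flash.net.SharedObject;
    import flash.net.SharedObjectFlushStatus;

    // Hypothetical helper (not from the thread): parks a form draft in a
    // local shared object before the redirect to the OP and restores it
    // after the user comes back with a fresh session.
    public class FormDraftStore {
        private static const NAME:String = "formDraft";          // assumed
        private static const MAX_AGE_MS:Number = 15 * 60 * 1000; // assumed

        private static function open():SharedObject {
            try {
                // secure=true limits access to SWFs delivered over HTTPS;
                // the player returns null for a SWF loaded over plain HTTP.
                return SharedObject.getLocal(NAME, "/", true);
            } catch (e:Error) {
                // local storage is disabled for this domain
            }
            return null;
        }

        // Call just before handing the browser to the OP. Returns true
        // only when the draft is confirmed on disk.
        public static function save(fields:Object, claimedId:String):Boolean {
            var so:SharedObject = open();
            if (so == null) return false;
            so.data.fields = fields;
            so.data.owner = claimedId;
            so.data.savedAt = new Date().time;
            try {
                // PENDING means the player is asking the user for more
                // space; treat that as "not saved yet" and do not redirect.
                return so.flush() == SharedObjectFlushStatus.FLUSHED;
            } catch (e:Error) {
                so.clear(); // the user refused storage for this domain
            }
            return false;
        }

        // Call after the return redirect. claimedId is the identifier the
        // server verified (passed in via flashvars, for example).
        public static function restore(claimedId:String):Object {
            var so:SharedObject = open();
            if (so == null || so.data.fields == undefined) return null;
            var age:Number = new Date().time - Number(so.data.savedAt);
            var ok:Boolean = so.data.owner == claimedId
                && age >= 0 && age <= MAX_AGE_MS;
            var fields:Object = ok ? so.data.fields : null;
            so.clear(); // one-shot: do not leave form data on disk
            return fields;
        }
    }
}
```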