[OpenID] Auth Request display param question
home_pw at msn.com
Fri Mar 4 21:08:13 UTC 2016
I can give Paul some realty specific context (since his firm gets to do the job I did till recently).
Imagine Joomla has a local rp login page flow, that expects to cooperate with an idp at the end of a chain of websso handoffs. Today it might use websso (ceding page control), but tomorrow openid connect (keeping page control).
In the websso era, to avoid losing page control to the idp, architecture arranged for the idp to render as a (javascript) control (in some division of the rp's page tree). Any websso protocol's (rendering) effect was thus limited to the viewport of that div. This allowed the rp "to control" the overall message (particularly when switching multiple idps).
Obviously some idp business models hated that, wanting to impose (think fbi) central policy. Nothing stops a now easily manipulated rp from abandoning the protective architecture (and becoming beholden to the idp regime, to whom the economic value then flows). Silly rp, in my view, but I also no longer care...
Now with openid one can use the protocol to effect those architecture decisions (rather than kludge with Javascript controls etc).
On Wed, Mar 2, 2016 at 3:16 PM -0800, "John Bradley" <ve7jtb at ve7jtb.com> wrote:
It has to do with the size of the display the IdP has to work within.
The RP makes the popup. This theoretically kept the user on the RP’s page.
At the time RPs resisted doing full page redirects and possibly having the user lose context.
John B.
> On Mar 2, 2016, at 8:03 PM, Phil Hunt <phil.hunt at oracle.com> wrote:
>
> Wasn’t it a way to pass a value to the user interface to give a justification for the request for personal information and/or authentication?
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt at oracle.com
>
>> On Mar 2, 2016, at 2:37 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>
>> I recall it was an early requirement from Facebook and Janrain.
>>
>> There was a popup extension for OpenID 2.
>> http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.html
>>
>> I suspect that anyone using the popup extension from openid 2 kept using the popup dimensions.
>>
>> On looking at the parameter in the Connect Core specification it is underspecified on its own.
>>
>> Janrain and some others were using it. I don’t know if there has been any real demand for it in Connect.
>> That is probably why no one has pointed it out prior to this.
>>
>> It should be fleshed out in a profile.
>>
>> John B.
>>
>>> On Mar 2, 2016, at 7:17 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:
>>>
>>> Hmm, yeah you're right, now that I think about it. There is no way to window.open() a popup from the Provider without nuking the browser's current window. If your main authentication page is a responsive view, then the display parameter probably doesn't matter. But maybe it's for those that might want to have a stateful knowledge before rendering the DOM that it's going to be a small view?
>>>
>>>
>>> ---------------------------------------------------------------
>>> Cal Heldenbrand
>>> Web Operations at FBS
>>> Creators of flexmls® <http://flexmls.com/> and Spark Platform <http://sparkplatform.com/>
>>> cal at fbsdata.com
>>> On Wed, Mar 2, 2016 at 3:09 PM, Paul Hethmon <paul.hethmon at clareitysecurity.com> wrote:
>>> So I can see that, but that would require the RP to create that pop-up window, not the OP.
>>>
>>> At the end of the day, if they reach my OP, they’ll get my login screen in a browser window (with prompt=popup), which still qualifies as meeting specification since it's a SHOULD. But I hate not understanding the meaning or use case.
>>>
>>> Paul
>>>
>>>> On Mar 2, 2016, at 4:04 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:
>>>>
>>>> I believe that's for an AJAX request in a popup window. (or maybe a modal dialog?)
>>>>
>>>>
>>>> ---------------------------------------------------------------
>>>> Cal Heldenbrand
>>>> Web Operations at FBS
>>>> Creators of flexmls® <http://flexmls.com/> and Spark Platform <http://sparkplatform.com/>
>>>> cal at fbsdata.com
>>>> On Wed, Mar 2, 2016 at 2:48 PM, Paul Hethmon <paul.hethmon at clareitysecurity.com> wrote:
>>>> In section 3.1.2.1 of Core, it details the 4 options for the “display” parameter. While the 4 options are clear enough, I don’t get the intent of having “page” vs “popup”. If the client has been redirected to the OP for authentication, there’s a full browser window sitting there, so why ask the OP to popup something over that? I haven’t found any archived discussion or blogs on the subject and feel I must totally be missing the point here.
>>>>
>>>> Discussion here or a pointer to something is greatly appreciated.
>>>>
>>>> thanks,
>>>>
>>>> Paul
>>>>
>>>> -----
>>>> Paul Hethmon
>>>> Chief Software Architect
>>>> paul.hethmon at clareitysecurity.com
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>>
>>>
>>> -----
>>> Paul Hethmon
>>> Chief Software Architect
>>> paul.hethmon at clareitysecurity.com
>>
>
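
The division of labour described in this thread, as an added example that is not part of the original messages: the RP opens the popup itself and sends `display=popup` only as a hint, and the OP falls back to `page` when the value is missing or unknown. The endpoint, client id, redirect URI, function names and popup dimensions are assumptions for illustration.

```javascript
// Added example. All hosts and identifiers passed to it are constructed placeholders.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// The four display values defined in OpenID Connect Core, section 3.1.2.1.
const DISPLAY_VALUES = ["page", "popup", "touch", "wap"];

function randomToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// RP side: build the authentication request, including the display hint.
function buildAuthRequest(authzEndpoint, { clientId, redirectUri, display }) {
  if (!DISPLAY_VALUES.includes(display)) {
    throw new Error(`unsupported display value: ${display}`);
  }
  const state = randomToken(); // bound to the RP session, checked on return
  const nonce = randomToken(); // echoed in the ID Token, checked by the RP
  const url = new URL(authzEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    scope: "openid",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    nonce,
    display,
  }).toString();
  return { url: url.toString(), state, nonce };
}

// RP side, browser only: the RP, not the OP, creates the popup window.
// The 450x500 size is an assumption, not a value taken from Connect Core.
function openLoginPopup(request) {
  if (typeof window === "undefined") return null; // not running in a browser
  return window.open(request.url, "oidc_login", "popup,width=450,height=500");
}

// OP side: display is a rendering hint only. Absent or unrecognised values
// fall back to "page", the default full-window view.
function resolveDisplay(query) {
  const requested = new URLSearchParams(query).get("display");
  return DISPLAY_VALUES.includes(requested) ? requested : "page";
}
```

Because the OP may ignore the hint, the RP's handling of `state` and `nonce` on the callback is the same whichever view the OP renders.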