As long as your in a hidden iframe, I haven't really had a problem detecting whether an OP is "up". I just send a checkid_immediate their way an a hidden iframe, and if the iframe never gets redirected back to the RP, then the OP is "down". There's a timeout after which the RP's javascript decides "ah, the OP is down or too slow to wait".<div>
<br></div><div>The only problem this has is that some OPs break the rules and show UI even for checkid_immediate. But since the iframe is hidden, this just results in a timeout closing the iframe.<br clear="all">--<br>Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">2009/7/13 SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
To use a hidden iframe at the RP to attempt the checkid_immediate could result in something like the Facebook auto-login experience where the user sees the Facebook login page for a few seconds and then is automatically dragged into his account, which met with some "what the heck just happened?" questions from users.<br>
</blockquote>
<br>
It would be nice if the top-level page could detect whether the framed page had been accessed successfully or not, and then respond to it by informing the user and, if necessary, asking what to do next. Would the document.domain setting allow for this?<br>
<a href="http://www.dyn-web.com/tutorials/iframes/" target="_blank">http://www.dyn-web.com/tutorials/iframes/</a><br>
But then we don't want to send the user to *log in* at their OP right away, since their OP probably doesn't want to let arbitrary RP's see the page they're presenting to a known user; still, we don't need to, as we can redirect them that way *after* they've confirmed that they can *see* the OP. So, perhaps a page at the OP that ignores any identifying information the user may send along with a request, and is able to set document.domain for the purpose of letting RP's see that the user can indeed *visit* that OP?<br>
<br>
-Shade<br>
</blockquote></div><br></div>