On Wed, Jun 9, 2010 at 1:58 AM, Ben Laurie <span dir="ltr"><<a href="mailto:benl@google.com">benl@google.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On 8 June 2010 18:38, John Panzer <<a href="mailto:jpanzer@google.com">jpanzer@google.com</a>> wrote:<br>
> On Tue, Jun 8, 2010 at 7:07 AM, Peter Watkins <<a href="mailto:peterw@tux.org">peterw@tux.org</a>> wrote:<br>
</div><div class="im">>> This is a great example of why this should be in-browser. With an<br>
>> in-browser<br>
>> solution, a user could be prompted each time an RP asks for XAuth tokens,<br>
>> and could decide at that time which IdP tokens to reveal, and whether to<br>
>> always reveal the same set to that RP, etc. Users would only be prompted<br>
>> about the tokens they actually possess, and the RP sites they actually<br>
>> visit -- solving the privacy/disclosure NASCAR problem efficiently.<br>
><br>
> I think this would be a poor UI too -- it's well known that most users will<br>
> simply end up clicking "OK" in this situation, and the experience is worse.<br>
> But without getting into that argument: You could implement essentially<br>
> the same UX using JS -- the RP doesn't get the data sent back via<br>
> postMessage() unless the <a href="http://xauth.org" target="_blank">xauth.org</a> JS says it can. You could probably have<br>
> a better UX with an in-browser solution, but not a qualitatively different<br>
> one. In other words, this is not a strong differentiator for in-browser vs.<br>
> JS solutions.<br>
<br>
<br>
</div>I don't quite understand what you mean by "click OK" in this case? The<br>
user will be presented with a choice of IdPs and will have to choose<br>
one - there is no "OK" to click. However, having the user choose which<br>
IdP to present to the RP seems like a win to me, regardless of whether<br>
this is in-browser or xauth JS. See <a href="http://www.links.org/?p=938" target="_blank">http://www.links.org/?p=938</a>.<br>
</blockquote></div><br><div>My interpretation: In the common case, the user would have exactly one IdP and would be choosing whether to tell the RP about it -- so in effect it'd be an OK button. </div>
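<div>The "RP only gets data back via postMessage() if the xauth.org JS says it can" model discussed above, sketched as an added example (this is not code from the thread, from xauth.org, or from any of the posters). It models the token-holding side: the sender origin is validated before anything else, the user is only ever asked about IdP tokens that actually exist in the store, and a per-RP consent record can be remembered so the prompt does not recur. The token store, IdP/RP origins, message type name and the askUser callback are all constructed assumptions for illustration.</div>

```javascript
// Added example: consent gate for an XAuth-style token iframe.
// Not xauth.org code; all origins, tokens and message shapes are constructed.

// Constructed store of IdP tokens the user possesses (hypothetical values).
const tokenStore = {
  "https://idp-a.example": { token: "tokA-constructed" },
  "https://idp-b.example": { token: "tokB-constructed" },
};

// Remembered consent: RP origin -> Set of IdP origins the user agreed to reveal.
// No entry means the user must be asked (modelled by the askUser callback).
const consent = new Map();

// Accept only well-formed https origins; postMessage() event.origin is the
// browser-asserted sender, so this is the check that makes the gate meaningful.
function isValidOrigin(origin) {
  return /^https:\/\/[A-Za-z0-9.-]+(:\d+)?$/.test(origin);
}

// Decide what (if anything) to return to rpOrigin for a retrieve request.
// askUser(rpOrigin, candidateIdps) -> { idps: [...], remember: bool } is a
// stand-in for the in-page chooser the thread is debating.
function handleTokenRequest(rpOrigin, request, askUser) {
  if (!isValidOrigin(rpOrigin)) return { error: "bad_origin" };
  if (!request || request.type !== "xauth.retrieve") return { error: "bad_request" };

  // Only IdPs the user actually has (and, if the RP named some, only those).
  const candidates = Object.keys(tokenStore).filter(
    (idp) => !Array.isArray(request.idps) || request.idps.includes(idp)
  );
  // Nothing to reveal: answer without prompting, so the user is never asked
  // about tokens they do not possess.
  if (candidates.length === 0) return { tokens: {} };

  let allowed = consent.get(rpOrigin);
  if (!allowed) {
    const choice = askUser(rpOrigin, candidates);
    // Ignore any IdP the chooser returns that is not a real candidate.
    allowed = new Set((choice.idps || []).filter((idp) => candidates.includes(idp)));
    if (choice.remember) consent.set(rpOrigin, allowed);
  }

  const tokens = {};
  for (const idp of candidates) {
    if (allowed.has(idp)) tokens[idp] = tokenStore[idp].token;
  }
  return { tokens };
}

// Forget remembered consent for one RP (or all RPs when omitted).
function resetConsent(rpOrigin) {
  if (rpOrigin === undefined) consent.clear();
  else consent.delete(rpOrigin);
}

// Browser wiring; a no-op outside a browser so the logic above stays testable.
// The reply is addressed to event.origin, never to "*".
function installListener(askUser) {
  if (typeof window === "undefined") return false;
  window.addEventListener("message", (event) => {
    const reply = handleTokenRequest(event.origin, event.data, askUser);
    event.source.postMessage(reply, event.origin);
  });
  return true;
}
```

<div>The design point relative to the thread: whether the chooser is rendered by the browser or by the xauth.org page, the decision of which tokens to release is taken on the token-holder's side of the postMessage() boundary, keyed by the verified sender origin, so a page that merely posts a request cannot read tokens the user did not choose to share.</div>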