Re: Proposal for User Agent Augmented Authorization from Mike West on 2014-08-06 (public-webapps@w3.org from July to September 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 6 Aug 2014 11:46:34 +0200
To: Sam Penrose <spenrose@mozilla.com>
Cc: Webapps WG <public-webapps@w3.org>
Message-ID: <CAKXHy=cpQnB8VRvUz30b37k1uNJTdYo12G10kWRUeUpwCguSyw@mail.gmail.com>

Hey Sam, this looks interesting indeed!

It's not clear to me how this proposal interacts with the credential
management proposal I sent out last week. Does the following more or less
describe the integration you're thinking about, or have I completely
misunderstood the proposal?

```
navigator.credentials.request({ federations: ['https://idp1.net/', '
https://idp2.net' ] }).then(function(c) {
  // If the user picks a supported IDP, authenticate:
  if (c && c instanceof FederatedCredential) {
    navigator.auth.authenticate({
      authURL: ...,
      returnURL: ...
    });
  }
});
```

I was hoping that we could find a way to hide some of that magic behind the
initial call to `.request()`. If the user picks a stored credential from
IDP #1, it seems like we'd be able to come up with a system that returned
whatever IDP-specific tokens directly as part of resolving the promise.
That is, rather than popping up one picker, then resolving the promise,
returning control to the website, and then popping up some additional UI,
we could handle the IDP-side authentication process in the browser before
returning a credential.

We could, for instance, remove the need for parameters to `authenticate` by
defining suitable attributes in an IDP manifest, as sketched out at
http://projects.mikewest.org/credentialmanagement/spec/#identity-provider-manifest
.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Aug 6, 2014 at 5:25 AM, Sam Penrose <spenrose@mozilla.com> wrote:

> We think that users could be well served by providing simple ways for user
> agents and authentication protocols (specifically Oauth, we hope others) to
> support each other:
>
>   https://github.com/SamPenrose/ua-augmented-auth
>
> Web apps suffer particularly due to non-http URIs and cookie segregation.
> We would like feedback on the specific APIs suggested, as well as the
> overall problem framing. Thank you for your consideration.
>
> -- Sam
>
>
>

Received on Wednesday, 6 August 2014 09:47:23 UTC