
Credentials Management API & multiple-credentials.

From: <rektide@voodoowarez.com>
Date: Tue, 10 Feb 2015 14:26:18 -0500
To: public-webappsec@w3.org
Message-ID: <20150210192618.GC29049@voodoowarez.com>

Two use cases for Credentials Management API that I would appreciate someone taking up:

1. As a website, I'd like to permit my user to present me multiple credentials. If they
want to tie their Altavista, Hotbot, Myspace, and Audioscrobbler accounts to my service,
that would be fantastic. 

I don't see any direct clashes that would prevent my site from issuing a slew of 
`navigator.credential.request()` options, but, there are very few words about the user-
agent's responsibility for displaying post-sign-in confirmation, which is a core function
of this spec yet described only in one place:

Recommendation: make explicit that the notify{SignedIn,FailedSignIn,SignedOut} cases
are things a browser might have to do multiple times. Include references to these functions
in the Algorithms section (currently un-referenced):

2. If I'm Yoyodyne Enterprises, a worldwide megacorp, and I have subsidiary corporations
using my SSO, I might want to issue multiple signin credentials. Kerberos for example
gets me access to over three different credentials at work.

currently only permits the user-agent to present a single credential to the client code.

Recommendation: turn .pending into an array of PendingCredentials.

Are these sensible use cases? What would help me articulate their need better, if anything?
What follow-up do you recommend I pursue to make sure these use cases are supported? If you
are unsure whether these use cases make sense, what is it that causes you doubt or what do
you not have confidence about in here?

Received on Tuesday, 10 February 2015 19:26:42 UTC
