[security] "AJAX"-style setups?

Johannes Berg johannes at sipsolutions.net
Wed Nov 1 01:58:29 PST 2006


Hi,

After reading the specs, mailing list archives and other things for a
while I still haven't found anything resembling "best-practice" for an
ajax-style setup.

The draft says:

> While nothing in the protocol requires JavaScript or modern browsers,
> the authentication scheme plays nicely with "AJAX"-style setups, so an
> End User can prove their Identity to a Relying Party without having to
> leave the page they are on.

At first I thought this was to imply that, for example, an RP could
handle authentication inside of an (i)frame or similar and the user
authenticates to his IdP in there, so never visibly leaving the RP's
site. That, however, has the major flaw of not allowing the user to
verify that the credentials she's entering are really sent to IdP. It of
course would work when she authenticates to the IdP by way of an
existing session cookie because that cookie would only be sent to the
real IdP. But then again, except for showing a blank page for a short
period of time this is the same when not using (i)frames.

Could someone clarify? Maybe it's not a security issue at all because
something else is intended by the quoted paragraph above?

Thanks,
Johannes
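The concern raised above is that an IdP login page embedded in the RP's (i)frame gives the user no address bar to check, so she cannot tell which origin receives her password. One defensive control on the IdP side is to refuse to be framed on any page that collects credentials, which forces the login into a top-level window or popup whose URL the user can inspect. The following is an added example, not code from the original post or from any OpenID implementation: a minimal WSGI provider that sets anti-framing headers on its credential pages, plus an audit helper that reports whether a captured set of response headers would still allow cross-origin framing. The header names are real (X-Frame-Options and the CSP frame-ancestors directive) but postdate this 2006 thread; the paths and the server itself are constructed for illustration.

```python
"""Added example: IdP login page that refuses to be framed, plus an audit check.
Not part of the original mailing-list post; paths and server are constructed."""
import re
from wsgiref.simple_server import make_server

# Constructed: paths on this hypothetical IdP that render a password form.
CREDENTIAL_PATHS = {"/login", "/reset-password"}

# Both headers are sent: X-Frame-Options for older browsers,
# CSP frame-ancestors for current ones. Neither existed in 2006.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def build_headers(path):
    """Response headers for a given IdP path; credential pages get anti-framing headers."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if path in CREDENTIAL_PATHS:
        headers.extend(ANTI_FRAMING_HEADERS)
    return headers


def is_frameable(headers):
    """Audit helper: given a list of (name, value) response headers, return True if a
    browser honouring them would still let a different origin embed the page."""
    for name, value in headers:
        n = name.lower()
        v = value.strip().lower()
        if n == "x-frame-options" and v in ("deny", "sameorigin"):
            return False
        if n == "content-security-policy":
            m = re.search(r"frame-ancestors\s+([^;]+)", v)
            if m:
                sources = m.group(1).split()
                # 'none' blocks all framing; only 'self' blocks every foreign origin.
                if sources == ["'none'"] or all(s == "'self'" for s in sources):
                    return False
    # No recognised restriction: the page can be embedded by an RP's (i)frame.
    return True


def app(environ, start_response):
    """Tiny WSGI provider: the password form only ever ships with anti-framing headers."""
    path = environ.get("PATH_INFO", "/")
    headers = build_headers(path)
    if path in CREDENTIAL_PATHS:
        body = b"<form method='post'><input name='password' type='password'></form>"
    else:
        body = b"<p>OpenID provider front page</p>"
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    # Run locally and load http://127.0.0.1:8000/login inside an iframe on another
    # origin to observe the browser refusing to render it.
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("serving on http://127.0.0.1:8000/login")
        httpd.serve_forever()
```

The audit helper is the piece worth reusing: run it over the headers an IdP actually returns for its login URL rather than over the headers its documentation promises, since a single misconfigured reverse proxy is enough to strip them.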