Websites using OpenID/OAuth/Facebook Connect/Twitter Connect often open a popup window to the user's Identity Provider for the user to complete the AuthZ/AuthN flow rather than taking the user away from the referring site via a full page redirect.

In the case where a popup window is used, it's a very good idea to require that the browser's address bar is displayed, and that an independent browser window is used, rather than an inline iframe. These requirements are needed to help prevent the user from being phished in the case where the user has to enter their password, and to ensure that the user's consent was not forged via a clickjacking attack. I believe that the Web Server Flow and the Web Client Flow will often take place within a popup window, so it would make sense to put into the core spec that popups should be independent browser windows with the address bar clearly displayed.

Another missing feature in the core spec is support for multiple languages. Given that many Service Providers have a global userbase, client applications will want to have a way to specify the language to be used on the auth screen. While the User Agent's Accept-Language: HTTP header, as well as the user's IP address, could be used as language hints, in practice clients will want the ability to specify the language.

Is there consensus to get Popup Window requirements and language support into the OAuth2 core spec?

Allen
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth