On 4/1/10 5:48 PM, "Allen Tom" <a...@yahoo-inc.com> wrote:
> Websites using OpenID/OAuth/Facebook Connect/Twitter Connect often open a
> popup window to the user's Identity Provider for the user to complete the
> AuthZ/AuthN flow rather than taking the user away from the referring site via
> a full page redirect.
>
> In the case where a popup window is used, it's a very good idea to require
> that the browser's address bar is displayed, and that an independent
> browser window is used, rather than an inline iframe. These requirements are
> needed to help prevent the user from being phished in the case where the user
> has to enter their password, and to ensure that the user's consent was not
> forged via a clickjacking attack.
>
> I believe that the Web Server Flow and the Web Client Flow will often take
> place within a popup window, so it would make sense to put into the core spec
> that popups should be independent browser windows with the address bar clearly
> displayed.
It certainly belongs in the security considerations section, but unless
there is a way for the server to enforce it, a MUST directive is pointless.
An attacker will obviously not comply...
> Another missing feature in the core spec is support for multiple languages.
> Given that many Service Providers have a global userbase, client applications
> will want to have a way to specify the language to be used on the auth screen.
> While the User Agent's Accept-Language: HTTP header, as well as the user's IP
> address could be used as language hints, in practice clients will want the
> ability to specify the language.
>
> Is there consensus to get Popup Window requirements and language support into
> the OAuth2 core spec?
Don't ask. Write a proposal and send to the list for each of these items
(don't spend time on editorial or language). I'll add it to the spec and
we'll see how well it fits in. At this stage we should be liberal in what we
include so we can get the full picture. Then we will decide what to drop or
spin-off.
EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth