
navigator.id.logout doesn't trigger onlogout if user doesn't have a Persona session


Michael Kelly

May 8, 2013, 3:50:16 PM
to dev-id...@lists.mozilla.org
(Posted at the behest of callahad after I tested it)

So Flicks ran into an issue recently where users would log into Flicks,
then log out of another Persona-enabled site and lose their Persona
session. When they went back to Flicks, they would be logged into Flicks
and see a Sign Out button, but when the button was clicked and ran
navigator.id.logout, the onlogout handler wasn't executed and nothing
would happen.

The bug was in Flicks; it wasn't correctly passing the user's email to
navigator.id.watch. When set up correctly, watch should've automatically
logged them out as soon as they hit the page. However, this brought up a
state in which Persona's behavior was undefined: If the user does not
have an active Persona session, navigator.id.logout will not trigger the
onlogout handler.

I don't have a specific question or request for myself; this is more of
a note of what I found. However, it does raise the question of what
Persona should do in odd edge cases like this. My personal choice would
be to make onlogout ALWAYS be called after navigator.id.logout, because
otherwise I have no reliable way to run code after that function is
called in case it fails.

Thanks!
-Mike Kelly

Sean McArthur

May 8, 2013, 9:19:44 PM
to Michael Kelly, dev-id...@lists.mozilla.org
Semantically, it feels like it's working as intended. `onlogout` should
only be called if there was a session that Persona is terminating. And as
you pointed out, it was a bug that Flicks wasn't filling in the
loggedInUser.

Still, I sympathize...

Peter Santoro

May 29, 2013, 3:28:40 PM
I have a related question. Here's the scenario:

A web server uses the Remote Verification API to verify an assertion. The verification succeeds, but it is determined that the user is not allowed to use the service. Should the web server then simply redirect the client to another url that automatically calls navigator.id.logout directly? If so, is it necessary to call navigator.id.watch to setup loggedInUser, onlogin, and onlogout for that url? Is there a better way to handle this scenario?

Thank you,

Peter

Peter Santoro

May 30, 2013, 10:15:34 AM
I think I figured this out. Since the server is called via an XMLHttpRequest in the navigator.id.watch onlogin function, the server can return a flag indicating whether to accept the login or not. The navigator.id.watch onlogin function can then call navigator.id.logout if needed. I tested this and it seems to work fine. Calling navigator.id.logout in this manner also appears to trigger the navigator.id.watch onlogout function to execute.

Is this an acceptable way to deny users from logging in via Persona?

Thank you,

Peter

Sean McArthur

Jul 10, 2013, 6:29:36 PM
to Peter Santoro, dev-id...@lists.mozilla.org
Sounds reasonable to me; it's how I would do it.
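The two patterns discussed in this thread, as an added example that is not code from the thread, from Flicks, or from Persona itself: a site-side `navigator.id.watch` integration that (a) passes the site's own session as `loggedInUser` so a stale site session is torn down on page load, (b) denies a verified-but-unauthorized user from inside `onlogin` by calling `navigator.id.logout`, as Peter described, and (c) tears down the site session from the Sign Out handler even when `onlogout` does not fire, which is the edge case Mike hit. Because the real `navigator.id` is a browser object and the verifier is a server round trip, the block ships with a constructed stand-in for `navigator.id` that models only the behaviour this thread describes (watch reconciles `loggedInUser` against the Persona session; `logout` fires `onlogout` only when a Persona session exists) and a constructed, synchronous stand-in for the XHR to a hypothetical site verify endpoint. The assertion format `assertion-for:<email>`, the allowlist, and every function name below are assumptions for the example, not Persona's API.

```javascript
// Added example, not code from the thread or from Persona.

// Constructed stand-in for navigator.id. It models only what the thread
// describes: watch() compares loggedInUser with the Persona session and
// fires onlogin/onlogout to reconcile them; logout() fires onlogout only
// if there is a Persona session to terminate.
function makeFakeNavigatorId(personaSessionEmail) {
  let session = personaSessionEmail; // email string, or null for no session
  let handlers = null;
  return {
    watch(opts) {
      handlers = opts;
      if (session !== null && opts.loggedInUser !== session) {
        opts.onlogin("assertion-for:" + session); // constructed assertion blob
      } else if (session === null && opts.loggedInUser !== null) {
        opts.onlogout(); // site thinks the user is in; Persona says out
      }
    },
    logout() {
      if (session === null) return; // the edge case from the thread: no callback
      session = null;
      handlers.onlogout();
    },
  };
}

// Constructed stand-in for the XHR to a hypothetical site verify endpoint,
// which in a real deployment calls the Remote Verification API. Synchronous
// here so the example runs offline; the callback shape mirrors an XHR.
function makeVerifier(allowedUsers) {
  return function verify(assertion, done) {
    const email = assertion.replace(/^assertion-for:/, "");
    done({ accepted: allowedUsers.includes(email), email });
  };
}

// Site-side integration. siteSessionEmail is the site's own session; the
// optional advertisedUser lets a caller reproduce the Flicks bug by passing
// null as loggedInUser while a site session exists.
function createSiteAuth(navId, verify, siteSessionEmail, advertisedUser) {
  const site = { user: siteSessionEmail, events: [] };
  const loggedInUser = advertisedUser === undefined ? siteSessionEmail : advertisedUser;

  function endSiteSession(reason) {
    site.user = null;
    site.events.push("site-logout:" + reason);
  }

  navId.watch({
    loggedInUser,
    onlogin(assertion) {
      verify(assertion, (result) => {
        if (result.accepted) {
          site.user = result.email;
          site.events.push("site-login:" + result.email);
        } else {
          // Deny from onlogin: the Persona session is ended and onlogout follows.
          site.events.push("denied:" + result.email);
          navId.logout();
        }
      });
    },
    onlogout() {
      endSiteSession("onlogout");
    },
  });

  // Sign Out handler. onlogout is not guaranteed to fire when no Persona
  // session exists, so the site session is torn down here as a fallback
  // rather than relying solely on the callback.
  function signOut() {
    navId.logout();
    if (site.user !== null) endSiteSession("fallback");
  }

  return { site, signOut };
}
```

The fallback in `signOut` is the practical answer to Mike's concern: the site's own session should never depend on a callback that Persona only promises when it has something to terminate.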