
Does Persona depend on JavaScript?


Denis Washington

Nov 14, 2012, 1:41:38 PM
to dev-id...@lists.mozilla.org
Hi,

One problem I see with Persona is that it, at least in its current state
(AFAIK), needs a JavaScript interpreter to make sense of the IdP's
"provision" and "authentication" endpoints.

Is this dependency intended? I guess it's not that bad because you can
embed a WebView / JS interpreter everywhere these days and it allows for
a great deal of flexibility for the IdP (it can decide on its own how
credentials are checked etc.), but it may be a problem for some use
cases. It's also a potential security risk (in the sense that
*everything* Turing-complete is a security risk).

Denis

Dan Callahan

Nov 14, 2012, 2:23:04 PM
On 11/14/12 12:41 PM, Denis Washington wrote:
> One problem I see with Persona is that it, at least in its current state
> (AFAIK), needs a JavaScript interpreter to make sense of the IdP's
> "provision" and "authentication" endpoints.

That's correct. Persona, right now, is fundamentally designed for the
web, so we expect the ability to execute JavaScript and render web pages.

Does that design prevent you from using Persona? What would you propose
as an alternative?

There are huge benefits to the current design for both the end-user
experience and the identity provider. Given the ability to completely
control the authentication context, an identity provider is free to use
whatever form of authentication they want (password, smartcard,
biometric, etc), and they can present a familiar interface to users.

This does, however, restrict where Persona is applicable: it would be
hard to build a command-line client that could authenticate with Persona.

I believe some folks on the team have been trying to flesh out how the
protocol would need to change to support REST-ful, JS-free
authentication, but I don't recall what the exact state of that is. It
should be readily discoverable in the mailing list archives.

Cheers,
-Callahad

Denis Washington

Nov 14, 2012, 2:32:49 PM
to dev-id...@lists.mozilla.org
On 14.11.2012 20:23, Dan Callahan wrote:
> On 11/14/12 12:41 PM, Denis Washington wrote:
>> One problem I see with Persona is that it, at least in its current state
>> (AFAIK), needs a JavaScript interpreter to make sense of the IdP's
>> "provision" and "authentication" endpoints.
>
> That's correct. Persona, right now, is fundamentally designed for the
> web, so we expect the ability to execute JavaScript and render web pages.
>
> Does that design prevent you from using Persona? What would you propose
> as an alternative?

It doesn't prevent me from doing anything. I would use Persona on my web
pages without a thought. I am just reflecting on the design, and making
sure I understand everything correctly, as I'll present Persona in ~15
hours in a University class.

> There are huge benefits to the current design for both the end-user
> experience and the identity provider. Given the ability to completely
> control the authentication context, an identity provider is free to use
> whatever form of authentication they want (password, smartcard,
> biometric, etc), and they can present a familiar interface to users.

That's true. I wanted to emphasize this as well.

> This does, however, restrict where Persona is applicable: it would be
> hard to build a command-line client that could authenticate with Persona.
>
> I believe some folks on the team have been trying to flesh out how the
> protocol would need to change to support REST-ful, JS-free
> authentication, but I don't recall what the exact state of that is. It
> should be readily discoverable in the mailing list archives.

OK, thanks. I guess the JavaScript-based flow is both more flexible and
easier to integrate into existing infrastructure, so I absolutely see
where you're coming from. Thanks. :)

Denis

Dan Callahan

Nov 14, 2012, 2:45:02 PM
On 11/14/12 1:32 PM, Denis Washington wrote:
> I am just reflecting on the design, and making
> sure I understand everything correctly, as I'll present Persona in ~15
> hours in a University class.

Ah! Right! You're that same Denis! Hooray! :)

Let us know if you have any other questions, and please share your
presentation and the feedback you gather from it.

Cheers,
-Callahad

Denis Washington

Nov 14, 2012, 3:02:41 PM
to dev-id...@lists.mozilla.org
Sure, no problem. My presentation is in German, but if there is interest
I can translate it afterwards.

By the way: thanks to everyone involved in the design of the Persona
website and related architecture / protocol flow diagrams. There is a
lot I could build into my presentation. (Specifically, the slides are
HTML5/reveal.js-based with the persona.org background and font, and I
used the protocol flow diagrams Ben Adida used in the slides he uploaded
to his GitHub repo.) Thanks to you my slides look great! :)

Regards,
Denis
