Hi team,
So we have a lot of strong opinions on this thread, which is a good thing.
Let me try to unravel/simplify a little bit. Let's keep an open mind (and
that includes me.)
First, let me try to put a couple of arguments to rest:
- changing forceIssuer for Firefox OS at this point is a no-go. Maybe in a
future version. I don't think we got this wrong, actually, but we probably
should postpone this conversation since pragmatically, we're not going to
change the course of action for the next few months.
- requiredEmail is a very different situation. We thought we had a use case
that was useful to RPs. It turns out we didn't. No RPs really needed this
feature the way we anticipated. When we killed the feature, we found out
someone was using this feature in a *completely unintended* way. Not in a
way we intended that we only partially implemented, but in a way we *never*
meant to implement and never even foresaw. So I don't think the comparison
really helps us here.
So, putting those two issues aside, we're weighing the concern of a feature
we haven't fully implemented, which might mislead RPs, vs. the concern of a
feature we're whitelisting for another Mozilla property only.
Like Jared, I've realized recently how uncomfortable I am with the notion
that we would offer a feature only to another Mozilla site. It feels quite
closed. I'm also worried that we would refuse to implement an experimental
feature until it's perfectly right, which is a very hard thing to do in
this case. In fact, it's such a huge feature to do fully right that this
approach might mean we never do it. And yet we know we have a use case,
with a number of RPs having asked for it, and it's an existing web pattern.
So, ignoring Firefox OS for a second: are we saying we just won't do this
feature ever because some RPs might get it wrong? That seems overly
conservative to me, as long as we make a real focused effort to prevent
confusion.
I think we agree that, if we can ensure RPs understand the limitation of
this feature, then it would be okay. We're mostly worried they won't get it.
What if we took this approach:
- to enable experimental API support, the RP has to call:
navigator.id.enableExperimentalAPIs();
This spits out a console warning about "be careful to consult this URL to
make sure you know what you're doing!"
- if an RP calls .request() with forceAuthentication, and the experimental
API has not been turned on, then it's a hard-fail, no popup, big error in
console.
- in any case, calling .request() with forceAuthentication spits out
warnings on the console.
- we do not commit to supporting this for any period of time.
- we take extreme care to document this only on the experimental API page,
not on the main doc page.
Would this be okay?
-Ben
> ______________________________**_________________
> dev-identity mailing list
>
dev-id...@lists.mozilla.org
>
https://lists.mozilla.org/**listinfo/dev-identity<
https://lists.mozilla.org/listinfo/dev-identity>
>