
Re: Logging into Persona in an iframe


Shane Tomlinson

Feb 6, 2013, 4:24:06 AM
to dev-id...@lists.mozilla.org
On 04/02/2013 20:23, Dirkjan Ochtman wrote:
> Hi,
>
> After some procrastination and figuring some stuff out with their API,
> I'm finally getting to the part where I can actually look into how I
> can integrate Persona into Disqus (per David Ascher's request on this
> list from a while ago).
>
> It looks like their setup is such that I provide a URL to them, they
> then open a pop-up window where the login flow can happen, I close the
> window when the login is complete, and they reload the page.
>
> I guess I could open a Persona pop-up on top of the thing they pop up,
> but that seems ugly. Jared suggested on IRC that it might be possible
> to hack up some of the Persona login stuff such that it works in an
> iframe, so that I can effectively make the Disqus-invoked pop-up
> window pretend to be the Persona pop-up, except with a little bit of
> extra script.
>
> Would something like that be possible somehow? I'm guessing this might
> also be interesting in the context of the recent "pop-ups suck"
> feedback.
>
> Cheers,
>
> Dirkjan
> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity

Hi Dirkjan,
We explicitly forbid Persona from being run inside of an IFRAME using
the x-frame-options header. We want users to be assured they are
visiting Persona and not a phishing site. Even though there is strong
evidence to suggest that users rarely look at the URL bar, we want this
basic level of assurance for those that do.

What is the goal of what you are trying to do, and what is the initial
flow that you are considering? We might be able to figure out another
way of solving this problem.

Shane

Dirkjan Ochtman

Feb 6, 2013, 4:49:52 AM
to Shane Tomlinson, dev-id...@lists.mozilla.org
Hi Shane,

On Wed, Feb 6, 2013 at 10:24 AM, Shane Tomlinson <stoml...@mozilla.com> wrote:
> What is the goal of what you are trying to do, and what is the initial flow
> that you are considering? We might be able to figure out another way of
> solving this problem.

That makes sense.

My goal is to enable Persona authentication for Disqus, via their
optional, paid-for SSO API. That API allows me to give them a URL
which their code will open in a pop-up; their code will continue as
soon as the pop-up is closed. It seems ugly to then open another
pop-up on top of that for the Persona stuff, so I was wondering if
there is some other way.

Cheers,

Dirkjan

Ben Adida

Feb 11, 2013, 12:23:06 AM
to Dirkjan Ochtman, Shane Tomlinson, dev-id...@lists.mozilla.org
Could this be helped by allowing disqus.com as an embedder of persona code?
I'm not suggesting we do that immediately, just trying to get a more
complete understanding of the problem.

-Ben

Lloyd Hilaiel

Feb 11, 2013, 10:57:27 AM
to Ben Adida, Dirkjan Ochtman, Shane Tomlinson, dev-id...@lists.mozilla.org
Could the idea of a re-direct flow for persona solve this?

1. disqus opens popup to persona-discuss-bridge.org
2. popup re-directs to login.persona.org/redirect_signin
3. a new page we write (redirect_signin) detects referer and initiates normal sign-in flow
4. upon completion, redirect back to persona-discuss-bridge.org
5. watch() api returns assertion, persona-discuss-bridge.org checks, user is authenticated.

We've talked about this in the past. Would this work here? Would this also give people who hate popups a way around them?

lloyd

Dirkjan Ochtman

Feb 11, 2013, 11:03:31 AM
to Lloyd Hilaiel, Ben Adida, Shane Tomlinson, dev-id...@lists.mozilla.org
On Mon, Feb 11, 2013 at 4:57 PM, Lloyd Hilaiel <ll...@mozilla.com> wrote:
> Could the idea of a re-direct flow for persona solve this?
>
> 1. disqus opens popup to persona-discuss-bridge.org
> 2. popup re-directs to login.persona.org/redirect_signin
> 3. a new page we write (redirect_signin) detects referer and initiates normal sign-in flow
> 4. upon completion, redirect back to persona-discuss-bridge.org
> 5. watch() api returns assertion, persona-discuss-bridge.org checks, user is authenticated.
>
> We've talked about this in the past. Would this work here? Would this also give people who hate popups a way around them?

How does my code (the stuff that redirected to redirect_signin at the
start) get the assertion?

And, I guess for the popup-haters to like this, it would have to run
in a modal dialog iframe or some such. I guess that could work?

Cheers,

Dirkjan

Lloyd Hilaiel

Feb 11, 2013, 11:09:30 AM
to Dirkjan Ochtman, Ben Adida, Shane Tomlinson, dev-id...@lists.mozilla.org
On Feb 11, 2013, at 9:03 AM, Dirkjan Ochtman <dir...@ochtman.nl> wrote:

> On Mon, Feb 11, 2013 at 4:57 PM, Lloyd Hilaiel <ll...@mozilla.com> wrote:
>> Could the idea of a re-direct flow for persona solve this?
>>
>> 1. disqus opens popup to persona-discuss-bridge.org
>> 2. popup re-directs to login.persona.org/redirect_signin
>> 3. a new page we write (redirect_signin) detects referer and initiates normal sign-in flow
>> 4. upon completion, redirect back to persona-discuss-bridge.org
>> 5. watch() api returns assertion, persona-discuss-bridge.org checks, user is authenticated.
>>
>> We've talked about this in the past. Would this work here? Would this also give people who hate popups a way around them?
>
> How does my code (the stuff that redirected to redirect_signin at the
> start) get the assertion?

Theory is that inside the popup, upon completion, the user would be redirected to the bridge, the bridge would call watch, and get an assertion, then authenticate and close itself, passing control back over to disqus.

> And, I guess for the popup-haters to like this, it would have to run
> in a modal dialog iframe or some such. I guess that could work?

So this is a good point. I was not proposing we allow persona to be embedded in iframes.

Would your average popup hater be happier with a redirect flow? Or are redirects as distasteful as popups?

IOW, is all the popup hatred fundamentally about having another party in the authentication flow or is it about a Window Popping Up?

lloyd

> Cheers,
>
> Dirkjan

Dirkjan Ochtman

Feb 12, 2013, 4:04:20 AM
to Lloyd Hilaiel, Ben Adida, Shane Tomlinson, dev-id...@lists.mozilla.org
On Mon, Feb 11, 2013 at 5:09 PM, Lloyd Hilaiel <ll...@mozilla.com> wrote:
>>> 1. disqus opens popup to persona-discuss-bridge.org
>>> 2. popup re-directs to login.persona.org/redirect_signin
>>> 3. a new page we write (redirect_signin) detects referer and initiates normal sign-in flow
>>> 4. upon completion, redirect back to persona-discuss-bridge.org
>>> 5. watch() api returns assertion, persona-discuss-bridge.org checks, user is authenticated.
>>>
>>> We've talked about this in the past. Would this work here? Would this also give people who hate popups a way around them?
>>
>> How does my code (the stuff that redirected to redirect_signin at the
>> start) get the assertion?
>
> Theory is that inside the popup, upon completion, the user would be redirected to the bridge, the bridge would call watch, and get an assertion, then authenticate and close itself, passing control back over to disqus.

Yeah; but I think the idea is that Disqus, after that, just reloads
the page, which I'm then supposed to make sure contains the
credentials (some form of HMAC'ed JSON). I'm not sure how the
assertion gets to my backend so that I can create the credentials
thingy?

>> And, I guess for the popup-haters to like this, it would have to run
>> in a modal dialog iframe or some such. I guess that could work?
>
> So this is a good point. I was not proposing we allow persona to be embedded in iframes.
>
> Would your average popup hater be happier with a redirect flow? Or are redirects as distasteful as popups?
>
> IOW, is all the popup hatred fundamentally about having another party in the authentication flow or is it about a Window Popping Up?

I would guess redirects are worse than popups. For me, it's just about
UX; keeping the login flow connected to the tab where I'm actually
logging in is just nicer (but perhaps someone more knowledgeable about UX
should speak up here).

Cheers,

Dirkjan

Lloyd Hilaiel

Feb 12, 2013, 1:29:02 PM
to Dirkjan Ochtman, Ben Adida, Shane Tomlinson, dev-id...@lists.mozilla.org
On Feb 12, 2013, at 2:04 AM, Dirkjan Ochtman <dir...@ochtman.nl> wrote:
>>
>> Theory is that inside the popup, upon completion, the user would be redirected to the bridge, the bridge would call watch, and get an assertion, then authenticate and close itself, passing control back over to disqus.
>
> Yeah; but I think the idea is that Disqus, after that, just reloads
> the page, which I'm then supposed to make sure contains the
> credentials (some form of HMAC'ed JSON). I'm not sure how the
> assertion gets to my backend so that I can create the credentials
> thingy?

I'm suggesting your backend would be the "bridge". So in the window, after auth, redirect would happen to client code served by your backend, it would then do an XHR with an assertion that it gets from watch, you would create the credentials thingy.

>> So this is a good point. I was not proposing we allow persona to be embedded in iframes.
>>
>> Would your average popup hater be happier with a redirect flow? Or are redirects as distasteful as popups?
>>
>> IOW, is all the popup hatred fundamentally about having another party in the authentication flow or is it about a Window Popping Up?
>
> I would guess redirects are worse than popups. For me, it's just about
> UX; keeping the login flow connected to the tab where I'm actually
> logging in is just nicer (but perhaps someone more knowledgeable about UX
> should speak up here).

Yeah, this is interesting. There is clear "popup hatred" but I think it means different things to different people.

lloyd

David Ascher

Feb 12, 2013, 1:32:21 PM
to Lloyd Hilaiel, Ben Adida, Dirkjan Ochtman, Shane Tomlinson, dev-id...@lists.mozilla.org
>> I would guess redirects are worse than popups. For me, it's just about
>> UX; keeping the login flow connected to the tab where I'm actually
>> logging in is just nicer (but perhaps someone more knowledgeable about UX
>> should speak up here).
>
> Yeah, this is interesting. There is clear "popup hatred" but I think it means different things to different people.

I have a nagging suspicion that popups & redirects have different UX impact on different platforms (i.e. mobile vs. desktop, Android vs. iOS, …)

--da

Crystal Beasley

Feb 14, 2013, 10:28:24 PM
to David Ascher, Ben Adida, Dirkjan Ochtman, Lloyd Hilaiel, Shane Tomlinson, dev-id...@lists.mozilla.org
I would second ascher's suspicion that student form factors have
significant differences in the preferred interaction pattern.

For the record, I am no lover of popups. They have many problems. However...

The existing design was vetted extensively by many rounds of user testing
on desktop. I believe they are the best *fallback* solution to the problem,
given the considerations around phishing, building brand recognition around
Persona and the cross platform limitations.

I have only a heuristics review on mobile, an obvious area for further
exploration. My plan for our new headcount, once they are hired, is to set
them on improving the mobile and native flows, both of which have their
own set of restrictions and opportunities.

There is no question that we could make the persona flow more transparent
to the user by integrating in an iframe, but it doesn't satisfy all of our
broader picture requirements. Our upcoming efforts this year in leveraging
the native platforms to introduce and reinforce the persona brand will
greatly improve overall ux for the sign into web piece.

C

mish...@gmail.com

Oct 25, 2013, 4:20:12 AM
Hi,
I'm building a mobile web app and I'm integrating Persona authentication. The thing is... a new popup in a mobile browser leads to an entirely new tab. And that's a problem. Is there some way for authentication to be made more user-friendly, without going to another tab? Is there really no chance to open it in an iframe? What are the best practices when developing a mobile app?

Regards,
Mihail

Shane Tomlinson

Oct 25, 2013, 5:59:39 AM
to dev-id...@lists.mozilla.org
Hi Mihail,
The popup vs iframe vs redirect question is frequently asked, so much so
that we should probably create some wiki documentation for it.

One of the reasons we do not allow sites to specifically request
redirect/iframes is that Persona itself is a shimmed implementation of
the BrowserID protocol, it is *not* the one true BrowserID
implementation. Once BrowserID is built into the browser, the only way
to access a BrowserID based authentication system will be how the
browser allows you to.

The second reason we do not allow IFRAMEing of the Persona dialog is
just as important - security. Not all sites have good intentions. The
URL bar is the easiest way for users to ensure the site they are
entering their authentication details on is the site they know and trust.
An IFRAME has no URL bar, giving users no visible mechanism to ensure
they are not being phished. A final attack that we are trying to avoid
is a site that embeds Persona, but then overlays an invisible layer on
top that captures all the user's key strokes, acting as a keylogger.

Shane

Jonathan Brown

Oct 26, 2013, 6:47:36 AM
to Shane Tomlinson, mish...@gmail.com, dev-id...@lists.mozilla.org
Note that if you sign in with Facebook, Twitter or Google, you also get a
modal signin window. You can try all three at https://disqus.com/
