SkygearIO / features

Feature Tracking Repo for Skygear
Apache License 2.0

Implement OpenID Connect Session Management 1.0 #415

Open louischan-oursky opened 4 years ago

louischan-oursky commented 4 years ago

Description

Implement OpenID Connect Session Management 1.0

Investigate an implementation (maybe proprietary) that supports the Facebook Messenger authentication flow.

Blog Post Specification

Blog Post of the Feature Release

Open Questions

Put a list of open questions here before a complete design / specification is decided

Related Issues

kiootic commented 4 years ago

Regarding FB messenger: a quick search shows this: https://stackoverflow.com/a/44234694

louischan-oursky commented 4 years ago

I guess we will stick with the spec and use iframe and postMessage.

kiootic commented 4 years ago

I think it's not that simple. The main problem here is showing the authentication status of a user on a page controlled by an OIDC client unauthorized by the user. In this case, we can solve it in these ways:

louischan-oursky commented 4 years ago

The main problem here is showing the authentication status of a user on a page controlled by an OIDC client unauthorized by the user. In this case, we can solve it in these ways

I got what you meant. However, the spec has an assumption that the RP page has an ID token, so it assumes that the user has already authorized the RP. Your scenario assumes the user has not yet authorized the RP, so the spec simply does not apply.

have a way to designate a specific registered OIDC client as a first-party client, so that it is treated as implicitly authorized by all users (and the OIDC session management API can be used)

Maybe the way to go.

provide a page to be embedded as an iframe in the OIDC client page, displaying the authentication status message and a link to the authentication flow entry.

I thought of this too, but it is impossible because we enforce PKCE so the flow must be triggered by the client.