Open marsangr opened 7 years ago
This is more of a spec question than a certification one; @selfissued has agreed to comment.
I agree. The RP is responsible for opening the popup window. The OP is responsible if the display=popup parameter is specified to ensure the UI works correctly within the popup window (e.g. provide scrollbars if the UI is larger than the size of the window).
Even if this is a test issue and not a protocol issue, it would be great to get some clarification on display=popup in the upcoming errata 2, @selfissued. The wording in the spec makes it not entirely clear who's responsible for what WRT the popup.
What's the status on this? I can't see how the OP is capable of opening a dialog window, let alone opening one that is an appropriate size for the RP (which it knows nothing about). It sounds to me like this test should be opening the popup itself and that the OP should be rendering a login view that scales appropriately.
The note in the test says "You should get a popup user agent login window".
From my point of view it is the RP (in this case, the test tool) who should be responsible for creating the popup, and I, the OP, should honor the display parameter just to optimize for popups.
RATIONALE:
The spec says "The Authorization Server SHOULD display [...] CONSISTENT WITH a popup" and not "create a popup".
It looks like that "display" parameter appeared in the standard as a result of the input of this group. Look at this part of the charter:
"Although it is possible for Relying Parties to open a popup window for the user to authenticate at the OpenID Provider using the Provider's default user interface, the overall user experience can be optimized if the OP was aware that its UI was running within a popup. For instance, an OP may want to resize the popup browser window when using the popup interface, but would probably not want to resize the full browser window when using the default redirect interface. Another optimization is that the OP can close the popup, rather than return a negative assertion if the user chooses to cancel the authentication request."
So "consistent with", for me, means "being aware of running within a popup window that my caller created".
I would expect the test to be adjusted to do so.