Open cbiesinger opened 6 months ago
Maybe we should only make requests to IdPs with a logged-in status for the registration API specifically?
If an IdP manages to call an IdentityProvider.register() to register a user, they can also manage to call a navigator.login.setStatus() to prime the Login Status initial state, right?
Yes that was my thinking
Maybe we should only make requests to IdPs with a logged-in status for the registration API specifically?
Yeah, I think this would be a reasonable requirement.
We should make sure we consider the implications to "button mode" too.
Is the suggestion basically to not have 'unknown' for registered IDPs? E.g. they are always either logged in or logged out?
Yeah, I think that's what Christian is suggesting.
When I filed this, I was thinking that in RequestToken we basically change unknown to logged-out for an IDP if it came from configURL:any.
However we could also have IdentityProvider.register have an implied setStatus(logged-out) if the status was unknown.
IdPs currently start out in an unknown status (in Chrome). But with the registration API, we may have a lot of IdPs. Maybe we should only make requests to IdPs with a logged-in status for the registration API specifically?