-
Notifications
You must be signed in to change notification settings - Fork 73
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add domainHint to the spec * b * b * Review
- Loading branch information
Showing
1 changed file
with
48 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -153,7 +153,7 @@ could be implemented. | |
| providers: [{ | ||
| configURL: "https://idp.example/manifest.json", | ||
| clientId: "123", | ||
| nonce: nonce | ||
| nonce: nonce, | ||
| }] | ||
| } | ||
| }); | ||
|
|
@@ -740,6 +740,7 @@ dictionary IdentityProviderConfig { | |
| dictionary IdentityProviderRequestOptions : IdentityProviderConfig { | ||
| USVString nonce; | ||
| DOMString loginHint; | ||
| DOMString domainHint; | ||
| }; | ||
| </xmp> | ||
|
|
||
|
|
@@ -757,6 +758,11 @@ dictionary IdentityProviderRequestOptions : IdentityProviderConfig { | |
| agent to show to the user. If provided, the user agent will not show accounts which do not | ||
| match this login hint value. It generally matches some attribute from the desired | ||
| {{IdentityProviderAccount}}. | ||
| : <b>{{IdentityProviderConfig/domainHint}}</b> | ||
| :: A string representing the domain hint corresponding to a domain which the [=RP=] is | ||
| interested in, or "any" if the [=RP=] wants any account associated with at least one domain | ||
| hint. If provided, the user agent will not show accounts which do not match the domain hint | ||
| value. | ||
| </dl> | ||
|
|
||
| <!-- ============================================================ --> | ||
|
|
@@ -871,7 +877,7 @@ the exception thrown. | |
| 1. Let |config| be the result of running [=fetch the config file=] | ||
| with |provider| and |globalObject|. | ||
| 1. If |config| is failure, return (failure, true). | ||
| 1. [=Show an IDP login dialog=] with |config|. | ||
| 1. [=Show an IDP login dialog=] with |config| and |provider|. | ||
| 1. If that algorithm returns failure, return (failure, true). | ||
|
|
||
| Issue: We should perhaps provide a way to let the [=RP=] request that | ||
|
|
@@ -901,8 +907,8 @@ the exception thrown. | |
| 1. <dfn>Mismatch dialog step</dfn>: If |loginStatus| is [=logged-in=], show a | ||
| dialog to the user. The contents of this dialog are defined by the user | ||
| agent. This dialog SHOULD provide an affordance for the user to trigger | ||
| the [=show an IDP login dialog=] algorithm with |config|; this dialog | ||
| is the <dfn>confirm IDP login dialog</dfn>. | ||
| the [=show an IDP login dialog=] algorithm with |config| and |provider|; | ||
| this dialog is the <dfn>confirm IDP login dialog</dfn>. | ||
|
|
||
| Note: This situation happens when the browser expects the user | ||
| to be signed in, but the accounts fetch indicated that the user | ||
|
|
@@ -932,6 +938,15 @@ the exception thrown. | |
| {{IdentityProviderAccount/login_hints}} does not [=list/contain=] |provider|'s | ||
| {{IdentityProviderRequestOptions/loginHint}}. | ||
| 1. If |accountList| is now empty, go to the [=mismatch dialog step=]. | ||
| 1. If |provider|'s {{IdentityProviderConfig/domainHint}} is not empty: | ||
| 1. For every |account| in |accountList|: | ||
| 1. If {{IdentityProviderConfig/domainHint}} is "any": | ||
| 1. If |account|'s {{IdentityProviderAccount/domain_hints}} is empty, remove | ||
| |account| from |accountList|. | ||
| 1. Otherwise, remove |account| from |accountList| if |account|'s | ||
| {{IdentityProviderAccount/domain_hints}} does not [=list/contain=] |provider|'s | ||
| {{IdentityProviderConfig/domainHint}}. | ||
| 1. If |accountList| is now empty, go to the [=mismatch dialog step=]. | ||
| 1. For each |acc| in |accountsList|: | ||
| 1. If |acc|["{{IdentityProviderAccount/picture}}"] is present, [=fetch the account picture=] | ||
| with |acc| and |globalObject|. | ||
|
|
@@ -1206,6 +1221,7 @@ dictionary IdentityProviderAccount { | |
| USVString picture; | ||
| sequence<USVString> approved_clients; | ||
| sequence<DOMString> login_hints; | ||
| sequence<DOMString> domain_hints; | ||
| }; | ||
| dictionary IdentityProviderAccountList { | ||
| sequence<IdentityProviderAccount> accounts; | ||
|
|
@@ -1487,10 +1503,27 @@ and a |responseBody|, run the following steps. This returns an [=ordered map=]. | |
| </div> | ||
|
|
||
| <div algorithm> | ||
| To <dfn>show an IDP login dialog</dfn> given an {{IdentityProviderAPIConfig}} |config|, run | ||
| the following steps. This returns success or failure. | ||
| 1. [=Create a fresh top-level traversable=] with URL | ||
| To <dfn>show an IDP login dialog</dfn> given an {{IdentityProviderAPIConfig}} |config|, an | ||
| {{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following steps. This returns | ||
| success or failure. | ||
| 1. Assert: these steps are running [=in parallel=]. | ||
| 1. Let |loginUrl| be null. | ||
| 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |globalObject| to set | ||
| |loginUrl| to the result of running [=url parser=] with | ||
| |config|.{{IdentityProviderAPIConfig/login_url}}. | ||
| 1. Wait until |loginUrl| is not null. | ||
| 1. Assert: |loginUrl| is not failure (the [=user agent=] has previously checked that | ||
| |config|.{{IdentityProviderAPIConfig/login_url}} is a valid URL). | ||
| 1. Let |queryList| be a new [=list=]. | ||
| 1. If |provider|'s {{IdentityProviderConfig/loginHint}} is not empty, [=list/append=] | ||
| ("login_hint", {{IdentityProviderConfig/loginHint}}) to |queryList|. | ||
| 1. If |provider|'s {{IdentityProviderConfig/domainHint}} is not empty, [=list/append=] | ||
| ("domain_hint", {{IdentityProviderConfig/domainHint}}) to |queryList|. | ||
| 1. If |queryList| is not [=list/empty=]: | ||
| 1. Let |queryParameters| be the result of the [=urlencoded serializer=] with |queryList|. | ||
| 1. If |loginUrl|'s [=url/query=] is not null or empty, prepend "&" to |queryParameters|. | ||
| 1. Append |queryParameters| to |loginUrl|'s [=url/query=]. | ||
| 1. [=Create a fresh top-level traversable=] with |loginUrl|. | ||
| 1. The user agent MAY [=set up browsing context features=] or otherwise | ||
| affect the presentation of this traversable in an implementation-defined | ||
| way. | ||
|
|
@@ -1856,6 +1889,10 @@ Every {{IdentityProviderAccount}} is expected to have members with the following | |
| :: A list of strings which correspond to all of the login hints which match with this account. | ||
| An [=RP=] can use the {{IdentityProviderRequestOptions/loginHint}} to request that only an account | ||
| matching a given value is shown to the user. | ||
| : <dfn>domain_hints</dfn> | ||
| :: A list of strings which correspond to all of the domain hints which match with this account. | ||
| An [=RP=] can use the {{IdentityProviderConfig/domainHint}} to request that only an account | ||
| matching a given value or containing some domain hint is shown to the user. | ||
| </dl> | ||
|
|
||
| For example: | ||
|
|
@@ -1870,15 +1907,17 @@ For example: | |
| "email": "[email protected]", | ||
| "picture": "https://idp.example/profile/123", | ||
| "approved_clients": ["123", "456", "789"], | ||
| "login_hints": ["john_doe"] | ||
| "login_hints": ["john_doe"], | ||
| "domain_hints": ["idp.example"], | ||
| }, { | ||
| "id": "5678", | ||
| "given_name": "Johnny", | ||
| "name": "Johnny", | ||
| "email": "[email protected]", | ||
| "picture": "https://idp.example/profile/456", | ||
| "approved_clients": ["abc", "def", "ghi"], | ||
| "login_hints": ["[email protected]", "id=5678"] | ||
| "login_hints": ["[email protected]", "id=5678"], | ||
| "domain_hints": ["idp.example"], | ||
| }] | ||
| } | ||
| ``` | ||
|
|
||