Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Specify "Use another account". #678

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Specify "Use another account". #678

Changes from 7 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a191a15
Specify "Use another account".
cbiesinger Nov 4, 2024
3d56908
ted changes
cbiesinger Nov 7, 2024
cbd0adf
npm comment
cbiesinger Nov 7, 2024
af610e6
fix indentation
cbiesinger Nov 7, 2024
cd1c73d
fix indentation
cbiesinger Nov 7, 2024
82ea3fa
fix nit
cbiesinger Nov 7, 2024
533de6b
fix indentation
cbiesinger Nov 7, 2024
20b53f0
oxford commas
cbiesinger Nov 22, 2024
c9b78be
Merge remote-tracking branch 'origin' into otheraccount
cbiesinger Nov 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 50 additions & 15 deletions spec/index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -804,6 +804,11 @@ the exception thrown.
1. Let |config| be the result of running [=fetch the config file=] with
|provider| and |globalObject|.
1. If |config| is failure, return (failure, false).
1. If |options|.{{IdentityCredentialRequestOptions/mode}} is "active",
then let |modeSettings| be
|config|.{{IdentityProviderAPIConfig/modes}}.{{IdentityProviderModes/active}};
otherwise,
|config|.{{IdentityProviderAPIConfig/modes}}.{{IdentityProviderModes/passive}}.
1. <dfn>Fetch accounts step</dfn>: Let |accountsList| be the result of
[=fetch the accounts=] with |config|, |provider|, and |globalObject|.
1. If |accountsList| is failure, or the size of |accountsList| is 0:
Expand Down Expand Up @@ -883,21 +888,27 @@ the exception thrown.
1. Otherwise, if |accountsList|'s size is 1:
1. Set |account| to |accountsList|[0].
1. If [=compute the connection status=] of |account|, |provider| and |globalObject| returns
[=compute the connection status/connected=], show a dialog to request user permission to sign
in via |account|, and set the result in |permission|. The user agent MAY use |options|'s
{{IdentityCredentialRequestOptions/context}} to customize the dialog.
[=compute the connection status/connected=]:
1. Show a dialog to request user permission to sign in via |account|, and set the result
in |permission|. The user agent MAY use |options|'s
{{IdentityCredentialRequestOptions/context}} to customize the dialog.
1. If |modeSettings|.{{IdentityProviderModeSettings/supports_use_other_account}} is true,
that dialog MUST provide an affordance to use another account. If that
affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider| and |globalObject|.
cbiesinger marked this conversation as resolved.
Show resolved Hide resolved
1. If that returned success, go back to the [=fetch accounts step=].
1. Otherwise, let |permission| be the result of running [=request permission to sign-up=]
algorithm with |account|, |config|, |provider|, and |globalObject|. Also set
|disclosureTextShown| to true.
algorithm with |account|, |modeSettings|, |config|, |provider|, and
|globalObject|. Also set |disclosureTextShown| to true.
1. Otherwise:
1. Set |account| to the result of running the [=select an account=] from the
|accountsList|.
1. Set |account| to the result of running [=select an account=] with
|accountsList|, |modeSettings|, |config|, |provider|, and |globalObject|.
1. If |account| is failure, return (failure, true).
1. If [=compute the connection status=] of |account|, |provider| and |globalObject| is
[=compute the connection status/connected=], set |permission| to true.
1. If [=compute the connection status=] of |account|, |provider|, and |globalObject|
is [=compute the connection status/connected=], set |permission| to true.
1. Otherwise:
1. Let |permission| be the result of running the [=request permission to sign-up=]
algorithm with |account|, |config|, |provider|, and |globalObject|.
algorithm with |account|, |modeSettings|, |config|, |provider|, and |globalObject|.
1. Set |disclosureTextShown| to true.
1. Wait until the [=user agent=]'s dialogs requesting for user choice or permission to be
closed, if any are created in the previous steps.
Expand Down Expand Up @@ -1053,13 +1064,23 @@ dictionary IdentityProviderBranding {
USVString name;
};

dictionary IdentityProviderModeSettings {
boolean supports_use_other_account;
};

dictionary IdentityProviderModes {
IdentityProviderModeSettings active;
IdentityProviderModeSettings passive;
};

dictionary IdentityProviderAPIConfig {
required USVString accounts_endpoint;
required USVString client_metadata_endpoint;
required USVString id_assertion_endpoint;
required USVString login_url;
USVString disconnect_endpoint;
IdentityProviderBranding branding;
IdentityProviderModes modes;
};
</xmp>

Expand Down Expand Up @@ -1267,10 +1288,17 @@ dictionary IdentityProviderToken {
<!-- ============================================================ -->

<div algorithm>
To <dfn>select an account</dfn> given an |accountsList|, run the following steps. This returns an
{{IdentityProviderAccount}} or failure.
To <dfn>select an account</dfn> given an |accountsList|, some {{IdentityProviderModeSettings}}
|modeSettings|, an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderConfig}} |provider|,
and a |globalObject|, run the following steps. This returns an {{IdentityProviderAccount}} or
failure.
1. Assert |accountsList|'s [=list/size=] is greater than 1.
1. Display an account chooser displaying the options from |accountsList|.
1. If |modeSettings|.{{IdentityProviderModeSettings/supports_use_other_account}} is true,
the account chooser MUST provide an affordance to use another account. If that
affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider| and |globalObject|.
1. If that returned success, go back to the [=fetch accounts step=].
cbiesinger marked this conversation as resolved.
Show resolved Hide resolved
1. Let |account| be the {{IdentityProviderAccount}} of the account that the user
manually selects from the accounts chooser, or failure if no account is selected.
1. Return |account|.
Expand All @@ -1281,9 +1309,10 @@ waits for the user to grant permission to use the given account, and returns whe
granted permission or not.

<div algorithm>
To <dfn>request permission to sign-up</dfn> the user with a given an {{IdentityProviderAccount}} |account|,
an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}} |provider|, and a
|globalObject|, run the following steps. This returns a boolean.
To <dfn>request permission to sign-up</dfn> the user with a given an {{IdentityProviderAccount}}
|account|, some {{IdentityProviderModeSettings}} |modeSettings|, an {{IdentityProviderAPIConfig}}
|config|, an {{IdentityProviderRequestOptions}} |provider|, and a |globalObject|, run the following
steps. This returns a boolean.
1. Assert: These steps are running [=in parallel=].
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parallel steps would be better presented as bullets (which might bullets within a numbered step), rather than as numbered steps. As this stands, I am unsure exactly which steps are running in parallel.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would not be correct. Please check the definition of "in parallel": https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The definition of "in parallel" is not sufficient for me (and I have some familiarity with the subject) to know whether the numbered steps (1)-(20) of which this Assert is (1) are to run in parallel with each other (which appears possible, and indeed, the most likely meaning) or that this sequence of 20 steps is to occur in parallel with other operations (sequences, single steps, etc.) in the spec.

Presuming that one goal of writing this specification is to have it be comprehensible by readers who are new to the subject, I suggest that some rewording would be helpful.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A PR to the HTML spec is welcome, but I think it's pretty clear personally:

means those steps are to be run, one after another

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"In parallel" does not mean "in sequence", no matter what spec is written as if it does.

Also, I highly doubt that most readers of this spec will go to the HTML spec, so while I may well submit a PR there (if I can find where to do so; it wasn't obvious when I looked for it yesterday), I think it better to provide more clarity in the FedCM spec.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For better or worse, "in parallel" is an existing term in specland. Ted, do you have a specific suggestion for how to improve this?

In general we should assume that readers either know what these terms mean or click through to their definition, IMO.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(https://github.com/whatwg/html/blob/main/source is where you would send PRs for the HTML spec)

Copy link
Contributor

@TallTed TallTed Nov 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, GitHub's web interface (my primary tool) can't handle docs the size of that WHATWG source. But, I was able to view it, and noted the "parallel queue".

<p>A <dfn export>parallel queue</dfn> represents a queue of algorithm steps that must be run in 
series.</p>

I think that's a more apt description of this 20-step sequence. Something like

Suggested change
1. Assert: These steps are running [=in parallel=].
1. Assert: These steps comprise a [=parallel queue=] that should run [=in parallel=] with any other active algorithms and/or [=parallel queues=].

(That does presume that plurals of defined terms are properly handled; the last might need change from [=parallel queues=] to [=parallel queue=].)

I've added a note to whatwg/html#10049, but noting that they have 1923 open issues and 169 pending pull requests, I don't have high hopes of it being addressed in a timely fashion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@domenic — Your thumb-down emoji doesn't communicate even as well as the "in parallel" that is meant to be understood as some language other than English. If you have an argument against my points, please do me the courtesy of writing it out.

1. Let |metadata| be the result of running [=fetch the client metadata=] with |config|,
|provider|, and |globalObject|.
Expand All @@ -1299,6 +1328,12 @@ an {{IdentityProviderAPIConfig}} |config|, an {{IdentityProviderRequestOptions}}
the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link.
1. The user agent MAY use the {{IdentityCredentialRequestOptions/context}} to customize the
dialog shown.
1. If |modeSettings|.{{IdentityProviderModeSettings/supports_use_other_account}} is true,
the account chooser MUST provide an affordance to use another account unless such an
affordance was provided in a previous step (e.g. if [=select an account=] was
invoked). If that affordance is triggered:
1. [=Show an IDP login dialog=] with |config|, |provider| and |globalObject|.
cbiesinger marked this conversation as resolved.
Show resolved Hide resolved
1. If that returned success, go back to the [=fetch accounts step=].
cbiesinger marked this conversation as resolved.
Show resolved Hide resolved
1. If the user does not grant permission, return false.
1. [=Create a connection between the RP and the IdP account=] with |provider|, |account|, and
|globalObject|.
Expand Down
Loading