
Add domainHint to the spec (#512)
* Add domainHint to the spec

* b

* b

* Review
npm1 authored Jan 2, 2024
1 parent 87e8ca6 commit 828e96b
Showing 1 changed file with 48 additions and 9 deletions.
57 changes: 48 additions & 9 deletions spec/index.bs
Expand Up @@ -153,7 +153,7 @@ could be implemented.
providers: [{
configURL: "https://idp.example/manifest.json",
clientId: "123",
nonce: nonce
nonce: nonce,
}]
}
});
Expand Down Expand Up @@ -740,6 +740,7 @@ dictionary IdentityProviderConfig {
dictionary IdentityProviderRequestOptions : IdentityProviderConfig {
USVString nonce;
DOMString loginHint;
DOMString domainHint;
};
</xmp>

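Review bot: the new member is declared on IdentityProviderRequestOptions (`DOMString domainHint;`), but every other place in this change links it as {{IdentityProviderConfig/domainHint}}; that Bikeshed autolink looks for a dict-member of IdentityProviderConfig, which does not define one, so the references will not find this definition. Link it as {{IdentityProviderRequestOptions/domainHint}} throughout, matching how loginHint is linked in the filtering step (`{{IdentityProviderRequestOptions/loginHint}}`), or move the member to IdentityProviderConfig if that is the intent.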
Expand All @@ -757,6 +758,11 @@ dictionary IdentityProviderRequestOptions : IdentityProviderConfig {
agent to show to the user. If provided, the user agent will not show accounts which do not
match this login hint value. It generally matches some attribute from the desired
{{IdentityProviderAccount}}.
: <b>{{IdentityProviderConfig/domainHint}}</b>
:: A string representing the domain hint corresponding to a domain which the [=RP=] is
interested in, or "any" if the [=RP=] wants any account associated with at least one domain
hint. If provided, the user agent will not show accounts which do not match the domain hint
value.
</dl>

<!-- ============================================================ -->
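Review bot: the literal string "any" is reserved by this definition, so an IdP can never publish a domain hint whose value is "any"; that restriction should be stated here and on the domain_hints member. The description should also say how matching works (an exact string match against the account's {{IdentityProviderAccount/domain_hints}}, which is what the filtering step below implements), and "at least one domain hint" is clearer as "any account that has at least one domain hint".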
Expand Down Expand Up @@ -871,7 +877,7 @@ the exception thrown.
1. Let |config| be the result of running [=fetch the config file=]
with |provider| and |globalObject|.
1. If |config| is failure, return (failure, true).
1. [=Show an IDP login dialog=] with |config|.
1. [=Show an IDP login dialog=] with |config| and |provider|.
1. If that algorithm returns failure, return (failure, true).

Issue: We should perhaps provide a way to let the [=RP=] request that
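Review bot: the call `[=Show an IDP login dialog=] with |config| and |provider|` passes two arguments, but the algorithm as rewritten in this change takes three (a |config|, a |provider| and a |globalObject|) and queues a task on |globalObject|; pass |globalObject| here, which is in scope because the preceding step fetches the config file with it.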
Expand Down Expand Up @@ -901,8 +907,8 @@ the exception thrown.
1. <dfn>Mismatch dialog step</dfn>: If |loginStatus| is [=logged-in=], show a
dialog to the user. The contents of this dialog are defined by the user
agent. This dialog SHOULD provide an affordance for the user to trigger
the [=show an IDP login dialog=] algorithm with |config|; this dialog
is the <dfn>confirm IDP login dialog</dfn>.
the [=show an IDP login dialog=] algorithm with |config| and |provider|;
this dialog is the <dfn>confirm IDP login dialog</dfn>.

Note: This situation happens when the browser expects the user
to be signed in, but the accounts fetch indicated that the user
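Review bot: the invocation `the [=show an IDP login dialog=] algorithm with |config| and |provider|` omits the |globalObject| argument that the algorithm's new signature requires for its queued task; add it so the mismatch dialog path has a global to queue on.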
Expand Down Expand Up @@ -932,6 +938,15 @@ the exception thrown.
{{IdentityProviderAccount/login_hints}} does not [=list/contain=] |provider|'s
{{IdentityProviderRequestOptions/loginHint}}.
1. If |accountList| is now empty, go to the [=mismatch dialog step=].
1. If |provider|'s {{IdentityProviderConfig/domainHint}} is not empty:
1. For every |account| in |accountList|:
1. If {{IdentityProviderConfig/domainHint}} is "any":
1. If |account|'s {{IdentityProviderAccount/domain_hints}} is empty, remove
|account| from |accountList|.
1. Otherwise, remove |account| from |accountList| if |account|'s
{{IdentityProviderAccount/domain_hints}} does not [=list/contain=] |provider|'s
{{IdentityProviderConfig/domainHint}}.
1. If |accountList| is now empty, go to the [=mismatch dialog step=].
1. For each |acc| in |accountsList|:
1. If |acc|["{{IdentityProviderAccount/picture}}"] is present, [=fetch the account picture=]
with |acc| and |globalObject|.
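Review bot: the loop removes |account| from |accountList| while iterating over it (`For every |account| in |accountList|:` followed by `remove |account| from |accountList|`), which leaves the behaviour for the element after a removal unspecified; collect the accounts to keep into a new list, or iterate over a clone and remove from the original. The `If {{IdentityProviderConfig/domainHint}} is "any":` test depends only on |provider|, not on |account|, so it belongs outside the loop. Minor: the unchanged step that follows iterates `|accountsList|` while the list being filtered is `|accountList|`.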
Expand Down Expand Up @@ -1206,6 +1221,7 @@ dictionary IdentityProviderAccount {
USVString picture;
sequence<USVString> approved_clients;
sequence<DOMString> login_hints;
sequence<DOMString> domain_hints;
};
dictionary IdentityProviderAccountList {
sequence<IdentityProviderAccount> accounts;
Expand Down Expand Up @@ -1487,10 +1503,27 @@ and a |responseBody|, run the following steps. This returns an [=ordered map=].
</div>

<div algorithm>
To <dfn>show an IDP login dialog</dfn> given an {{IdentityProviderAPIConfig}} |config|, run
the following steps. This returns success or failure.
1. [=Create a fresh top-level traversable=] with URL
To <dfn>show an IDP login dialog</dfn> given an {{IdentityProviderAPIConfig}} |config|, an
{{IdentityProviderConfig}} |provider|, and a |globalObject|, run the following steps. This returns
success or failure.
1. Assert: these steps are running [=in parallel=].
1. Let |loginUrl| be null.
1. [=Queue a global task=] on the [=DOM manipulation task source=] given |globalObject| to set
|loginUrl| to the result of running [=url parser=] with
|config|.{{IdentityProviderAPIConfig/login_url}}.
1. Wait until |loginUrl| is not null.
1. Assert: |loginUrl| is not failure (the [=user agent=] has previously checked that
|config|.{{IdentityProviderAPIConfig/login_url}} is a valid URL).
1. Let |queryList| be a new [=list=].
1. If |provider|'s {{IdentityProviderConfig/loginHint}} is not empty, [=list/append=]
("login_hint", {{IdentityProviderConfig/loginHint}}) to |queryList|.
1. If |provider|'s {{IdentityProviderConfig/domainHint}} is not empty, [=list/append=]
("domain_hint", {{IdentityProviderConfig/domainHint}}) to |queryList|.
1. If |queryList| is not [=list/empty=]:
1. Let |queryParameters| be the result of the [=urlencoded serializer=] with |queryList|.
1. If |loginUrl|'s [=url/query=] is not null or empty, prepend "&" to |queryParameters|.
1. Append |queryParameters| to |loginUrl|'s [=url/query=].
1. [=Create a fresh top-level traversable=] with |loginUrl|.
1. The user agent MAY [=set up browsing context features=] or otherwise
affect the presentation of this traversable in an implementation-defined
way.
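Review bot: the condition `If |loginUrl|'s [=url/query=] is not null or empty, prepend "&"` reads as "(not null) or (empty)", which would prepend "&" to an empty query and yield `?&login_hint=...`; it should say "is neither null nor the empty string". The next step appends |queryParameters| to the query, but when the query is null the result is undefined; set the query to |queryParameters| in that case. The tuples are also written as `("login_hint", {{IdentityProviderConfig/loginHint}})` without `|provider|'s`, so the value being serialized is not bound to the variable tested one line earlier. Finally, since this is the step at which RP-supplied loginHint and domainHint values leave the user agent and reach the IdP as query parameters, the prose should state that the login dialog is only opened on a path the user has triggered, as the confirm IDP login dialog affordance implies.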
Expand Down Expand Up @@ -1856,6 +1889,10 @@ Every {{IdentityProviderAccount}} is expected to have members with the following
:: A list of strings which correspond to all of the login hints which match with this account.
An [=RP=] can use the {{IdentityProviderRequestOptions/loginHint}} to request that only an account
matching a given value is shown to the user.
: <dfn>domain_hints</dfn>
:: A list of strings which correspond to all of the domain hints which match with this account.
An [=RP=] can use the {{IdentityProviderConfig/domainHint}} to request that only an account
matching a given value or containing some domain hint is shown to the user.
</dl>

For example:
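Review bot: "containing some domain hint" is vague; say explicitly that passing "any" selects accounts whose domain_hints list is non-empty, which is what the filtering algorithm does, and that the value "any" is therefore reserved and must not appear in an account's domain_hints.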
Expand All @@ -1870,15 +1907,17 @@ For example:
"email": "john_doe@idp.example",
"picture": "https://idp.example/profile/123",
"approved_clients": ["123", "456", "789"],
"login_hints": ["john_doe"]
"login_hints": ["john_doe"],
"domain_hints": ["idp.example"],
}, {
"id": "5678",
"given_name": "Johnny",
"name": "Johnny",
"email": "johnny@idp.example",
"picture": "https://idp.example/profile/456",
"approved_clients": ["abc", "def", "ghi"],
"login_hints": ["email=johhny@idp.example", "id=5678"]
"login_hints": ["email=johhny@idp.example", "id=5678"],
"domain_hints": ["idp.example"],
}]
}
```
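Review bot: both added lines end with a trailing comma before the closing brace (`"domain_hints": ["idp.example"],` followed by `}, {` and by `}]`), which is not valid JSON; since this block illustrates the accounts endpoint response body, drop the commas. The unchanged context line `"email=johhny@idp.example"` also misspells johnny and could be fixed in the same change.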
