Friday, October 24, 2008

XMLDAP XRDS

The XMLDAP relying party is now updated to provide XRDS data.

Notice the Information Card icon in the lower right corner in the status-bar of the browser.

You can start the card selector either through the sidebar - by dragging a card to the main window - or by clicking the Information Card icon. You need the latest version of the openinfocard id selector.

You may be wondering what the difference between the next and the previous image is.
I created a second card and used it at the xmldap relying party too.
The new claims were added to the previous set of claims. The claim "locality == Berlin" is new.

This image shows that the claim set was cleared. The relying party has forgotten the privacy data after the "Clear privacy data" button was pressed.

THIS IS THE USER EXPERIENCE YOU WANT. DEATH TO USERNAME/PASSWORD.

Thursday, October 16, 2008

Information Card XRDS with Information Card Icon

Please note the small Information Card icon in the status-bar in the lower-right corner of the browser window.

If no Information Cards are accepted by the site then the icon has a little red cross.

If Information Cards are accepted by the site then the Information Card icon is shown.

You can click on the icon to start the identity selector.

Wednesday, October 15, 2008

Information Cards with XRDS

In former posts in this blog I stated that I find the use of the HTML object element for Information Cards "not optimal". The main reason is that the object element is intended to provide a means to render media like Flash, PDF, videos, sound etc. The second reason is that Mozilla requires that object elements are handled by a plugin instead of add-ons (and plugins are platform dependent).

In other posts I described a way to use XRDS to eliminate the object element.
Now, finally, I found some time to implement this in the openinfocard information card selector and the xmldap relying party.

First, here is how this looks.

The user surfs to the relying party.

She opens the card selector in the browser's sidebar (Ctrl-Shift-i).

She drags a card onto the main window and the card selector starts.

The relying party now shows the posted token.


This is really cool. No more javascript kungfu to detect the card selector.
Detecting the presence of the selector and acting appropriately is not that easy for a relying party. Now this task simply goes away. No more hiding of the missing-plugin warning.

Well, there is certainly room for improvement. The openinfocard selector in the current (unpublished) version does not indicate to the user that claims are acceptable at the RP. But I can change this easily. My current favorite to indicate this is a floating Information Card Icon in some corner of the browser window but maybe a more subtle way is more appropriate. A small information card icon on the right side in the address bar or somewhere in the bar at the bottom of the Firefox window??? Or the sidebar could open automatically...

How does this work?
1) The relying party's HTML contains a link element that points to an XRDS file, which is retrieved by the openinfocard Firefox add-on.
<link rel="xrds.metadata" href="?xmldap_rp.xrds"/>
In this example the href is a URL relative to the current document, but the href can be absolute too.
2) The openinfocard add-on retrieves the xrds.metadata document.
<XRDS xmlns="xri://$xrds">
  <XRD version="2.0" xmlns="xri://$XRD*($v*2.0)">
    <Type>xri://$xrds*simple</Type>
    <Service>
      <Type>http://infocardfoundation.org/policy/1.0/login</Type>
      <URI>https://w4de3esy0069028.gdc-bln01.t-systems.com:8443/relyingparty/?login.xml</URI>
    </Service>
    <Service>
      <Type>http://infocardfoundation.org/policy/1.0/registration</Type>
      <URI>https://w4de3esy0069028.gdc-bln01.t-systems.com:8443/relyingparty/registration.xml</URI>
    </Service>
    <Service>
      <Type>http://infocardfoundation.org/service/1.0/login</Type>
      <URI>https://w4de3esy0069028.gdc-bln01.t-systems.com:8443/relyingparty/link.jsp</URI>
    </Service>
    <Service>
      <Type>http://infocardfoundation.org/service/1.0/registration</Type>
      <URI>https://w4de3esy0069028.gdc-bln01.t-systems.com:8443/relyingparty/registration</URI>
    </Service>
  </XRD>
</XRDS>

3) The openinfocard add-on retrieves the document for the service of type "http://infocardfoundation.org/policy/1.0/login".

This document is simply our old foe the object element:
<object type="application/x-informationcard" name="xmlToken">
  <param name="privacyUrl" value="https://w4de3esy0069028.gdc-bln01.t-systems.com:8443/relyingparty/?privacy.txt"/>
  <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  <param name="optionalClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"/>
  <param name="privacyVersion" value="1"/>
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
</object>


Instead of the object I could have used a relying party issuerPolicy document, but I wanted to keep things simple.
4) When an information card is dragged onto the main browser window, the login policy is parsed and the selector is called with the parameters. The add-on could even call CardSpace...
5) The security token from the card selector is posted to the service of xrds type "http://infocardfoundation.org/service/1.0/login".
6) The relying party interprets the token and returns nothing.
7) The openinfocard add-on directs the browser to the login-service URL.
8) The relying party can show the claims to the user, or do whatever it considers appropriate with the new claim information (e.g. offer new payment options).
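The discovery chain in steps 1 to 3 (link element, XRDS document, login policy, post URI), as an added example in Python using only the standard library. This is not code from openinfocard or the xmldap relying party. The function names, the host rp.example:8443 in the constructed documents, the offline fetch stub and the https/same-host check on service URIs are assumptions made here; the post itself does not specify that check.

```python
"""Added example, not code from openinfocard or the xmldap relying party:
the discovery chain (link element -> XRDS -> login policy -> post URI)
with the Python standard library. Assumptions not taken from the post:
the function names, the host rp.example:8443 in the constructed sample
documents, the offline fetch stub, and the https/same-host check on
service URIs (a sanity check added here, not something the post requires).
Note: xml.etree does not defend against entity-expansion attacks; for
untrusted XRDS in production, parse with defusedxml instead."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$XRD*($v*2.0)"
POLICY_LOGIN = "http://infocardfoundation.org/policy/1.0/login"
SERVICE_LOGIN = "http://infocardfoundation.org/service/1.0/login"
CLAIM_LIST_PARAMS = ("requiredClaims", "optionalClaims")
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample documents (the hostname is made up).
RP_URL = "https://rp.example:8443/relyingparty/"
RP_HTML = '<html><head><link rel="xrds.metadata" href="?xmldap_rp.xrds"/></head></html>'
XRDS_DOC = f"""<XRDS xmlns="{XRDS_NS}">
  <XRD version="2.0" xmlns="{XRD_NS}">
    <Type>xri://$xrds*simple</Type>
    <Service><Type>{POLICY_LOGIN}</Type><URI>{RP_URL}?login.xml</URI></Service>
    <Service><Type>{SERVICE_LOGIN}</Type><URI>{RP_URL}link.jsp</URI></Service>
  </XRD>
</XRDS>"""
POLICY_DOC = f"""<object type="application/x-informationcard" name="xmlToken">
  <param name="privacyUrl" value="{RP_URL}?privacy.txt"/>
  <param name="requiredClaims" value="{CLAIMS}privatepersonalidentifier {CLAIMS}givenname"/>
  <param name="optionalClaims" value="{CLAIMS}locality"/>
  <param name="privacyVersion" value="1"/>
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
</object>"""


class _XrdsLink(HTMLParser):
    """Collects the first <link rel="xrds.metadata"> href (step 1)."""
    def __init__(self):
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.href is None and tag == "link" and a.get("rel") == "xrds.metadata":
            self.href = a.get("href")


def find_xrds_url(page_url, html):
    """Absolute URL of the XRDS document, or None if the page carries no link."""
    p = _XrdsLink()
    p.feed(html)
    return None if p.href is None else urljoin(page_url, p.href)


def parse_xrds_services(xrds_xml):
    """Map each <Service><Type> to its <URI> (step 2)."""
    root = ET.fromstring(xrds_xml)
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise ValueError("not an XRDS document")
    services = {}
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        uri = (svc.findtext(f"{{{XRD_NS}}}URI") or "").strip()
        for t in svc.findall(f"{{{XRD_NS}}}Type"):
            if t.text and uri:
                services.setdefault(t.text.strip(), uri)
    return services


def parse_login_policy(object_xml):
    """Turn the object element's params into a dict (step 3); the two
    claim-list params are split on whitespace into claim URIs."""
    obj = ET.fromstring(object_xml)
    if obj.tag != "object" or obj.get("type") != "application/x-informationcard":
        raise ValueError("not an Information Card object element")
    policy = {}
    for p in obj.findall("param"):
        name, value = p.get("name"), p.get("value", "")
        policy[name] = value.split() if name in CLAIM_LIST_PARAMS else value
    return policy


def service_uri_ok(page_url, uri):
    """Added check: accept only https service URIs on the RP's own host:port,
    so the token is never posted to an origin other than the page's."""
    rp, s = urlsplit(page_url), urlsplit(uri)
    return s.scheme == "https" and s.netloc == rp.netloc


def discover(page_url, html, fetch):
    """Steps 1-3 end to end. fetch(url) -> str is injected so this runs offline.
    Returns None when the site accepts no cards (the red-cross icon case)."""
    xrds_url = find_xrds_url(page_url, html)
    if xrds_url is None:
        return None
    services = parse_xrds_services(fetch(xrds_url))
    policy_uri, post_uri = services.get(POLICY_LOGIN), services.get(SERVICE_LOGIN)
    if not policy_uri or not post_uri:
        return None
    for u in (policy_uri, post_uri):
        if not service_uri_ok(page_url, u):
            raise ValueError("service URI rejected: " + u)
    return {"policy": parse_login_policy(fetch(policy_uri)), "post_to": post_uri}


def offline_fetch(url):
    """Stand-in for the add-on's HTTP fetch, serving the constructed documents."""
    return {RP_URL + "?xmldap_rp.xrds": XRDS_DOC, RP_URL + "?login.xml": POLICY_DOC}[url]


if __name__ == "__main__":
    print(discover(RP_URL, RP_HTML, offline_fetch))
```

The result of discover() is exactly what step 4 needs when a card is dropped: the parsed policy goes to the selector, and post_to is where the returned token is sent in step 5.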

What do you think about this?

Tuesday, October 14, 2008

Web 2.0 Expo Europe Next Week in Berlin

This morning I found an advertisement for next week's Web 2.0 Expo Europe in my daily newspaper.
I find it interesting that the organizers find it money well spent to have an ad in a "normal" newspaper. A quarter of the first page of the business section probably costs some money.

I will not attend the conference but will probably visit the expo, although I would like to go to the conference too. There are some interesting talks and sessions. My brazen request for a blogger/press pass was rightly declined. See you at the Web 2.0 Summit in November and of course the Internet Identity Workshop 2008b.