Too long ago I wrote about an Javascript API for openid:
all those NASCARs
To repeat the main points:
Sites currently have no easy way to detect support for openid
The site can detect support for openid like so:
if (window.openid) { don't show the nascar }The DOM level API that allows the site to query the preferred identity provider looks like this:
window.openid.getPreferredOpenidProvider(callback);In a world of oauth2 and openid connect this could be generalized to:
https://openid.net/specs/openid-connect-standard-1_0.html#rf_prep
var parameters = {}; parameters.response_type="id_token"; parameters.client_id="https://server.example.com/seminar/callback.html"; parameters.request = "eyJhbGciOiJSUzI1NiIsIng1dSI6Imh0dHBzOlwvXC9nYWJ1bm9taS5uZXRcL3NlbWluYXJcL3JzYV9wdWJsaWNfa2V5LnBlbSJ9.ewoJInJlc3BvbnNlX3R5cGUiOiAiaWRfdG9rZW4iLAoJInNjb3BlIjogIm9wZW5pZCIsCgkiY2xpZW50X2lkIjogImh0dHBzOi8vZ2FidW5vbWkubmV0L3NlbWluYXIvY2FsbGJhY2suaHRtbCIsCgkicG9saWN5X3VybCI6ICJodHRwczovL2dhYnVub21pLm5ldC9zZW1pbmFyL3BvbGljeS5odG1sIiwKCSJ1c2VyaW5mbyI6IHsKCQkiY2xhaW1zIjogewoJCQkibmFtZSI6IG51bGwsCgkJCSJlbWFpbCI6IG51bGwsCgkJCSJwaWN0dXJlIjogbnVsbAoJCX0KCX0sCgkicmVnaXN0cmF0aW9uIjogewoJCSJhcHBsaWNhdGlvbl9uYW1lIjogIlNhbXBsZSBTZW1pbmFyIiwKCQkibG9nb191cmwiOiAiaHR0cHM6Ly9nYWJ1bm9taS5uZXQvc2VtaW5hci9sb2dvLnBuZyIsCgkJIng1MDlfdXJsIjogImh0dHBzOi8vZ2FidW5vbWkubmV0L3NlbWluYXIvcnNhX3B1YmxpY19rZXkucGVtIgoJfQp9Cg.Faytuhwb2W4CWVz2-10umSieh-bqR7QXqU0bNF39u_D0mGoBD4e3X2b4jZNqPvPADSnQhlBGSJu189iFM5bwFzchnO-quCpj7T2CK_-wkrpL5LUn_WHYMmYlFadmb-a1p-TEo7exU9azMS9cT70-kHNqmTaJziZyiAMoJ0Q4TtyTt1Xbkknc_CQRug3ilNv3bEXSlOlva3HUOY7jQIbYMB3jDL3QxS1wbVYNAjOxCxCDmiNAUJA-BkYe6Tpyj-DUs57IM4wQSp64sqim8RqirJJfFb4bCbNTkC3G8sYfN2_1-qEDpOnWW7N3gjl174TWHbnzVLAZGg_rZm58-wHOLw"; parameters.state="509b9cafd3119"; parameters.nonce="509b9cafd34fd"; window.openid.connect(parameters, oc_callback);The callback
oc_callbackwould be called with one parameter.
function oc_callback(resp) { // resp contains a signed then encrypted id_token in jw-* format // https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature // state and nonce are inside the resp parameter too // need a private key to decrypt it so forward it to my own validation endpoint $.post("validate.php", { resp: resp }, function(id_token) { alert("returned id_token: " + id_token); }); }The general idea is: put all http request parameters which are defined in openid connect into the request object. Put all the http respones parameters into the response object.
I think we need an Javascript API for identity that is supported by browsers. BrowserID/Persona and AccountChooser do something in this direction but not enough.