Mozilla recommends in its implementors guide for Persona that you call navigator.id.logout() in the JavaScript if the assertion fails to verify. This can be easily checked in a jQuery request like in the demo in their quick setup guide.
In commit c33d228 as part of issue #8, the Ajax call was replaced by a form submission, which as far as I understand makes this type of checking difficult. Could you explain why this was done, because I do not fully understand the motivation in issue #8?
In its current state, if the assertion failed to verify for any reason, pyramid_persona will show the login view with an HTTP 400 header to the user. However, Persona now believes that the user should be logged in and so if the user revisits a forbidden view (or, presumably, any page with a login button), it will attempt an automatic login which will fail again. Until the user manually removes some cookies from login.persona.org, the entire web app might be unusable.
The form submission was initially done to allow the application writer to easily change the login view and redirect the user wherever they wanted. I've just rewritten that part to have the same feature with an Ajax call, so that I can now call navigator.id.logout() in case of failure. This should fix the problem.
I'll make a release for this in a few days if there are no further problems with this.
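The behaviour discussed in this thread, sketched as an added example that is not pyramid_persona's code and not part of either post: the onlogin handler sends the assertion by Ajax and calls logout() on the Persona object whenever the server does not confirm it. The `postJson` helper, the `/login` URL and the `{email: ...}` reply shape are assumptions; the stubs stand in for navigator.id and the network so the flow runs outside a browser.

```javascript
// Added example, not pyramid_persona's code. `postJson`, `verifyUrl` and the
// `{email: ...}` reply shape are assumptions made for this sketch.
function makeWatchHandlers(id, postJson, verifyUrl, onLoggedIn) {
  return {
    // Persona calls onlogin after a click on the login button AND on later
    // page loads for as long as it believes the user is signed in.
    onlogin: function (assertion) {
      postJson(verifyUrl, { assertion: assertion }, function (status, body) {
        if (status === 200 && body && typeof body.email === 'string') {
          onLoggedIn(body.email);
          return;
        }
        // The server rejected the assertion (e.g. the HTTP 400 case). Clear
        // Persona's idea of the session so it stops retrying automatically.
        id.logout();
      });
    },
    onlogout: function () {
      // Server-side session teardown would go here.
    }
  };
}

// Constructed stand-ins for navigator.id and the Ajax helper, so the flow
// can be exercised outside a browser.
function simulate(status, body) {
  var result = { logoutCalls: 0, user: null };
  var fakeId = { logout: function () { result.logoutCalls += 1; } };
  var fakePost = function (url, data, done) { done(status, body); };
  var handlers = makeWatchHandlers(fakeId, fakePost, '/login', function (email) {
    result.user = email;
  });
  handlers.onlogin('constructed-assertion');
  return result;
}

// In a page: navigator.id.watch({ loggedInUser: null,
//   onlogin: handlers.onlogin, onlogout: handlers.onlogout });
console.log(simulate(400, null));
console.log(simulate(200, { email: 'alice@example.org' }));
```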