This repository has been archived by the owner. It is now read-only.

"keep me signed in" #490

Closed
lloyd opened this Issue Oct 26, 2011 · 5 comments

lloyd commented Oct 26, 2011

The user should be able to stay signed into a site if they like.

At the time a user selects an email address to sign into a site, they should be provided a checkbox that they can click to choose to stay signed into the site.

This checkbox will cause assertions to be automatically issued subsequently, without user prompting.

This feature will require UX feedback, and new APIs. Specifically, getVerifiedEmail() is no longer sufficient, as with this new feature several things change:

  • it becomes possible to get an assertion without user interaction, something that can occur outside a click handler (ben adida suggests adding an 'immediate' option to the getVerifiedEmail() call, lloyd suggests a new, distinct function)
  • there must be a user discoverable way to undo this setting, probably on the manage page
  • the RP must be able to tell browserid when the user logs out

@ghost ghost assigned shane-tomlinson Oct 27, 2011

lloyd commented Oct 27, 2011

shane and lloyd agree, we now need navigator.id.logout();

lloyd commented Oct 28, 2011

Suggest the following API changes:

  • add navigator.id.getIdentityAssertion(<callback>) which may be invoked anywhere in the calling page (even outside of a click handler, usually at load time) and invokes the callback with an assertion corresponding to the identity that the user has chosen to share with the site.
  • add navigator.id.promptForIdentity([options], <callback>), which prompts the user and asks them for an identity to share with the calling site. The user will always be prompted, even if they have specified "keep me signed in" in the dialog previously. This function MUST be invoked from a click handler.
  • add navigator.id.logout() which indicates to browserid that the user has chosen to log out of their site, and that BrowserID should purge any persistent authentication preferences related to this site.
  • change navigator.id.getVerifiedEmail() to invoke navigator.id.getIdentityAssertion() then if that fails, automatically invoke navigator.id.promptForIdentity()

A final implementation proposal - all persistent sign in is device local to start, it's cleared when you clear browsing data, and is cleared locally when you log out from a site. It works exactly as cookies do today (which the user is used to).
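
The semantics proposed in the comment above, modeled as an added example (not part of the original comment and not BrowserID's code). Only the four navigator.id method names come from the proposal; makeBrowserId, env, promptUser, the Map used as device-local storage and the assertion object are hypothetical stand-ins.

```javascript
// Added model of the proposed semantics; not BrowserID's implementation.
// Hypothetical: makeBrowserId, env, promptUser, the Map store, the assertion object.
function makeBrowserId(env) {
  const { origin, store, promptUser } = env;
  const issue = (email) => ({ audience: origin, email }); // placeholder assertion
  const id = {
    // Silent path: usable at page load, never shows UI.
    getIdentityAssertion(callback) {
      const email = store.get(origin);
      callback(email ? issue(email) : null);
    },
    // Interactive path: always prompts, even when a preference is stored.
    promptForIdentity(options, callback) {
      if (!env.inClickHandler) throw new Error("promptForIdentity requires a click handler");
      const choice = promptUser(origin, options);
      if (!choice) return callback(null); // user dismissed the dialog
      if (choice.keepSignedIn) store.set(origin, choice.email);
      else store.delete(origin); // unchecking the box revokes silent sign-in
      callback(issue(choice.email));
    },
    // RP-initiated logout purges the preference for this site only.
    logout() { store.delete(origin); },
    // Compatibility wrapper: silent first, prompt only if that fails.
    getVerifiedEmail(callback) {
      id.getIdentityAssertion((a) => (a ? callback(a) : id.promptForIdentity({}, callback)));
    },
  };
  return id;
}

// Constructed scenario: two relying parties sharing one device-local store.
function runScenario() {
  const store = new Map();
  let prompts = 0;
  const promptUser = () => { prompts += 1; return { email: "user@example.test", keepSignedIn: true }; };
  const mk = (origin) => makeBrowserId({ origin, store, promptUser, inClickHandler: true });
  const siteA = mk("https://a.example"), siteB = mk("https://b.example");
  const out = {};
  siteA.getIdentityAssertion((a) => { out.beforeOptIn = a; }); // null: nothing stored yet
  siteA.promptForIdentity({}, () => {});
  siteB.promptForIdentity({}, () => {});
  siteA.getVerifiedEmail((a) => { out.afterOptIn = a; });      // silent, no new prompt
  out.promptsAfterOptIn = prompts;
  siteA.logout();
  siteA.getIdentityAssertion((a) => { out.afterLogout = a; }); // null: purged for A
  siteB.getIdentityAssertion((a) => { out.otherSite = a; });   // B's preference untouched
  return out;
}
```

In this model logout() is the only call a relying party can make to stop silent issuance, so a site that ends its own session without calling it would be signed back in at the next page load.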

jbonacci commented Nov 16, 2011

OK, so the current behavior I see right now is this:
If I log into beta.myfavoritebeer.org, I get automatically logged into diresworb.org.
If I log into diresworb.org first, I get automatically logged into beta.myfavoritebeer.org.

Now, with "Always sign in using this email" selected:
If I log out of beta.myfavoritebeer.org, I am still logged into diresworb.org.
If I log out of diresworb.org first, I am still logged into beta.myfavoritebeer.org.
If I log out of both, it's as if I am starting over.

If I log out of beta.myfavoritebeer.org now and click "This is not me", everything on both sites is reset, as expected.

Closing a browser and reopening it with "Always sign in using this email" selected results in saved sessions for both sites.

Closing a browser and logging out/logging in to OS works.

Closing a browser and restarting the OS works.

If I leave the pages open and close the browser, re-opening the browser brings up the same open sessions/pages.

If I "logout" first, then click Sign In again, I can see that "Always sign in using this email" is still checked.

If I "logout", then click Sign In and uncheck "Always sign in using this email", once I Sign Out, I need to reselect an email, as expected.

I will assume that if the user clears the browser cache, cookies, and/or data, this will clear out the setting and he/she will have to start over.

Tested Safari on Mac, IE9 on Windows so far.
Still need to check FF, Opera, Chrome, then on to iOS and Android.

jbonacci commented Nov 17, 2011

All desktop browser tests went well.
iPhone + iOS + Safari is done, current email sticks even after restarting Safari or restarting phone.
Similar results for Android, 2.2 firmware, Firefox (I had separate issues with stock browser).
