Identity/Features/NativeSignInToWebsite

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Status

Native Sign In to Website
Stage Development
Status In progress
Release target `
Health OK
Status note `

Team

Product manager `
Directly Responsible Individual `
Lead engineer Austin King (ozten)
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead Zhenshuo Fang
Product marketing lead `
Operations lead `
Additional members Matthew Noorenberghe (Desktop)

Open issues/risks

`

Stage 1: Definition

1. Feature overview

Implement the UI/UX to allow signing into a website with BrowserID natively in the browser.

2. Users & use cases

See https://wiki.mozilla.org/Kilimanjaro/ProductDraft#All_your_devices_recognize_you_and_enable_access_to_your_ID-attached_services

3. Dependencies

bug 753238 - Core Identity Module

4. Requirements

`

Non-goals

Sign in to the Browser

Stage 2: Design

5. Functional specification

`

6. User experience design

Desktop Ideas:

  • Australis-SignInToSites.jpg
  • PersonaIDNative2.jpg

Stage 3: Planning

7. Implementation plan

  • bug 764213 - Implement provisional Desktop UI for website sign-in with Persona
  • bug 767276 - Implement Fennec UI for website sign-in with Persona

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

The UI module should listen for the following observer notifications:

Subject Topic Data Description
wrappedJSObject: { 
  rpId: 999,
  origin: "https://www.example.com",
  // Properties below may not be provided:
  privacyPolicy: "https://www.example.com/pp",
  termsOfService: "https://www.example.com/tos",
}
identity-request
null
The user has requested to login to the site with the given origin on the frame with outerWindowId = rpId. Show an identity selector using RP.getIdentitiesForSite(origin) and provide a way to choose a new identity (requiring a valid email address). The origin of the RP should be shown in the UI along with privacy policy and terms of service links (if URLS are provided). Call selectIdentity(rpId, identity) with the identity the user selected. The should not close immediately upon identity selection as there may be errors which should be shown to the user (ie. NXDOMAIN). Error delivery mechanism TBD soon.
wrappedJSObject: { 
  provId: 999,
}
identity-auth https://www.example.com/auth (Authentication URI) The user needs to authenticate with their IDP. Open UI with a content frame displaying the content at the authentication URI so that the user can authenticate with their IDP. The origin and any security indicators (ie. mixed content) should be present. IDP.setAuthenticationFlow(outerWinId, provId) must be called with the outerWindowId (= the authentication ID) for the frame before starting to load the authentication URL so that the DOM API knows that calls from that frame are for the authentication flow. That is: open the frame, call setAuthenticationFlow, then load the URI in that frame.
null
identity-auth-complete Authentication ID Authentication (initiated from identity-auth) is now complete. Destroy the frame created to display the authentication page.
wrappedJSObject: { 
  rpId: 999,
}
identity-login-state-changed The identity (ie. user@example.com) for the specified origin or null if the user logged out. If data is provided, the user is now logged in as that identity:
  • Remove any request UI (leftover from an incomplete identity-request
  • Show UI indicating that the user is logged into the website with the given rpId. UI to logout via RP.logout(rpId) may also be provided.

Otherwise, the user has logged out:

  • Update UI to reflect the logged out state.


The UI should call the following methods:

  • IdentityService.RP.getIdentitiesForSite(origin);
  • IdentityService.selectIdentity(rpId, identity);
  • IdentityService.RP.logout(rpId);
  • IdentityService.IDP.setAuthenticationFlow(authId, provId);

Stage 5: Release

10. Landing criteria

`

The given value "The UI module should listen for the following observer notifications:


Subject Topic Data Description


wrappedJSObject: { 
  rpId: 999,
  origin: "https://www.example.com",
  // Properties below may not be provided:
  privacyPolicy: "https://www.example.com/pp",
  termsOfService: "https://www.example.com/tos",
}

identity-request

null

The user has requested to login to the site with the given origin on the frame with outerWindowId = rpId. Show an identity selector using RP.getIdentitiesForSite(origin) and provide a way to choose a new identity (requiring a valid email address). The origin of the RP should be shown in the UI along with privacy policy and terms of service links (if URLS are provided). Call selectIdentity(rpId, identity) with the identity the user selected. The should not close immediately upon identity selection as there may be errors which should be shown to the user (ie. NXDOMAIN). Error delivery mechanism TBD soon.


wrappedJSObject: { 
  provId: 999,
}

identity-auth https://www.example.com/auth (Authentication URI) The user needs to authenticate with their IDP. Open UI with a content frame displaying the content at the authentication URI so that the user can authenticate with their IDP. The origin and any security indicators (ie. mixed content) should be present. IDP.setAuthenticationFlow(outerWinId, provId) must be called with the outerWindowId (= the authentication ID) for the frame before starting to load the authentication URL so that the DOM API knows that calls from that frame are for the authentication flow. That is: open the frame, call setAuthenticationFlow, then load the URI in that frame.


null

identity-auth-complete Authentication ID Authentication (initiated from identity-auth) is now complete. Destroy the frame created to display the authentication page.


wrappedJSObject: { 
  rpId: 999,
}

identity-login-state-changed The identity (ie. user@example.com) for the specified origin or null if the user logged out. If data is provided, the user is now logged in as that identity:

  • Remove any request UI (leftover from an incomplete identity-request
  • Show UI indicating that the user is logged into the website with the given rpId. UI to logout via RP.logout(rpId) may also be provided.

Otherwise, the user has logged out:

  • Update UI to reflect the logged out state.



The UI should call the following methods:

  • IdentityService.RP.getIdentitiesForSite(origin);
  • IdentityService.selectIdentity(rpId, identity);
  • IdentityService.RP.logout(rpId);
  • IdentityService.IDP.setAuthenticationFlow(authId, provId);" contains strip markers and therefore it cannot be parsed sufficiently.

Feature details

Priority `
Rank 999
Theme / Goal Connect
Roadmap Mozilla Identity
Secondary roadmap Mozilla Identity
Feature list Desktop
Project `
Engineering team Identity

Team status notes

  status notes
Products ` `
Engineering ` `
Security sec-review-needed `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `