Labs/Weave/Identity/Account Manager/Spec/Mods


Required modifications to the AM specification (https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager/Spec/Latest)

  • It should be specified that the Account Management Realm must always be absolute regardless of whether it occurs in a link header or in a host metadata document.
  • Possibly issue a recommendation to UA implementors to surface parse errors in AMCD control documents or host-meta in the debugging console, to help adopters along when implementing
  • Static parameters in each method

For example:

...
"connect": {
    "method": "POST",
    "path": "/process-form",
    "params": {
        "username": "unam",
        "password": "pass"
    },
    "static-params": {
        "action": "connect"
    }
}

In the above example the connect call would always contain a parameter named 'action' with value 'connect'. This is useful for scripts that can receive POSTs from multiple forms which contain hidden fields to mark which form is which.

  • Dynamic parameters (e.g. for csrf protection)

This is somewhat similar to the above, but with values defined by scraping some document. Care must be taken, however, to only allow scraping documents within the realm (we don't want to allow site A to scrape site B).

For example:

"connect": {
    "method": "POST",
    "path": "/connect",
    "params": {
        "username": "unam",
        "password": "pass"
    },
    "scrape": {
        "method": "GET",
        "path": "/foo",
        "tokens": {
            "foo": "/foo[0]/[3]/bar",
            "bar": "blah/blah/blah"
        }
    }
}

The above example would GET the /foo resource and apply two XPath expressions to the document, then pass the results to the /connect method as 'foo' and 'bar' parameters. This would typically be used to scrape a CSRF token, for example.
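One way a user agent could enforce the realm restriction on `path` and `scrape.path` before sending anything, as an added example that is not part of the specification. It assumes the realm is an absolute URL and that "within the realm" means same origin plus the realm's path as a prefix; `resolveInRealm`, `planConnect` and the `www.example.com` realm are hypothetical names.

```javascript
// Added example, not from the spec. Assumption: the realm is an absolute URL
// and "within the realm" means same origin plus the realm's path as a prefix.
function resolveInRealm(realm, path) {
  let realmUrl;
  try {
    realmUrl = new URL(realm); // throws when the realm is not absolute
  } catch (e) {
    throw new Error("realm must be an absolute URL: " + realm);
  }
  // Resolve the way a user agent would, so absolute URLs, "//host/x" and
  // "../x" are normalised before they are compared with the realm.
  const target = new URL(path, realmUrl);
  const base = realmUrl.pathname;
  const prefix = base.endsWith("/") ? base : base + "/";
  const inPath = target.pathname === base || target.pathname.startsWith(prefix);
  if (target.origin !== realmUrl.origin || !inPath) {
    throw new Error("path leaves the realm: " + path);
  }
  return target.href;
}

// Hypothetical helper: work out where the scrape GET and the connect POST
// would go, rejecting the whole method if either target escapes the realm.
function planConnect(realm, method) {
  const plan = {
    connect: { method: method.method, url: resolveInRealm(realm, method.path) },
  };
  if (method.scrape) {
    plan.scrape = {
      method: method.scrape.method,
      url: resolveInRealm(realm, method.scrape.path),
      tokens: Object.keys(method.scrape.tokens || {}),
    };
  }
  return plan;
}

// Constructed sample: the "connect" method from the example above.
const sampleConnect = {
  method: "POST",
  path: "/connect",
  params: { username: "unam", password: "pass" },
  scrape: { method: "GET", path: "/foo",
            tokens: { foo: "/foo[0]/[3]/bar", bar: "blah/blah/blah" } },
};
const samplePlan = planConnect("https://www.example.com/", sampleConnect);
```

Comparing the resolved URL rather than the raw string is what makes the check hold for protocol-relative and dot-segment paths.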

  • Account param for disconnect

Simple: add an (optional) parameter to the disconnect method which, if present, the user agent will use to send the username being disconnected.

  • Registration changes (oh boy)

Yow.

  • New versioning stuff
  1. Top-level "version" has no meaning really. It should be allowed for humans more than anything.
  2. Top-level "must-support" property, if set, must be an array of strings. Each string is defined in the spec. User-agents must immediately abort if the must-support array contains a value which they do not recognize.
  3. User-agents must ignore any properties they do not understand.

  • Cookie watching

The sessionstatus section needs a "watch-cookie" property with the name of a cookie to watch. If the cookie is set/cleared for any page within the realm, the user-agent should force a sessionstatus ping.

  • rel in host-meta has to be "acct-mgmt" and not "http://services.mozilla.com/amcd/0.1"
  • actions like load-url and refresh(?) need to send the referrer as the current page
  • methods like GET/POST for connect/disconnect/status need to send the referrer as well
  • Path in host-meta should be namespaced


It's not a standard XRD:Link attribute. We want it.