
Bug 357991

Summary: openid authentication dialog provides no indication of the authenticity of the login page
Product: z_Archived
Reporter: David Green <greensopinion>
Component: Mylyn
Assignee: Steffen Pingel <steffen.pingel>
Status: RESOLVED FIXED
QA Contact:
Severity: enhancement
Priority: P3
CC: shawn.minto
Version: unspecified
Keywords: plan
Target Milestone: 0.9
Hardware: PC
OS: Windows 7
Whiteboard:
Attachments (description, flags):
mylyn/context/zip, none
mylyn/context/zip, none

Description David Green CLA 2011-09-16 16:11:02 EDT
Normally when OpenID login is presented in a browser, the user can verify the authenticity of the login page from the browser address bar, and know if it's secure from the "lock" icon. I didn't notice any such information provided via the login dialog. This authenticity feedback is part of what makes OpenID work — I suspect that users may be reluctant to enter their username and password if they're not sure where the web page originated from.

The dialog presented by @GerritRepositoryLocationUi.showAuthenticationDialog(String, OpenIdAuthenticationRequest)@ should provide the user with the web address location, and some indication as to the transport-layer protocol security (TLS/SSL).

related to bug 341434: support openid for login to gerrit

Comment 1 David Green CLA 2011-09-16 16:11:13 EDT
Created attachment 203525
mylyn/context/zip

Comment 2 Steffen Pingel CLA 2011-09-27 06:06:00 EDT
Good point. We should investigate if the browser API supports displaying page authenticity information.

Comment 3 Steffen Pingel CLA 2012-01-27 12:22:12 EST
I didn't notice any browser APIs to validate authenticity. We'll have to rely on the browser to show the appropriate warnings in case a certificate is not trusted.

To provide some feedback as to where the login form is originating from I added a label that shows the URL. It's not perfect but the best we can do for now.

Comment 4 Steffen Pingel CLA 2012-01-27 12:22:15 EST
Created attachment 210205
mylyn/context/zip
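
The URL label discussed in Comment 3 and the transport indication asked for in the description, as an added example that is not the Mylyn change or any code from this bug: it derives the label text from the location the embedded browser reports, showing only the host and port actually contacted plus whether the scheme is https. The class name, method name and label wording are hypothetical, the sample URLs are constructed, and the assumed wiring is a call from the browser widget's location-changed callback.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example (not Mylyn code): text for a location label shown above an
// embedded login browser. Class and method names are hypothetical.
public class LoginLocationLabel {

    /** Builds the label for the URL the embedded browser reports as its current page. */
    static String describe(String location) {
        URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            return "Unverified location: " + location;
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost(); // null when the authority is not a plain host[:port]
        boolean web = scheme.equals("https") || scheme.equals("http");
        if (!web || host == null) {
            return "Unverified location: " + location;
        }
        // Show only the host that is contacted: the user-info part before '@',
        // the path and the query can all contain text that looks like another site.
        StringBuilder origin = new StringBuilder(host.toLowerCase(Locale.ROOT));
        if (uri.getPort() != -1) {
            origin.append(':').append(uri.getPort());
        }
        // "https" only means the transport is TLS; certificate warnings are still
        // left to the browser widget.
        String prefix = scheme.equals("https") ? "Encrypted (https) " : "NOT ENCRYPTED (http) ";
        return prefix + origin;
    }

    public static void main(String[] args) {
        // Constructed sample locations, as a location-changed callback might report them.
        String[] samples = {
            "https://openid.example.org/login?return_to=https%3A%2F%2Fgerrit.example.com%2F",
            "http://openid.example.org/login",
            "https://openid.example.org@login.example.net:8443/auth",
            "about:blank",
        };
        for (String s : samples) {
            System.out.println(describe(s) + "    <- " + s);
        }
    }
}
```

For the third sample the label reads `login.example.net:8443`, the host the request goes to, not the name that appears before the `@`.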