Bug 357991 - openid authentication dialog provides no indication of the authenticity of the login page
Status: RESOLVED FIXED
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: Mylyn
Version: unspecified
Hardware: PC Windows 7
Importance: P3 enhancement
Target Milestone: 0.9
Assignee: Steffen Pingel CLA
Keywords: plan
Reported: 2011-09-16 16:11 EDT by David Green CLA
Modified: 2012-01-27 12:22 EST

Attachments
mylyn/context/zip (2.22 KB, application/octet-stream)
2011-09-16 16:11 EDT, David Green CLA
mylyn/context/zip (700 bytes, application/octet-stream)
2012-01-27 12:22 EST, Steffen Pingel CLA

Description David Green CLA 2011-09-16 16:11:02 EDT
Normally when OpenID login is presented in a browser, the user can verify the authenticity of the login page from the browser address bar, and know if it's secure from the "lock" icon. I didn't notice any such information provided via the login dialog. This authenticity feedback is part of what makes OpenID work — I suspect that users may be reluctant to enter their username and password if they're not sure where the web page originated from.

The dialog presented by @GerritRepositoryLocationUi.showAuthenticationDialog(String, OpenIdAuthenticationRequest)@ should provide the user with the web address location, and some indication as to the transport-layer protocol security (TLS/SSL).

related to bug 341434: support openid for login to gerrit
Comment 1 David Green CLA 2011-09-16 16:11:13 EDT
Created attachment 203525 [details]
mylyn/context/zip
Comment 2 Steffen Pingel CLA 2011-09-27 06:06:00 EDT
Good point. We should investigate if the browser API supports displaying page authenticity information.
Comment 3 Steffen Pingel CLA 2012-01-27 12:22:12 EST
I didn't notice any browser APIs to validate authenticity. We'll have to rely on the browser to show the appropriate warnings in case a certificate is not trusted.

To provide some feedback as to where the login form is originating from, I added a label that shows the URL. It's not perfect but the best we can do for now.
Comment 4 Steffen Pingel CLA 2012-01-27 12:22:15 EST
Created attachment 210205 [details]
mylyn/context/zip
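
One way to derive the text for the URL label discussed above from the page address, as an added example that is not part of the bug report or Mylyn's code. The class name `LoginOriginLabel`, the method `describe` and the sample hosts are assumptions; in an SWT dialog the input would be the `location` field of the embedded browser's `LocationEvent`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Added example (not Mylyn code): text for a label showing where a login page comes from. */
public class LoginOriginLabel {

    /** Reduces a page URL to "scheme://host[:port]" plus a transport note. */
    static String describe(String location) {
        URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            return "Unknown origin (address could not be parsed)";
        }
        String scheme = uri.getScheme();
        String host = uri.getHost(); // excludes any "user@" prefix in the authority
        if (scheme == null || host == null) {
            return "Unknown origin (no scheme or host)";
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        // Show only the origin: path and query are page-controlled and can be long
        // enough to push the host out of a fixed-width label.
        StringBuilder origin = new StringBuilder(scheme).append("://").append(host);
        if (uri.getPort() != -1) {
            origin.append(':').append(uri.getPort());
        }
        // "https" only means TLS was requested; certificate warnings still come
        // from the embedded browser, as comment 3 notes.
        String transport = scheme.equals("https") ? "TLS (https)" : "NOT encrypted (" + scheme + ")";
        return transport + " - " + origin;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; the hosts are placeholders.
        String[] samples = {
            "https://openid.example.org/login?return_to=https%3A%2F%2Fgerrit.example.org%2F",
            "http://openid.example.org/login",
            "https://openid.example.org@other.example:8443/login",
            "about:blank",
        };
        for (String s : samples) {
            System.out.println(describe(s));
        }
    }
}
```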