Revision 364015 of Call logout() after a failed login

  • Revision slug: Persona/The_implementor_s_guide/Call_logout()_after_a_failed_login
  • Revision title: Call logout() after a failed login
  • Revision id: 364015
  • Creator: wbamberg
  • Is current revision? No

Revision Content

After your onlogin handler gets called with an assertion, if for any reason you can't use the assertion to log the user in, you must call {{ domxref("navigator.id.logout()")}}.

If you don't, then the next time you call {{ domxref("navigator.id.watch()")}} Persona will immediately call your onlogin handler again, with the same assertion. Typically this will lead to an endless loop of failed login attempts:

  1. the user clicks "Sign In"
  2. the user interacts with the Persona interface, and Persona generates an assertion
  3. Persona delivers the assertion to the page's onlogin handler
  4. the onlogin handler rejects the assertion, and redirects the user to the login page
  5. the login page loads, calls {{ domxref("navigator.id.watch()")}}, and we go back to (3)

The reason is that Persona tries to remember which email you want to use to log into a particular site. Once the user has tried to log into your site as bob@gmail.com, Persona remembers that this is the address they want to use with your site. Then when the next page load calls {{ domxref("navigator.id.watch()")}} with a loggedInUser of "null", Persona compares that with its value of "bob@gmail.com", and sends the assertion again.

To make Persona forget the association between your site and the email address, call {{ domxref("navigator.id.logout()")}} if you don't want to log the user in with that assertion. This might be because the assertion does not validate, or because you don't want to use the given email address.

A common scenario where this is a problem is when an RP (relying party) wants to allow users to sign in with Persona, but does not want to let them sign up with Persona, preferring some custom registration system for new users. In this case, when you get an assertion, you'll check that the email address it contains is for one of your existing users, and reject the login attempt if it is not. If you do reject this assertion, you must call {{ domxref("navigator.id.logout()")}}.
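The following is an added example that is not part of this MDN page or of Mozilla's Persona code. It models the loop described above so the effect of calling navigator.id.logout() can be seen end to end: createFakePersona() is a constructed stand-in for navigator.id that implements only the remembered-email behaviour this page describes, verifyAssertion() stands in for the RP's server-side verification of the assertion (a real RP POSTs the assertion to its backend), and the registered-user list and email addresses are constructed sample data. The callLogoutOnFailure flag switches the fix on and off so the two behaviours can be compared.

```javascript
// Constructed assertion format: a real Persona assertion is an opaque,
// signed token that only the server-side verifier should interpret.
function makeAssertion(email) {
  return 'assertion-for:' + email;
}

// Constructed stand-in for navigator.id. It mimics the single behaviour
// described on this page: Persona remembers the email last used with the
// site, and when watch() is called with loggedInUser === null while an
// email is still remembered, it immediately re-delivers an assertion for
// that email by calling onlogin.
function createFakePersona() {
  const state = { rememberedEmail: null, redeliveries: 0 };
  return {
    state,
    // The user picked an email in the Persona dialog (constructed hook).
    userPicksEmail(email) { state.rememberedEmail = email; },
    watch({ loggedInUser, onlogin }) {
      if (state.rememberedEmail !== null && loggedInUser !== state.rememberedEmail) {
        state.redeliveries += 1;
        onlogin(makeAssertion(state.rememberedEmail));
      }
    },
    // logout() makes Persona forget the site/email association.
    logout() { state.rememberedEmail = null; },
  };
}

// Constructed RP user database: sign-in is allowed, sign-up via Persona is not.
const REGISTERED_USERS = new Set(['alice@example.com']);

// Stand-in for the RP's server-side check. A real RP sends the assertion to
// its backend, which verifies it and returns the email it is bound to.
function verifyAssertion(assertion) {
  const prefix = 'assertion-for:';
  return assertion.startsWith(prefix) ? assertion.slice(prefix.length) : null;
}

// Build the onlogin handler the RP passes to navigator.id.watch().
function makeOnLogin(persona, page, { callLogoutOnFailure }) {
  return function onlogin(assertion) {
    const email = verifyAssertion(assertion);
    if (email !== null && REGISTERED_USERS.has(email)) {
      page.loggedInUser = email;   // accept: establish the session
      return;
    }
    // Reject: assertion did not verify, or the email is not a known user.
    if (callLogoutOnFailure) {
      persona.logout();            // the fix this page prescribes
    }
    page.redirectToLogin();        // step 4 of the loop described above
  };
}

// Simulate one sign-in attempt. maxPageLoads bounds the runaway loop so the
// unfixed variant terminates and its page-load count can be inspected.
function simulateLoginAttempt(email, { callLogoutOnFailure, maxPageLoads = 10 }) {
  const persona = createFakePersona();
  const page = { loggedInUser: null, pageLoads: 0, redirectToLogin: loadLoginPage };
  const onlogin = makeOnLogin(persona, page, { callLogoutOnFailure });

  // Step 5: the login page loads and calls watch() with the current session.
  function loadLoginPage() {
    if (page.pageLoads >= maxPageLoads) return;
    page.pageLoads += 1;
    persona.watch({ loggedInUser: page.loggedInUser, onlogin });
  }

  loadLoginPage();               // initial page load (steps 1-2 follow)
  persona.userPicksEmail(email); // user completes the Persona dialog
  onlogin(makeAssertion(email)); // step 3: Persona delivers the assertion
  return {
    loggedIn: page.loggedInUser,
    pageLoads: page.pageLoads,
    redeliveries: persona.state.redeliveries,
  };
}

module.exports = { simulateLoginAttempt, makeOnLogin, verifyAssertion };
```

Running simulateLoginAttempt('bob@gmail.com', { callLogoutOnFailure: false }) hits the page-load cap with the same assertion redelivered on every load, while the same call with callLogoutOnFailure: true stops after the single redirect, because Persona no longer remembers bob@gmail.com when watch() runs again. A registered address is accepted on the first delivery in both variants.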
