nodeSolidServer/node-solid-server

Improve UX of adding a third party app as trusted

michielbdejong opened this issue · 7 comments

Current UX with NSS 5 for using a third-party webapp:

  • visit e.g. https://pheyvaer.github.io/solid-chess/
  • click 'Log In'
  • a popup gives you four options, pick 'custom'
  • enter your WebId, or at least the protocol+hostname of it
  • log in to your pod (if you're not already logged in)
  • the popup will close and the app will say you're logged in
  • open a separate tab, browse to your own WebId (make sure to include the '#me')
  • hover over the 'card' title
  • select the 'A' icon
  • enter the origin of the app, https://pheyvaer.github.io
  • tick the read, write, and append boxes
  • click add
  • switch back to the app pane and start using the app

Proposal: add a checkbox that makes it easier to add an app as trusted, as part of the login flow. With this, it would become:

  • visit https://pheyvaer.github.io/solid-chess/
  • click 'Log In'
  • a popup gives you four options, pick 'custom'
  • enter your WebId, or at least the protocol+hostname of it
  • log in to your pod (if you're not already logged in)
  • if the app is not in your list of trusted apps yet, you will see three buttons in the popup dialog: 'identity only (don't add as trusted app)', 'identity+read only', and 'identity+read+write'
  • click one of those buttons
  • the popup will close and the app will say you're logged in
  • no need to go into the data browser's trusted apps pane separately

This makes sense. I'll be sure to try to implement this feature in the new idp.

Yeah, we need some cross-dependency there because it means the UI of the IDP needs to trigger a change on the pod.

Ah, that's very true. This would require a whole new dimension where the IDP knows all the pods that a user has, and update each one of them. On top of that, the UI isn't just as simple as "grant access to an app." It would be "Grant access to an app for all of my pods... this one pod... everything excluding this pod?"

No, there is only one profile per user, even if there are multiple pim:storage pods. You find the user's profile by dereferencing their webid, and that's where their list of trusted apps is. In theory, the user's profile doesn't even have to be on their pod, it could also be generated dynamically from the profile information stored in an organization's LDAP server.
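An added example (not code from node-solid-server) of how the profile-held trusted-app list described above can be checked and extended. It assumes the acl:trustedApp / acl:origin / acl:mode vocabulary that NSS 5 uses and represents the profile as in-memory (subject, predicate, object) triples rather than Turtle; the profile content is constructed for the example.

```python
from urllib.parse import urlsplit

ACL = "http://www.w3.org/ns/auth/acl#"
MODES = {"read": ACL + "Read", "write": ACL + "Write", "append": ACL + "Append"}
DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed sample profile: one trusted app already present (read only).
WEBID = "https://alice.example/profile/card#me"  # placeholder WebID
PROFILE = [
    (WEBID, ACL + "trustedApp", "_:b1"),
    ("_:b1", ACL + "origin", "https://trusted-app.example"),  # constructed origin
    ("_:b1", ACL + "mode", ACL + "Read"),
]


def app_origin(url):
    """Reduce an app URL to its origin (scheme://host[:port]).

    Trust is granted per origin, not per path, so every app served from the
    same origin (e.g. all pages under https://pheyvaer.github.io) shares it.
    """
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORT or not p.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    origin = "%s://%s" % (p.scheme, p.hostname)  # hostname is already lower-cased
    if p.port is not None and p.port != DEFAULT_PORT[p.scheme]:
        origin += ":%d" % p.port
    return origin


def trusted_modes(triples, webid, origin):
    """Return the set of acl:mode IRIs the profile grants to `origin`.

    Matching is exact on the origin string: no prefix or substring matching,
    so "https://evil.example" never matches "https://evil.example.attacker".
    """
    modes = set()
    for s, p, o in triples:
        if s == webid and p == ACL + "trustedApp":
            entry = {(pp, oo) for ss, pp, oo in triples if ss == o}
            if (ACL + "origin", origin) in entry:
                modes |= {oo for pp, oo in entry if pp == ACL + "mode"}
    return modes


def grant_trusted_app(triples, webid, origin, modes):
    """Return the triples to append so `origin` becomes trusted with `modes`."""
    unknown = set(modes) - MODES.keys()
    if unknown:
        raise ValueError("unknown modes: %s" % sorted(unknown))
    node = "_:app%d" % sum(1 for _, p, _ in triples if p == ACL + "trustedApp")
    new = [(webid, ACL + "trustedApp", node), (node, ACL + "origin", origin)]
    return new + [(node, ACL + "mode", MODES[m]) for m in sorted(modes)]
```

Together these implement the proposal's "identity+read only" / "identity+read+write" buttons: derive the origin from the app's redirect URL, look it up, and only append a grant if none exists.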

To inform people following this issue: @jaxoncreed is working on implementing a solution that would allow users to grant access to an application as part of the login process, if a redirect URL is present, the profile the user tries to authenticate with hasn't granted access to the application before, and trustedOrigin is set to true for the server.

I'm working on a text that explains what this is about for people uncertain what this part of the login form means.