Are there documented best practices when federating identity to a third party using OIDC?

We are creating an OpenId Provider (using Identity Server 4) that has the ability to federate authentication to other IdPs based on email (eg, we first ask for email and then determine how to authenticate you, potentially by redirecting you to another OpenId Provider). I’m looking for documented best practices on this scenario, especially when dealing with sessions. Some examples:

  1. When we are authenticating locally (not federating), we want to store a session cookie at the IdP to enable SSO scenarios. However, in the case of federation, we perhaps should not store cookies and should instead always redirect to the third-party IdP (who may or may not have cookies).
  2. If the user is federated and the client requests a refresh token, we should request a refresh token from the third party IdP and give that to the client. In turn, when issuing new access tokens based on the refresh token, we should validate that the refresh token is still valid at the third party IdP.

Flows like these would give the third party IdP better control over security and session parameters specific to their needs. However, I have been unable to find documentation, standards or RFCs detailing these or other recommended flows when federating from one OpenId Provider to another.

Is “work profile” a AOSP feature, where is it documented?

I was not able to find much documentation regarding how the “work profile” feature (or maybe it is called android-for-work) works.

It seems the feature attempts to provide two distinct user profiles (similar to multi-user “max 4 users” feature) but with the distinction that apps can be run side-by-side without logout and login (as would be the case with multi-user)

I know that some software (i.e. shelter) is using the “work-profile” feature to create some sort of sandbox for “deplorable applications” (e.g. WhatsApp that would abuse disfunct AOSP permissions system to access all contacts, though not necessary).

This questions seeks information where to find documentation and explanation how this “work profile” features works.

Are there any documented best practices for in-app SaaS upgrade prompts?

I have a SaaS web app with 3 different plans. Each plan increases access to certain features or a large quantity of a particular feature. We’ll call them A, B and C with C being the highest level, most expensive plan.

Currently if you are signed up for plan A you may see a location in the application that says “Upgrade your account to get access to XYZ feature” (because plan A doesn’t include that feature). Clicking on that prompt takes you to the plan management view where you can see the features vs plans and upgrade if you wish.

What I’m wondering is whether the prompts on the lower plans are overwhelming the user’s experience calling out things to them that they don’t have access to, and wondering if there are any best practices on how to handle this?

For example if I remove the prompts completely, the user may not know that the next level plan has a feature they need and want; perhaps they cancel because of that.

Should the prompts be removed and replaced with email marketing telling the user about what they are missing out on?

Whats the best way to handle?

Is the full behaviour of textboxes documented anywhere?

PC games often have to build their own UI widgets (buttons, input textboxes, etc). Fortunately it’s relatively trivial to write one’s own textbox from scratch given only a 2D drawing API and user-input event messages:

  • State:

    • Current text buffer
    • Textbox dimensions
    • Current caret location and current text selection range
    • Simple options, e.g. is read-only, etc
  • Render:

    • Draw rectangle (maybe with an inset border look)
    • Draw line of text from the internal buffer within the dimensions
    • Draw caret and/or text selection
  • User input:

    • On key-press:
      • If character key was pressed, insert that character into the buffer at the caret’s location (often just appending to the end)
      • If control key was pressed (e.g. backspace) then handle each control key appropriately
      • If arrow keys, then move the caret accordingly, including up/down for multi-line text-boxes
    • On key-down
      • If key held down for > 3 seconds then repeat key-press until key-up

So far, so simple.

But I noticed that many games and even business software using custom widget toolkits (thank you, WPF…) don’t match the full set of functionality provided by the Microsoft Windows’ User32 textbox (formally, the Edit Control).

Examples of this functionality missing from other implementations includes multiple keystroke (key-chord?) commands and various kinds of system integration for example:

  • Ctrl + Arrow-keys to move the caret to the next word-boundary
  • Shift + Arrow-keys for selection
  • Ctrl + Shift + Arrow-keys for selection to the next word-boundary
  • Built-in spell-checker with red-squiggle underlines
  • Right-click context menu
  • Ctrl+A to select all
  • Automatically opening the system’s on-screen keyboard when the control gains focus
  • “Tab” focus highlighting

But I noticed that these keystrokes and shortcuts are also accepted by other standard textboxes present in other platforms, sparing minor differences (e.g. on macOS it’s Alt+Arrow-keys to move between word-boundaries).

But it’s not just keystrokes, also consider things like rendering Unicode correctly as Unicode includes rules on text layout (e.g. Zalgo text via Combining Marks) – granted this is more to do with the text rendering library being used than the textbox itself.

So I was wondering if there exists something like an “ISO standard for input textboxes” or something similar that sets out all standard behaviour of a textbox so that developers of a new platform know exactly the functionality they need to implement to build something like that on other systems – without needing to go through proprietary, platform-specific documentation that may hide undocumented features. I note that the documentation for Win32’s Edit Control doesn’t go into details about the user-facing functionality (which is exactly what I’m talking about) because that’s something you’d read in the User Manual, not the programming reference – especially because the functionality of the Edit Control is improved and extended in future versions of Windows without the original hosting application’s developers needing to do anything.