[OpenID] Can we make a seamless OpenID mobile experience?

Luke Shepard lshepard at facebook.com
Fri Apr 10 19:29:15 UTC 2009

(dropping board@, generalizing subject). Thanks for those links Breno - that research is helpful.

The whole OpenID/OAuth model for non-browser devices seems to be "let's get you to a browser as quick as we can". Frankly, that still sucks - after all, if I'm playing on my Playstation (as in the example below), then I just want to enter my credentials right there, and not go get a computer. Not to mention mobile - how often do you think users of the mobile phone will be sitting in front of an internet-connected computer?

We need to move the point of authentication as close as possible to where it's needed.

I know it's really tough from a security perspective, because the OP doesn't want to trust the device manufacturers with its credentials. But let's assume that we have an OP and an RP, and they agree to trust each other. Can we build a way for them to do it with open standards? Right now, the "open" experience is so bad that they will design their own thing. As always, we can punt the "who to trust" problem to later. Having an open standard way of doing this, even if it requires trust, is still better than everybody inventing their own solution.

Lots of mobile clients nowadays just ask you for username/password directly - look at the Gmail and Facebook apps for Blackberry, for example. So how can we make that same experience work through OpenID, without an external browser?

On 4/10/09 12:12 PM, "Breno de Medeiros" <breno at google.com> wrote:

Google's public research on OAuth and OpenID, which deals with many
issues of interest to the developer community in this area, in
particular user experience issues, is available at

In particular, the following link is of interest to you:


Significant changes to that site are also announced in the blog



On Fri, Apr 10, 2009 at 11:47 AM, David Recordon <david at sixapart.com> wrote:
> Hey Kamal,
> I'm forwarding your email to both the OpenID General and OAuth mailing
> lists.
> Cheers,
> --David
> Begin forwarded message:
> From: Kamal Mehta <kamal.mehta at gmail.com>
> Date: April 10, 2009 12:30:31 AM PDT
> To: board at openid.net
> Subject: [OpenID board] Question on implementation of OAUTH/OpenID for
> Set-top-box
> Reply-To: board at openid.net
> Hi,
> We are evaluating the integration of OpenID/OAUTH for our clients so that
> there could be a seamless user experience of Authentication on
> Playstation/Set-top-box. In due course we investigated it a bit and found
> that OpenID/OAUTH 2.0 follows a redirection model FROM Relying Party TO
> OpenID Provider through the UserAgent, which happens to be a browser in all
> example implementations we have seen.
>  We have a quick question. As described, we are using Blu-ray players, which
> lack the ability of having state-of-the-art browsers, is there any
> possibility of implementing OpenID and OAUTH w/out going thru browser route
> of redirection, such as any direct API call to get an authentication of
> user? Is it even feasible?
>  Are there any implementations done for Set-Top-Box by any other company we
> could leverage some design discussions?
>  Appreciate your early response.
>  Thanks in advance.
> --
> Regards,
> Kamal Mehta
> http://www.linkedin.com/in/kamalmehta
> _______________________________________________
> board mailing list
> board at openid.net
> http://openid.net/mailman/listinfo/board
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

