[OpenID] Can we make a seamless OpenID mobile experience?

Breno de Medeiros breno at google.com
Fri Apr 10 19:34:49 UTC 2009

The idea is to use a single-use code of some kind that works as a
password substitute (since the user does not have a password at the
site because he/she signs in using OpenID), followed by the
installation of a longer-lived token on the device. Think about
bluetooth pairing of devices as the basic paradigm.

Devices can basically fall into four categories depending on their
ability to accept customizable input or display programmatically
controlled output. This leads to different approaches to the UX

On Fri, Apr 10, 2009 at 12:29 PM, Luke Shepard <lshepard at facebook.com> wrote:
> (dropping board@, generalizing subject). Thanks for those links Breno - that
> research is helpful.
> The whole OpenID/Oauth model for non-browser devices seems to be “let’s get
> you to a browser as quick as we can”.  Frankly, that still sucks- after all,
> if I’m playing on my Playstation (as in the example below), then I just want
> to enter my credentials right there, and not go get a computer. Not to
> mention mobile – how often do you think users of the mobile phone will be
> sitting in front of an internet-connected computer?
> We need to move the point of authentication as close as possible to where
> it’s needed.
> I know it’s really tough from a security perspective, because the OP doesn’t
> want to trust the device manufacturers with its credentials. But let’s
> assume that we have an OP and an RP, and they agree to trust each other. Can
> we build a way for them to do it with open standards? Right now, the “open”
> experience is so bad that they will design their own thing. As always, we
> can punt the “who to trust” problem to later. Having an open standard way of
> doing this, even if it requires trust, is still better than everybody
> inventing their own solution.
> Lots of mobile clients nowadays just ask you for username/password directly
> – look at the Gmail and Facebook apps for Blackberry, for example. So how
> can we make that same experience work through OpenID, without an external
> browser?
> On 4/10/09 12:12 PM, "Breno de Medeiros" <breno at google.com> wrote:
> Google's public research on OAuth and OpenID, which deals with many
> issues of interest to the developer community in this area, in
> particular user experience issues, is available at
> http://sites.google.com/site/oauthgoog/
> In particular, the following link is of interest to you:
> http://sites.google.com/site/oauthgoog/UXFedLogin/nobrowser
> Significant changes to that site are also announced in the blog
> http://oauthgoog.blogspot.com/
> Cheers,
> --Breno
> On Fri, Apr 10, 2009 at 11:47 AM, David Recordon <david at sixapart.com> wrote:
>> Hey Kamal,
>> I'm forwarding your email to both the OpenID General and OAuth mailing
>> lists.
>> Cheers,
>> --David
>> Begin forwarded message:
>> From: Kamal Mehta <kamal.mehta at gmail.com>
>> Date: April 10, 2009 12:30:31 AM PDT
>> To: board at openid.net
>> Subject: [OpenID board] Question on implementation of OAUTH/OpenID for
>> Set-top-box
>> Reply-To: board at openid.net
>> Hi,
>> We are evaluating the integration of OpenID/OAUTH for our clients so that
>> there could be a seamless user experience of Authentication on
>> Playstation/Set-top-box. In due course we investigated it a bit and found
>> that OpenID/OAUTH 2.0 follows a redirection model FROM Relying Party TO
>> OpenID Provider through the UserAgent, which happens to be browser in all
>> example implementation we have seen.
>> We have a quick question. As described, we are using Blu-ray players, which
>> lack the ability of having state-of-the-art browsers. Is there any
>> possibility of implementing OpenID and OAUTH w/out going thru browser
>> route of redirection, such as any direct API call to get an authentication
>> of user? Is it even feasible?
>> Are there any implementations done for Set-Top-Box by any other company
>> we could leverage some design discussions?
>>  Appreciate your early response.
>>  Thanks in advance.
>> --
>> Regards,
>> Kamal Mehta
>> http://www.linkedin.com/in/kamalmehta
>> _______________________________________________
>> board mailing list
>> board at openid.net
>> http://openid.net/mailman/listinfo/board
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
> --
> --Breno
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)



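As an added illustration (not part of the original message, and not code from Google or any OpenID project), here is one way a site could implement the single-use code followed by a longer-lived device token described at the top of this message. The class name, the 8-digit code format, the 5-minute lifetime and the 5-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300     # seconds a pairing code stays valid (assumed value)
MAX_ATTEMPTS = 5   # wrong guesses allowed before the code is burned (assumed value)

def _digest(value):
    # Store only hashes so a leaked table does not expose codes or tokens.
    return hashlib.sha256(value.encode()).hexdigest()

class PairingService:
    """Hypothetical site-side store: single-use codes in, device tokens out."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> [code_hash, expires_at, attempts_left]
        self._tokens = {}   # token_hash -> (user_id, device_name)

    def issue_code(self, user_id):
        """Run inside a browser session already signed in through OpenID."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[user_id] = [_digest(code), self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def redeem(self, user_id, code, device_name):
        """Run by the device; returns a long-lived token, or None on failure."""
        entry = self._pending.get(user_id)
        if entry is None:
            return None
        if self._clock() > entry[1]:
            del self._pending[user_id]       # expired codes are discarded
            return None
        if not hmac.compare_digest(entry[0], _digest(code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[user_id]   # too many guesses: burn the code
            return None
        del self._pending[user_id]           # single use: gone after first success
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (user_id, device_name)
        return token

    def authenticate(self, token):
        """Map a presented device token back to its user, or None if unknown."""
        record = self._tokens.get(_digest(token))
        return record[0] if record else None
```

The short code is only safe to type on a limited device because it expires quickly and tolerates few guesses; the token that replaces it is long and random and never has to be entered by hand.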