[OpenID] Can we make a seamless OpenID mobile experience?

Nat Sakimura sakimura at gmail.com
Mon Apr 13 06:00:41 UTC 2009

When we talk about mobile, I think we should divide the devices into
several spaces.

iPhone-kind intelligent devices are one, WAP etc. phones are another, and
there are SMS devices.

In Japan, i-mode/WAP type browser phones are the norm.
They have unique identifiers assigned at the carrier gateway.
(So do some U.S. phones as well.)
These can be treated as fairly robust as long as we are on an SSL/TLS
channel. Thus, after registering the device to the OP, the
user experience will be quite seamless.

The user goes to the RP and clicks on Login; he will be taken to the OP,
automagically logged in with the device id, and sent back to
the RP. There is no click other than the initial click on the OP
Identifier Login.

The downside is: OpenID messages are lengthy with GET, and when they are
coupled with AX or something like that, many phones will choke.
Something similar to SAML's Artifact binding would be preferable over the
current "GET/POST" binding.


On Sat, Apr 11, 2009 at 11:14 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> The problem with having the client directly submit the username/password to
> the SP is that it requires OAuth Service Providers to have passwords for
> their users, implying that OpenID Relying Parties cannot be OAuth SPs.
> For an example of a good mobile browser based OAuth UX, check out the
> Sparrow iPhone App for Fire Eagle. The Sparrow app opens Safari to the
> Yahoo Mobile Login screen, and then sends the user to the Fire Eagle OAuth
> Permissions screen to authorize the OAuth token. The Sparrow App
> automatically regains focus after the user authorizes the token via a
> custom protocol handler on the OAuth callback URL.
> Is the UX demonstrated by the Sparrow iPhone app sufficient for mobile apps?
> I think it's just as good, if not better, than submitting the
> username/password directly to the SP.
> Allen
> Luke Shepard wrote:
>> It's still not great.
>> For example, take my Gmail app on my Blackberry. I don't have to go to a
>> website- I can enter my credentials directly. This is great- if I had to go
>> to a web browser, I would probably never have installed it.
>> So, how can we do that with OpenID and OAuth?
>> One way could be an extension that allows an OAuth consumer to ping the
>> provider directly with a username and password, and get a token directly.
>> Yes, this has issues with trust and security. But my point is that these
>> apps are being built already, and wouldn't it be cool if they were built
>> using open standards?
>> So I'm just putting it out there.

Nat Sakimura (=nat)
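As an added illustration of the GET-length problem and the artifact-style alternative raised in the message above (example code written for this page, not from the thread, any OpenID spec or any OP/RP implementation; the openid.mode=artifact parameter, the ArtifactStore and all URLs are hypothetical placeholders), this Python builds a realistic checkid_setup request with an AX fetch_request and compares carrying it in the query string against passing only a short, single-use, time-limited artifact that the OP resolves over a direct back channel:

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed sample: an OpenID 2.0 checkid_setup request carrying an AX
# fetch_request for e-mail and full name. Handles and hosts are placeholders.
OPENID_REQUEST = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.return_to": "https://rp.example/openid/return?session=0123456789abcdef",
    "openid.realm": "https://rp.example/",
    "openid.assoc_handle": "{HMAC-SHA256}{49e2e3a1}{Zm9vYmFy}",
    "openid.ns.ax": "http://openid.net/srv/ax/1.0",
    "openid.ax.mode": "fetch_request",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.type.fullname": "http://axschema.org/namePerson",
    "openid.ax.required": "email,fullname",
}

def direct_get_url(op_endpoint, params):
    """Current GET binding: the entire message rides in the query string."""
    return op_endpoint + "?" + urlencode(params)

class ArtifactStore:
    """Hypothetical RP-side message store for an artifact binding, modelled
    on SAML's artifact binding. The OP fetches the real message by artifact
    over a direct (server-to-server) request, so nothing sensitive is exposed
    to the handset's URL limits or history."""
    def __init__(self, ttl=120):
        self.ttl = ttl
        self.messages = {}

    def issue(self, params):
        artifact = secrets.token_urlsafe(16)  # unguessable, opaque handle
        self.messages[artifact] = (time.time() + self.ttl, dict(params))
        return artifact

    def resolve(self, artifact):
        """One-shot and time-limited: a replayed or stale artifact resolves
        to nothing, so the artifact itself carries no trust."""
        entry = self.messages.pop(artifact, None)
        if entry is None or entry[0] < time.time():
            return None
        return entry[1]

def artifact_get_url(op_endpoint, store, params):
    """Hypothetical artifact binding: only the short handle goes over GET."""
    artifact = store.issue(params)
    return op_endpoint + "?" + urlencode({"openid.mode": "artifact",
                                          "openid.artifact": artifact})
```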
