<HTML>
<HEAD>
<TITLE>Can we make a seamless OpenID mobile experience?</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>(dropping board@, generalizing subject). Thanks for those links Breno - that research is helpful.<BR>
<BR>
The whole OpenID/OAuth model for non-browser devices seems to be “let’s get you to a browser as quick as we can”. Frankly, that still sucks - after all, if I’m playing on my Playstation (as in the example below), then I just want to enter my credentials right there, and not go get a computer. Not to mention mobile – how often do you think users of the mobile phone will be sitting in front of an internet-connected computer?<BR>
<BR>
We need to move the point of authentication as close as possible to where it’s needed.<BR>
<BR>
I know it’s really tough from a security perspective, because the OP doesn’t want to trust the device manufacturers with its credentials. But let’s assume that we have an OP and an RP, and they agree to trust each other. Can we build a way for them to do it with open standards? Right now, the “open” experience is so bad that they will design their own thing. As always, we can punt the “who to trust” problem to later. Having an open standard way of doing this, even if it requires trust, is still better than everybody inventing their own solution.<BR>
<BR>
Lots of mobile clients nowadays just ask you for username/password directly – look at the Gmail and Facebook apps for Blackberry, for example. So how can we make that same experience work through OpenID, without an external browser?<BR>
<BR>
<BR>
On 4/10/09 12:12 PM, "Breno de Medeiros" <<a href="breno@google.com">breno@google.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Google's public research on OAuth and OpenID, which deals with many<BR>
issues of interest to the developer community in this area, in<BR>
particular user experience issues, is available at<BR>
<a href="http://sites.google.com/site/oauthgoog/">http://sites.google.com/site/oauthgoog/</a><BR>
<BR>
In particular, the following link is of interest to you:<BR>
<BR>
<a href="http://sites.google.com/site/oauthgoog/UXFedLogin/nobrowser">http://sites.google.com/site/oauthgoog/UXFedLogin/nobrowser</a><BR>
<BR>
Significant changes to that site are also announced in the blog<BR>
<a href="http://oauthgoog.blogspot.com/">http://oauthgoog.blogspot.com/</a><BR>
<BR>
Cheers,<BR>
<BR>
--Breno<BR>
<BR>
On Fri, Apr 10, 2009 at 11:47 AM, David Recordon <<a href="david@sixapart.com">david@sixapart.com</a>> wrote:<BR>
> Hey Kamal,<BR>
> I'm forwarding your email to both the OpenID General and OAuth mailing<BR>
> lists.<BR>
> Cheers,<BR>
> --David<BR>
><BR>
> Begin forwarded message:<BR>
><BR>
> From: Kamal Mehta <<a href="kamal.mehta@gmail.com">kamal.mehta@gmail.com</a>><BR>
> Date: April 10, 2009 12:30:31 AM PDT<BR>
> To: <a href="board@openid.net">board@openid.net</a><BR>
> Subject: [OpenID board] Question on implementation of OAUTH/OpenID for<BR>
> Set-top-box<BR>
> Reply-To: <a href="board@openid.net">board@openid.net</a><BR>
> Hi,<BR>
><BR>
> We are evaluating the integration of OpenID/OAUTH for our clients so that<BR>
> there could be a seamless user experience of Authentication on<BR>
> Playstation/Set-top-box. In due course we investigated it a bit and found<BR>
> that OpenID/OAUTH 2.0 follows a redirection model FROM Relying Party TO<BR>
> OpenID Provider through the UserAgent, which happens to be a browser in all<BR>
> example implementations we have seen.<BR>
><BR>
> We have a quick question. As described, we are using Blu-ray players, which<BR>
> lack the ability of having state-of-the-art browsers. Is there any<BR>
> possibility of implementing OpenID and OAUTH w/out going thru browser route<BR>
> of redirection, such as any direct API call to get an authentication of<BR>
> user? Is it even feasible?<BR>
><BR>
> Are there any implementations done for Set-Top-Box by any other company we<BR>
> could leverage some design discussions?<BR>
><BR>
> Appreciate your early response.<BR>
><BR>
> Thanks in advance.<BR>
><BR>
> --<BR>
> Regards,<BR>
> Kamal Mehta<BR>
> <a href="http://www.linkedin.com/in/kamalmehta">http://www.linkedin.com/in/kamalmehta</a><BR>
><BR>
> _______________________________________________<BR>
> board mailing list<BR>
> <a href="board@openid.net">board@openid.net</a><BR>
> <a href="http://openid.net/mailman/listinfo/board">http://openid.net/mailman/listinfo/board</a><BR>
><BR>
><BR>
> _______________________________________________<BR>
> general mailing list<BR>
> <a href="general@openid.net">general@openid.net</a><BR>
> <a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
><BR>
><BR>
<BR>
<BR>
<BR>
--<BR>
--Breno<BR>
<BR>
+1 (650) 214-1007 desk<BR>
+1 (408) 212-0135 (Grand Central)<BR>
MTV-41-3 : 383-A<BR>
PST (GMT-8) / PDT(GMT-7)<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>