[OpenID] popup protocol UX? Re: FB Connect, OpenID and UX

Christian Scholz / Tao Takashi (SL) tao.takashi at googlemail.com
Tue Dec 16 09:44:47 UTC 2008


On Tue, Dec 16, 2008 at 4:38 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> Allen Tom wrote:
>
> The approval screen can show up in a lightbox if the user is already
> signed into FB. Not sure if this matters, but a malicious 3rd party site
> can probably auto-approve itself using clickjacking gymnastics to click
> on the connect button.
>
>
> The approval screen now appears to always be in a popup, even if the user is
> already signed into FB. I could have sworn it was in a lightbox the last
> time I looked. At any rate, having the user authenticate and approve access
> in a popup seems to be an improvement over the existing OpenID and OAuth
> implementations that are currently in the wild.

I was playing around with FB connect on a blog yesterday and when
being logged in I got a layer, no popup. But anyway, things might
have changed.

But if we are heading towards a popup, does that mean we need some
sort of standard of how big it is so that OPs can create a correct
layout for them? And while we are at it, maybe more things should be
standardized so that users more easily understand what's going on?

Sebastian's[1] screens might show a solution but I would suggest
making it clearer which provider now is in charge of your login. Also we
need to take into account that it's not always your password they are
asking for so there needs to be some flexibility in layout. But in
general I think it would be good if

- a base layout is always the same
- the branding of the provider needs to be very clear

The other question is if e.g. the popup size (and maybe whether it's a
popup or a full redirect) can be discovered by the RP/OP so that all
parties know what to do.

As for Sebastian's screens it needs to be discussed where the
selection of the provider is happening. It would be great if people
knew what to put into an OpenID field as they know about an
email field but that's not happening right now. So there needs to be
some selection of a provider but also a freeform option for every
OpenID. The question is then if this happens in the popup or already
on the actual page.

(Should there be browser support, the browser could maybe select the
correct button for you and replace a "login with openid"
automatically with "login with your yahoo account" etc.)

-- Christian

[1] http://pixelsebi.com/2008-12-14/open-connect-a-ux-proposal-for-the-openstack/



-- 
Christian Scholz
http://mrtopf.de/blog

New Podcast: http://datawithoutborders.net


