[OpenID] Flickr / Yahoo OpenID implementation
Allen Tom
atom at yahoo-inc.com
Tue Jan 13 18:41:44 UTC 2009

Hi Ben,

We're really happy to see RPs accept Flickr OpenIDs, because there's a
lot of interesting things that RPs can potentially do with Flickr
identities. In particular, a user's Flickr Profile and Photos pages
contain plenty of interesting microformats that could be used by RPs to
personalize the experience for Flickr users.

Currently, Flickr users must explicitly enable their Flickr Photos URL
to be used as an OpenID. To do this, you can go to
http://openid.yahoo.com and click the big "Get Started" button. After
signing in with the Yahoo ID that is associated with the Flickr account,
you'll be able to enable your Flickr Photos URL as an OpenID by expanding
the "Show Customization Options" arrow at the bottom of the screen.

Once you've enabled your Flickr Photos URL as an OpenID, you'll be able
to type in your Flickr Photos URL onto an RP site and have it returned
in the OpenID assertion. You can also just type in "flickr.com" and use
directed identity.

If you have not enabled your Flickr Photos URL as an OpenID, we will
return the default Yahoo OpenID (the ugly machine generated hashed
identifier) in the assertion.

After reading this, you're probably wondering why this is so convoluted.
When we launched our OpenID service a year ago, we were required to
issue machine generated OpenIDs (the ugly hashed ones) to users by
default, unless they explicitly asked for a personalized identifier.

Our lawyers also insisted that all Yahoo/Flickr users who wanted to use
their account as an OpenID explicitly enable their account for OpenID
and agree to a new Terms of Service. The whole User Experience (UX) of
enabling an account for OpenID, agreeing to a ToS, and then selecting a
personalized identifier proved to be a horrendous UX with very high
dropoff rates, which we formally studied, documented, and released to
the OpenID Community here:
http://developer.yahoo.com/openid/bestpractices.html

We can probably optimize the experience a bit by changing the UX flow to
ask the user to enable their Flickr account as an OpenID when the
authentication request contains a flickr.com URL.

An alternative approach (and probably better) would be to use Attribute
Exchange to share the Flickr Photos URL with the RP, and to keep the
default Yahoo OpenID identifier. There's even a Flickr URL attribute
defined in the official AX schema:
http://www.axschema.org/types/

If you have any more questions or feedback regarding Flickr OpenIDs,
please don't hesitate to contact me directly, or on this list.

Allen

Ben Schwarz wrote:
> So without my users specifically saying:
>
> Hi, I'm http://flickr.com/photos/benschwarz
>
> No really, I'm http://flickr.com/photos/benschwarz
>
> I cannot confirm that they own the Flickr account that they originally
> ID'd with.
> While this might be an edge case as far as OpenID goes, I believe it
> to be highly problematic and somewhat of a barrier for further OpenID
> implementations.
>
> --
>
>
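
Added example (not part of the original thread, and not Yahoo's or Flickr's code): an RP-side check that classifies a positive OpenID 2.0 assertion by whether it ties the user to a Flickr Photos URL, covering the three cases described above (Photos URL returned as the claimed identifier, default identifier returned, Photos URL delivered through Attribute Exchange). It assumes the RP's OpenID library has already verified the signature and discovery; the function names, the AX type URI and the sample identifier are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

AX_NS = "http://openid.net/srv/ax/1.0"
# Assumed type URI for the Flickr URL attribute; confirm it against axschema.org/types.
FLICKR_AX_TYPE = "http://axschema.org/contact/web/Flickr"

def norm(url):
    """Return (host without 'www.', path without trailing slash) for comparison."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return (host[4:] if host.startswith("www.") else host, parts.path.rstrip("/"))

def is_photos_url(url):
    host, path = norm(url)
    return host == "flickr.com" and path.startswith("/photos/") and len(path) > 8

def signed_ax_values(fields, signed, type_uri):
    """AX values of one type, taken only from fields covered by openid.signed."""
    alias = next((k[10:] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None:
        return []
    head = f"openid.{alias}.type."
    values = []
    for key, val in fields.items():
        if key.startswith(head) and val == type_uri and key[7:] in signed:
            name = f"{alias}.value.{key[len(head):]}"
            if name in signed and f"openid.{name}" in fields:
                values.append(fields[f"openid.{name}"])
    return values

def flickr_binding(entered, query_string):
    """Classify the assertion; signature and discovery are assumed already verified."""
    fields = {k: v[0] for k, v in parse_qs(query_string).items()}
    signed = set(fields.get("openid.signed", "").split(","))
    claimed = fields.get("openid.claimed_id", "")
    if "claimed_id" not in signed or not claimed:
        return ("rejected", None)
    if is_photos_url(claimed):
        # A typed Photos URL must come back unchanged; "flickr.com" lets the OP choose.
        if is_photos_url(entered) and norm(entered) != norm(claimed):
            return ("mismatch", claimed)
        return ("claimed_id", claimed)
    ax = [v for v in signed_ax_values(fields, signed, FLICKR_AX_TYPE) if is_photos_url(v)]
    return ("ax", ax[0]) if ax else ("unconfirmed", claimed)

# Constructed sample: Photos URL not enabled as an OpenID, default identifier returned.
SAMPLE = "openid.signed=claimed_id,identity&openid.claimed_id=https://default-id.example/a/PLACEHOLDER"
print(flickr_binding("http://flickr.com/photos/benschwarz", SAMPLE))
```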