[OpenID] Automatic login with checkid_immediate (Was: Re: Facebook support for OpenID. Where?)

Chris Messina chris.messina at gmail.com
Wed May 20 16:15:46 UTC 2009


2009/5/20 André Luís <andreluis.pt at gmail.com>

> Just want to throw these 2 cents into the discussion..
>
> The fact that, if I'm logged into my provider, I'm simply swept off my
> feet and dragged into my facebook account feels very unnatural. In an
> exclusively usability perspective, the action should *always* start by
> user initiative. At least there should be a prompt suggesting "We've
> detected you're logged into ___insert__provider___. <button>Come on
> in</button>".
>
> Have they addressed this? Is this behavior only temporary?
>

I think this is worth its own thread, especially since this new behavior is
different than what happens at most OpenID relying parties.
Luke Shepard wrote up how he made this happen on his blog, so it shouldn't
come as a surprise that he implemented it exactly as he said he would:

http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/
http://www.sociallipstick.com/2009/02/?y%25/how-to-accept-openid-in-a-popup-without-leaving-the-page/

The basic idea is to use checkid_immediate against a list of known OPs and
automatically log the user in to Facebook if they're signed in to one of
those accounts AND they've linked their accounts.

From an interaction perspective, there are two pieces to this puzzle:

1. does the user associate account linking with automatic sign in?
2. is the ideal behavior to automatically sign someone in to an RP if
they're already signed into their OP, or should there be some manual step at
the RP to cause an authentication action?

...and, further complicating things, should it depend on the nature of the
RP?

Already the question has been raised about whether this violates principles
of user-centric design (principles which I think I need to review,
personally) or whether it increases convenience and the value of using
OpenID.

That the behavior at first alarmed me suggests that Luke got something right
— since I wasn't expecting it — but upon reflection, the behavior actually
makes sense.

After all, if we're talking about browser-based identity (at the level of
the browser, rather than the level of the OS) then perhaps it makes sense to
make it easy to present ONE identity across all the sites that you're
visiting in a single browser session. If you're signed in to your Gmail
account and you use your Gmail account as your OpenID, why wouldn't you want
to automatically be signed in to all the sites that you've linked your Gmail
identity to (that's rhetorical — I can think of reasons too)?

Or, put another way — if we conceptually imagine identity existing at the
level of the browser session ("identity in the browser"), then when you
visit a site, your identity should be easy to express to the site, without
relying on any tricks or sleight of hand... that is: "For this browser
session, I will use this identity and every site that uses or requires
identity will be provided with this identity — and I will not have to go
back through painful redirects to assert my identity — it should just work."

This is different from how most geeks probably think about or approach
identity on the web — but I think most people actually probably only have
one account that they reuse over and over again (we really need data here!).

If, when someone goes to sign up for a new service they ultimately use the
same username or email address anyway, why can't the browser not only
"fill-in the form" for them, but do away with the form ritual altogether?

And so when we think about what Facebook has done here, I think we should
start from the perspective of serving the 80% or 90% of users who largely
maintain one or two accounts that could be useful for identity, and that
they're likely to start up their browsing session by visiting one of those
accounts and signing in.

Starting there, our challenge is to make this experience more obvious to
people — and easy to master.

Perhaps the best user experience in this respect is on the XBOX or Wii when
you choose which profile or character you want to play as. Why shouldn't
identity be as easy on the web?

The last thing I'll say about this, which we covered a bit at IIW, is single
sign-out. In OpenID 2.1, in order to support the flow that Facebook has
pushed here, I think we need to make a final determination about what it
means to "log out" — whether logging out from an RP also signs you out from
your OP or not. Anecdotally, Eric Sachs from Google pointed out that once
various Google acquisitions (YouTube, Blogger, etc) were converted to use
Google's account system, people stopped signing out of them because they
realized that signing out of YouTube would sign them out of their Gmail
session and they didn't want that... so what does it mean when a service
auto-logs you in and you attempt to sign out, but since you're still logged
in to your OP, you're automatically signed back in? Super fail or what?

Chris

-- 
Chris Messina
Open Web Advocate

factoryjoe.com // diso-project.org // openid.net
This email is:   [ ] bloggable    [X] ask first   [ ] private
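One way a relying party could handle the checkid_immediate responses in the flow described above, including the auto-login-after-sign-out problem raised at the end of the message. This is an added example, not code from the post or from Facebook's implementation; the function names, the linked_accounts table and the session "signed_out" flag are assumptions, and it assumes the OpenID library has already verified the assertion's signature (passed in as signature_valid).

```python
from urllib.parse import urlencode, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"


def build_immediate_request(op_endpoint, claimed_id, return_to, realm):
    """Build the checkid_immediate URL the RP sends to one known OP.
    The OP must answer without user interaction, so this is safe to
    issue for every OP the user has linked."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def decide_auto_login(response_qs, linked_accounts, session, signature_valid):
    """Decide what the RP should do with an OP's reply to checkid_immediate.

    response_qs     : query string the OP appended to return_to
    linked_accounts : assumed mapping claimed_id -> local user id (the linking table)
    session         : assumed per-browser-session dict; "signed_out" is set by the
                      RP's own logout handler so a live OP session cannot silently
                      log the user straight back in
    signature_valid : result of the OpenID library's signature check (assumed done)
    Returns (action, local_user) with action in {"login", "prompt", "ignore"}."""
    r = {k: v[0] for k, v in parse_qs(response_qs).items()}
    mode = r.get("openid.mode")
    # OpenID 2.0 negative answer, or the 1.1 form (id_res + user_setup_url):
    # the OP needs the user present, so never auto-login and never redirect.
    if mode == "setup_needed" or (mode == "id_res" and "openid.user_setup_url" in r):
        return ("ignore", None)
    if mode != "id_res" or not signature_valid:
        return ("ignore", None)
    # The user explicitly logged out of the RP this session: show the
    # "we've detected you're logged in, come on in?" prompt instead.
    if session.get("signed_out"):
        return ("prompt", None)
    # Auto-login only for identities the user previously linked here.
    local = linked_accounts.get(r.get("openid.claimed_id"))
    if local is None:
        return ("prompt", None)
    return ("login", local)
```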