[OpenID] Feedback requested: New OpenID RP login UX prototype

Andrew Arnott andrewarnott at gmail.com
Sun Nov 1 14:40:05 UTC 2009


Thanks, Peter.  Responses inline.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Sun, Nov 1, 2009 at 7:18 AM, Peter Williams <home_pw at msn.com> wrote:

>   The mechanisms for parallel account linking are all there (as
> advertised). They work in practice with infocard (I only tested the personal
> card variety.)
>
>
>
> I used a personal infocard to sign in. One “token” is displayed on profile
> page. Presumably, this is the representation of the old SAML1 token
> communicated to the RP in original infocard signaling design.
>
>
>
> On the profile page, I bound a second infocard to the RP account using the
> infocard button on the PROFILE page. Second “token” is added to list of
> tokens. This showcases the desired parallel account linking.
>
>
>
> Since there is an infocard button (which invokes the card selector assigned
> to the per-USER profile page), I was wondering why there would NOT be an
> openid selector button. You see now how I got to asking: why not a similar
> openid selector?
>
Putting an InfoCard selector button next to an OpenID selector button would
*not* be consistent with the UI the user saw during login, where the
InfoCard selector was side-by-side with the several other buttons that make
up the "openid+infocard" selector that they saw during login.

Perhaps just a simple "bind another login token" button that brings up the
original selector is best, since it will resemble what the user logged in
with most closely.

>
>
> Anyways, there is no such selector. But, in compensation, I entered
> yahoo.com in the openid text box playing its role, which seems to test
> for metadata availability before presenting a login button. This seems to be
> some kind of composite, server-side user control. Presumably, in the era of
> host-meta, this control’s initializer would do the google-dance to ensure an
> app-domain has cloud endpoints that the RP trusts to speak for that domain.
> Errors in handling that trust or having user compensate for such issues
> would be handled within this control’s UI.
>
>
>
> So I then used the login button on the openid user control, which induced
> yahoo to present content in a signin frame (where the yahoo site appeared to
> detect interoperability issues on the url passing over control [see below],
> and which appeared to present a yahoo-originated error report). A trial with
> myopenid produced similar interoperability failure results (it hangs on the
> myopenid site, apparently).
>

Thanks for pointing out the missing RP discovery endpoint that Yahoo
reported.  I forgot about that page.  I haven't had any problem with the
myopenid hang you described.  Does it happen repeatedly for you?  And what
"hangs" exactly?

>
>
> The logout button seems tied to the attempted interworking with yahoo. This
> seems to imply you may have a mental model that the “last” openid/card bound
> to the account (even from a profile management page) will be the one that
> binds to the logout button of the entire site. This begs the question Nate
> is famous for posing: is the user's mental model of logout on any given IDP
> site consistent with actual state.
>
The logout button doesn't "bind" to any openid/card at all.  It just clears
the user's auth ticket cookie with that RP.

>
>
>
> https://open.login.yahooapis.com/openid/op/auth?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=IKXoaIrmjUUWMyiC1hzVBt8gQCcGvaDi8.7GXaLI9azVaqB3HAIj19Rudo_o867PIEpkR3QQpYZyTp1pLJ1ksLUHETO724R57Rrx5i47FBkqbqKBpUVu9wEGSqEq2FDVL3w0Kg--&openid.return_to=http%3A%2F%2Fopenidux.dotnetopenauth.net%2FMembers%2FAccountInfo.aspx%3Fdnoa.uipopup%3D1%26dnoa.popupUISupported%3D1%26dnoa.UsePersistentCookie%3DSession%26dnoa.receiver%3Dctl00_Body_openIdBox%26index%3D0%26dnoa.userSuppliedIdentifier%3Dyahoo.com%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fopen.login.yahooapis.com%252Fopenid%252Fop%252Fauth%26dnoa.claimed_id%3D&openid.realm=http%3A%2F%2Fopenidux.dotnetopenauth.net%2F&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.alias3=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.alias3.lang=en-US&openid.alias3.mode=popup
>
>
>