[OpenID] Feedback requested: New OpenID RP login UX prototype

Andrew Arnott andrewarnott at gmail.com
Fri Oct 23 20:03:14 UTC 2009


Thanks, Allen.  Inline...

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Thu, Oct 22, 2009 at 10:35 PM, Allen Tom <atom at yahoo-inc.com> wrote:

>  Hi Andrew -
>
> The RP UX looks very promising, and it'll be really slick with just a
> little more polish.
>
> Can you make the Yahoo popup a bit wider? Although the UI Draft spec says
> that the popup is supposed to be 450px wide, Yahoo's popup is 500px wide.
> (our users prefer larger fonts)
>

Yes, I'll make the change.

>
> Also, as per your blog post, Yahoo displays a warning for RPs that don't
> implement RP discovery.
> http://blog.nerdbank.net/2008/06/why-yahoo-says-your-openid-site.html
>

Doh!  How did I forget that?  I've corrected it.

>
>
> Because the OpenID authentication response exceeds 2KB, the Yahoo OP
> automatically sends the response via HTTP POST, which results in a degraded
> user experience. (browser warnings when switching from HTTPS to HTTP) and
> also a "blank white page" for the autosubmitting form. I'm very surprised
> that the response exceeds 2KB on your demo site, because generally speaking,
> OpenID responses that don't use AX or OAuth Hybrid almost never exceed 2KB.
> I think your demo has an unusually large return_to URL, which is
> contributing to the oversized response.
>

Yes, the return_to is large.  DotNetOpenAuth does some return_to signatures
to boost RP security, but in this case it's not serving any security
purpose.  I'll correct that.


>
> On the Yahoo OP side of things, we're working on ways to shrink the size of
> our responses to try to stay under the 2KB limit. For instance, we'll be
> removing the PAPE responses unless they were requested, and we'll try to
> shrink the size of our association handles.
>
> Also, as others have reported, the browser plugin warning is a bit
> distracting. I'm running WinXP with Firefox. Presumably this should be fairly
> easy to fix.
>

This should be fixed now.


>
> Good job!
> Allen
>
>
>
>
> Andrew Arnott wrote:
>
>  OpenID RP login UX
>
> Live demo location: http://openidux.dotnetopenauth.net/
>
> Design considerations
>
> The DNOA login UX design document
> <http://docs.google.com/Doc?docid=0AXB25E7fZcQCZGY1bm40ampfMTkxaHJ2emZya3M&hl=en>
> contains the design spec, and some of the reasoning that went into that design.
>
> One high-level goal of all this work is to produce a set of HTML, CSS, and
> JS files that can work on any web platform, so that ruby, python, php,
> coldfusion, and (of course) ASP.NET <http://asp.net/> RP web sites can
> benefit from a better UI for logging users in.
>
> Interesting scenarios to experiment with and/or test
>
>    - Login by clicking on Members Only. This invokes the full page
>    redirect login UI.
>    - Login by clicking Login in the upper-right corner of the page. This
>    invokes the popup dialog UI.
>    - Visit the account management page and add additional
>    OpenIDs or InfoCards to your account so you can log in with multiple
>    identities yet be recognized as holding just one account.
>    - Login multiple times, using various OPs. Notice first that we
>    highlight the button you chose the prior time. This helps the user not
>    splinter his identity on a return visit in the event he has accounts with
>    more than one displayed OP.
>    - Notice that in the login UI some OPs support checkid_immediate, and
>    on a return visit, a green checkmark appears in the lower-right corner of
>    an OP button when an immediate login is available. If a green checkmark is
>    not visible on an OP button, a popup window will be used to guide the user
>    through the initial login process. Some OPs (such as Verisign and Yahoo) do
>    not support checkid_immediate, and will never display green checkmarks.
>    - When logging in, try using the OpenID button. Notice that as soon as
>    you finish typing, discovery on that identifier begins and a login
>    button appears within the text box. Next time you visit, the UX will
>    remember what identifier you typed in and help you log in again.
>    - Try using the OpenID button with an identifier that delegates to
>    multiple OPs. Notice how the Login button that appears to help you go
>    through checkid_setup (if no checkid_immediate requests come back positive)
>    is a split button, allowing you to actually pick which OP to log in with,
>    and these OPs are in priority order (adjusted for OPs that are down or
>    misbehaving, which are moved to the bottom).
>
> Special release notes
>
> In this iteration, I've elected to go with the popup dialog approach to
> displaying the login UI rather than a popup browser window. This is still
> alterable, and your feedback and/or preferences on this decision are most
> welcome.
>
> The current set of OP buttons displayed include 4 OPs: Google, Yahoo,
> Verisign and MyOpenID. The last two of these do not fit the qualifications
> given in the design document, but they are included here to assist in the
> feedback process, and because I don't know how to make four buttons (Google,
> Yahoo, OpenID and InfoCard) look good, so I jumped up from three to six.
>
> In the OpenID text box area, after authentication completes a green
> checkmark is displayed, but sometimes no login button appears to complete
> login. This is a UX issue I haven't figured out how to solve yet. But the
> way to proceed with login is to click the original, large OpenID button
> again.
>
> The browsers I've tested with are IE8, Chrome 3, Firefox 3.5 and Safari 4.
> If you test with other/older browsers, please leave feedback about how your
> experience was. But currently I'm not targeting older browsers, so any bug
> reports regarding backward compatibility may not be fixed.
>
> How to leave feedback
>
> Just reply to this message.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
>
>
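The size arithmetic behind the 2KB point discussed in this thread, as an added example that is not part of the original messages and is not DotNetOpenAuth or Yahoo code: it builds an OpenID 2.0 positive assertion as a GET redirect and shows how a large return_to pushes it past the limit. The 2048-byte reading of "2KB", the `op.example` and `rp.example` hosts, the `rp.state` parameter and all field values are assumptions constructed for illustration.

```python
from urllib.parse import urlencode

LIMIT = 2048  # the thread's "2KB"; the exact byte count is an assumption

def assertion_fields(return_to, assoc_handle="h" * 40):
    """OpenID 2.0 positive-assertion fields; all values are constructed samples."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid/op/auth",
        "openid.claimed_id": "https://op.example/a/user123",
        "openid.identity": "https://op.example/a/user123",
        "openid.return_to": return_to,
        "openid.response_nonce": "2009-10-23T20:03:14Zabcdef",
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
        "openid.sig": "A" * 28,  # placeholder with the length of a base64 HMAC-SHA1
    }

def redirect_url(fields):
    """GET delivery: the response fields are appended to the return_to URL,
    so return_to is carried twice (once raw, once percent-encoded)."""
    return_to = fields["openid.return_to"]
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(fields)

def delivery(fields, limit=LIMIT):
    """'GET' if the redirect fits under the limit, else 'POST' (auto-submit form)."""
    return "GET" if len(redirect_url(fields)) <= limit else "POST"

def breakdown(fields):
    """Encoded size of each key=value pair, largest first."""
    sizes = {k: len(urlencode({k: v})) for k, v in fields.items()}
    return sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)

# Constructed return_to values: a bare one, and one carrying 900 characters of
# RP-side signed state in a hypothetical "rp.state" parameter.
PLAIN = assertion_fields("http://rp.example/login")
BLOATED = assertion_fields("http://rp.example/login?rp.state=" + "s" * 900)

if __name__ == "__main__":
    for name, fields in (("plain", PLAIN), ("bloated", BLOATED)):
        print(name, len(redirect_url(fields)), delivery(fields))
        print("  largest:", breakdown(fields)[:2])
```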