<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Ben,<br>
<br>
We're really happy to see RPs accept Flickr OpenIDs, because there's a
lot of interesting things that RPs can potentially do with Flickr
identities. In particular, a user's Flickr Profile and Photos pages
contain plenty of interesting microformats that could be used by RPs to
personalize the experience for Flickr users.<br>
<br>
Currently, Flickr users must explicitly enable their Flickr Photos URL
to be used as an OpenID. To do this, you can go to
<a class="moz-txt-link-freetext" href="http://openid.yahoo.com">http://openid.yahoo.com</a> and click the big "Get Started" button. After
signing in with the Yahoo ID that is associated with the Flickr
account, you'll be able enable your Flickr Photos URL as an OpenID by
expanding the "Show Customization Options" arrow at the bottom of the
screen.<br>
<br>
Once you've enabled your Flickr Photos URL as an OpenID, you'll be able
to type in your Flickr Photos URL onto an RP site and have it returned
in the OpenID assertion. You can also just type in "flickr.com" and use
directed identity.<br>
<br>
If you have not enabled your Flickr Photos URL as an OpenID, we will
return the default Yahoo OpenID (the ugly machine generated hashed
identifier) in the assertion.<br>
<br>
After reading this, you're probably wondering why this is so
convoluted. When we launched our OpenID service a year ago, we were
required to issue machine generated OpenIDs (the ugly hashed ones) to
users by default, unless they explicitly asked for a personalized
identifier. Our lawyers also insisted that all Yahoo/Flickr users who
wanted to use their account as an OpenID explicitly enable their
account for OpenID and agree to a new Terms of Service. The whole User
Experience (UX) of enabling an account for OpenID, agreeing to a ToS,
and then selecting a personalized identifier proved to be a horrendous
UX with very high dropoff rates, which we formally studied, documented,
and released to the OpenID Community here:
<a class="moz-txt-link-freetext" href="http://developer.yahoo.com/openid/bestpractices.html">http://developer.yahoo.com/openid/bestpractices.html</a><br>
<br>
We can probably optimize the experience a bit by changing the UX flow
to ask the user to enable their Flickr account as an OpenID when the
authentication request contains a flickr.com URL. <br>
<br>
An alternative approach (and probably better) would be to use Attribute
Exchange to share the Flickr Photos URL with the RP, and to keep the
default Yahoo OpenID identifier. There's even a Flickr URL attribute
defined in the official AX schema:<br>
<a class="moz-txt-link-freetext" href="http://www.axschema.org/types/">http://www.axschema.org/types/</a><br>
<br>
If you have any more questions or feedback regarding Flickr OpenIDs,
please don't hesitate to contact me directly, or on this list.<br>
<br>
Allen<br>
<br>
<br>
Ben Schwarz wrote:
<blockquote cite="mid:4A813294-2B82-455E-A95C-38EB4C75C63B@gmail.com"
type="cite">
<div>So without my users specifically saying:</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space: pre;"> </span>Hi,
I'm <a moz-do-not-send="true"
href="http://flickr.com/photos/benschwarz">http://flickr.com/photos/benschwarz</a><br>
</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space: pre;"> </span>No
really, I'm <a moz-do-not-send="true"
href="http://flickr.com/photos/benschwarz">http://flickr.com/photos/benschwarz</a><br>
</div>
<div><br>
</div>
<div>I cannot confirm that they own the Flickr account that they
originally ID'd with.</div>
<div>While this might be an edge case as far as OpenID goes, I
believe it to be highly problematic and somewhat of a barrier for
further OpenID implementations.</div>
<div><br>
</div>
<div>--</div>
<br>
<pre wrap="">
</pre>
</blockquote>
<br>
</body>
</html>