<div class="gmail_quote">2009/5/20 Andr้ Luํs <span dir="ltr"><<a href="http://andreluis.pt">andreluis.pt</a>@<a href="http://gmail.com">gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Just want to throw these 2 cents into the discussion..<br>
<br>
The fact that, if I'm logged into my provider, I'm simply swept off my<br>
feet and dragged into my facebook account feels very unnatural. In an<br>
exclusively usability perspective, the action should *always* start by<br>
user initiative. At least there should be a prompt suggesting "We've<br>
detected you're logged into ___insert__provider___. <button>Come on<br>
in</button>".<br>
<br>
Have they addressed this? Is this behavior only temporary?<br></blockquote></div><div><br></div>I think this is worth its own thread, especially since this new behavior is different than what happens at most OpenID relying parties.<div>
<br></div><div>Luke Shepard wrote up how he made this happen on his blog, so it shouldn't come as a surprise that he implemented it exactly as he said he would:</div><div><br></div><div><a href="http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/">http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/</a></div>
<div><a href="http://www.sociallipstick.com/2009/02/?y%25/how-to-accept-openid-in-a-popup-without-leaving-the-page/">http://www.sociallipstick.com/2009/02/?y%25/how-to-accept-openid-in-a-popup-without-leaving-the-page/</a></div>
<div><br></div><div>The basic idea is to use checkid_immediate against a list of known OPs and automatically log the user in to Facebook if they're signed in to one of those accounts AND they've linked their accounts.</div>
<div><br></div><div>From an interaction perspective, there are two pieces to this puzzle:</div><div><br></div><div>1. does the user associate account linking with automatic sign in?</div><div>2. is the ideal behavior to automatically sign someone in to an RP if they're already signed into their OP, or should there be some manual step at the RP to cause an authentication action?</div>
<div><br></div><div>...and, further complicating things, should it depend on the nature of the RP?</div><div><br></div><div>Already the question has been raised about whether this violates principles of user-centric design (principles which I think I need to review, personally) or whether it increases convenience and the value of using OpenID.</div>
<div><br></div><div>That the behavior at first alarmed me suggests that Luke got something right since I wasn't expecting it but upon reflection, the behavior actually makes sense.</div><div><br></div><div>After all, if we're talking about browser-based identity (at the level of the browser, rather than the level of the OS) then perhaps it makes sense to make it easy to present ONE identity across all the sites that you're visiting in a single browser session. If you're signed in to your Gmail account and you use your Gmail account as your OpenID, why wouldn't you want to automatically be signed in to all the sites that you've linked your Gmail identity to (that's rhetorical I can think of reasons too)?<br clear="all">
<br></div><div>Or, put another way if we conceptually imagine identity existing at the level of the browser session ("identity in the browser"), then when you visit a site, your identity should be easy to express to the site, without relying on any tricks or sleight of hands... that is: "For this browser session, I will use this identity and every site that uses or requires identity will be provided with this identity and I will not have to go back through painful redirects to assert my identity it should just work."</div>
<div><br></div><div>This is different from how most geeks probably think about or approach identity on the web but I think most people actually probably only have one account that they reuse over and over again (we really need data here!).</div>
<div><br></div><div>If, when someone goes to sign up for a new service they ultimately use the same username or email address anyway, why can't the browser not only "fill-in the form" for them, but do away with the form ritual altogether?</div>
<div><br></div><div>And so when we think about what Facebook has done here, I think we should start from the perspective of serving the 80% or 90% of users who largely maintain one or two accounts that could be useful for identity, and that they're likely to start up their browsing session by visiting one of those accounts and signing in.</div>
<div><br></div><div>Starting there, our challenge is to make this experience more obvious to people and easy to master.</div><div><br></div><div>Perhaps the best user experience in his respect is on the XBOX or Wii when you choose which profile or character you want to play as. Why shouldn't identity be as easy on the web?</div>
<div><br></div><div>The last thing I'll say about this, which we covered a bit at IIW, is single sign-out. In OpenID 2.1, in order to support the flow that Facebook has pushed here, I think we need to make a final determination about what it means to "log out" whether logging out from an RP also signs you out from your OP or not. Anecdotally, Eric Sachs from Google pointed out that once various Google acquisitions (YouTube, Blogger, etc) were converted to use Google's account system, people stopped signing out of them because they realized that signing out of YouTube would sign them out of their Gmail session and they didn't want that... so what does it mean when a service auto-logs you in and you attempt to sign out, but since you're still logged in to your OP, you're automatically signed back in? Super fail or what?</div>
<div><br></div><div>Chris</div><div><br>-- <br>Chris Messina<br>Open Web Advocate<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> // <a href="http://diso-project.org">diso-project.org</a> // <a href="http://openid.net">openid.net</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>