<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 11 (filtered medium)">
<title>Re: [OpenID] Facebook support for OpenID. Where?</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:595.3pt 841.9pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="blue">
<div class="Section1">
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">Luke’s immediate constraint of introducing OpenID with no design changes to the Facebook front page is interesting.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">Currently, if you are not logged into your OP (or it rejects checkid_immediate for any other reason) you cannot login to Facebook with
OpenID from their front page. I wonder if clicking the “Log in” button without filling in the email address or password fields could be a (not totally unintuitive) signal to trigger a checked_setup OpenID flow.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">Currently, if your browser does not have Facebook’s “openid_p” cookie there is no way to login with OpenID – you have to use your Facebook
password. I wonder if clicking “Log in” after filling in your email address, but leaving the password field blank, could be a signal to try an OpenID flow (probably checkid_setup)?<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">[This option has a slight privacy implication. It allows anyone to determine which OP a given email is associated with (enter the email
address and see which OP you are redirected to). I doubt this is a blocker, and a preference to disable the feature could be introduced if it is important.]<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">André,<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">The only functionality on the Facebook front page is “Log in” and “Sign Up” – there is no other content. Hence automatic login without
an explicit prompt seems quite reasonable. Going to the page was an explicit decision by a user to login.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<div>
<div>
<p><b><font size="3" color="navy" face="Arial"><span lang="FR" style="font-size:12.0pt;
font-family:Arial;color:navy;font-weight:bold">James Manger</span></font></b><font color="navy"><span style="color:navy">
<br>
<a href="mailto:James.H.Manger@team.telstra.com"><font size="2" face="Arial"><span lang="FR" style="font-size:10.0pt;font-family:Arial">James.H.Manger@team.telstra.com</span></font></a>
<br>
</span></font><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;
font-family:Arial;color:navy">Identity and security team</span></font><font color="navy"><span style="color:navy">
</span></font><font size="2" color="navy" face="Tahoma"><span style="font-size:10.0pt;font-family:Tahoma;color:navy">—</span></font><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;
color:navy"> Chief Technology Office</span></font><font color="navy"><span style="color:navy">
</span></font><font size="2" color="navy" face="Tahoma"><span style="font-size:10.0pt;font-family:Tahoma;color:navy">—</span></font><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;
color:navy"> Telstra</span></font><font color="navy"><span style="color:navy"><o:p></o:p></span></font></p>
<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><o:p> </o:p></span></font></p>
</div>
</div>
</div>
</body>
</html>