[jumping in]<div><br></div><div>Hi Chris, I'm the LinkedIn guy who presented at the OpenID Summit on Monday.</div><div><br></div><div>Indeed, we have many partners rolling their own Login with LinkedIn using our existing OAuth flow. <a href="http://coworkers.com">coworkers.com</a> is another good example, albeit a registration case instead of login. And we have developers in the forum requesting improvements for this use case - the most common request is for an endpoint that immediately redirects if an existing grant is available (the user never sees the Providers's page if they've already given permission), as is the case with Sign-in-with-Twitter.</div>
<div><br></div><div>At the risk of conflating protocols, I do think there is raw potential for an "identity and profile" extension to OAuth. IDPs which carry a lot of sensitive profile information (like LinkedIn) can probably never hand it out to arbitrary, unknown RPs ... but we already have an OAuth solution for managing our relationship with third parties (registration, terms of use, signing), so why not leverage that?</div>
<div><br></div><div>Basic pieces would include:</div><div><ul><li>An endpoint which will redirect immediately if the user is (a) signed in and (b) has an existing access grant for the requesting party.</li><ul><li>optionally, there could be an 'immediate report' option to this endpoint which will return immediately even in the negative case (i.e. signaling that the user would be prompted). Useful for background calls to detect a user's state and then adapt UX.</li>
<li>It's important to keep the "always prompt" endpoint so that concerned developers can make sure users understand what's happening.</li></ul><li>A standard field for returning a stable user_id. And probably some additional metadata: in the LinkedIn case, our member_ids are actually per-developer-key, so it might be useful to signal that in a standard way.</li>
<li>A mechanism for third parties to invalidate a token ("Logout Completely"). If the third party detects that the wrong LinkedIn-user is connected to an account on their side (UX confusion, etc), they can be good citizens and invalidate the underlying token, then send the current user back through the full flow to get it fixed. </li>
<li>A standard field for identifying a profile endpoint which (if called with the access token) will return the user's profile in an extensible way. I'm sure there's an Open solution for the basic data (ax, poco, etc) but it's likely that we (LI) will always have <i>some</i> unique info so would love to just pass the extra stuff back in a json blob somewhere.</li>
</ul><div>My idea here is not to push the wrong things into OAuth, but rather help out the extremely common use case of a developer saying "I just want to import that user's profile after getting their permission". Would be great if the various OAuth libraries had a getProfile() method that worked consistently. Even though results would be heterogenous and provider-specific - that's alright for many (most?) developers.</div>
</div><div><br></div><div>As to user experience reports on the grant duration (1-day, 1 month, Indefinite) , we don't have good data yet. Honestly the platform hasn't been open for long enough :-). But I do have anecdotal reports that users like the 1-day grant - it lets them try out subscription-style / ongoing services and not worry about dealing with the third-party's cancellation later.</div>
<div><br></div><div>I do not know if users have sufficiently grok'd the concept of an IDP's "Application Permissions Management Page". Would love to chat on common UX issues around that.</div><div><br></div>
<div>Of course, apologies for rambling about this on an OpenID list :-P</div><div><br></div><div>-- Mike</div><div><br><div class="gmail_quote">On Wed, Apr 7, 2010 at 1:19 PM, Paul Lindner <span dir="ltr"><<a href="mailto:lindner@inuus.com">lindner@inuus.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div style="word-wrap:break-word">We have not done much in the way of usability studies on this page. We do know that most users will grant access 'until revoked', which is not too surprising since that's the default choice.<div>
<br></div><div>The partner can (and does) get a stable identifier by sending a query to a rest endpoint that returns the member ID for the current token (and other information). It's the equivalent of a PoCo @self request.</div>
<div><br><div><br></div><div><br><div><div>On Apr 7, 2010, at 10:43 AM, Chris Messina wrote:</div><br><blockquote type="cite">Have you done any usability studies on this flow/screen? Any idea whether people understand the "duration" dropdown? And — given that <a href="http://elegant.ly/" target="_blank">elegant.ly</a> is using the OAuth token to figure out identity — if and when the token expires — do they still have a stable identifier for the user?<div>
<br></div><div>Chris<br><br><div class="gmail_quote">On Wed, Apr 7, 2010 at 10:26 AM, Paul Lindner <span dir="ltr"><<a href="mailto:lindner@inuus.com" target="_blank">lindner@inuus.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">The screen you see is LinkedIn's standard OAuth Authorization Screen. When you click on the sign-in button it hits the 3rd party backend, which hits our requestToken endpoint, the resulting token is immediately used to redirect to the LinkedIn Authorize page. If you're logged out you're going to see the Email/Password fields. In all cases we prompt for the duration of the access grant. Once access is granted we redirect back to the originating site.<div>
<br></div><div>It appears that <a href="http://elegant.ly/" target="_blank">elegant.ly</a> then associates the retrieved access token with a cookie/session on their domain.</div><div><br></div><div>Very slick.</div><div>
<br>
</div><div><div><br><div><div>On Apr 7, 2010, at 9:05 AM, Chris Messina wrote:</div><br><blockquote type="cite"><div bgcolor="#FFFFFF"><div>Interesting. </div><div><br></div><div>But while the signin button doesn't come from you, the OAuth page you're redirected to does. </div>
<div><br></div><div>How else is that page intended to be used?</div><div><br></div><div>Chris<br><br>Sent from my iPhone 2G</div><div><br>On Apr 7, 2010, at 6:09 AM, Paul Lindner <<a href="mailto:lindner@inuus.com" target="_blank">lindner@inuus.com</a>> wrote:<br>
<br></div><div></div><blockquote type="cite"><div>Hi all,<div><br></div><div>This SignIn button is not something we've designed. However it shows that people will apply existing technology to solve their problems. In fact it's not that much different than 'Sign-in With Twitter' if you think about it...<div>
<div></div><div><br>
<br><div class="gmail_quote">On Wed, Apr 7, 2010 at 5:00 AM, <span dir="ltr"><<a href="mailto:openid-general-request@lists.openid.net" target="_blank"></a><a href="mailto:openid-general-request@lists.openid.net" target="_blank">openid-general-request@lists.openid.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Nice interface, thanks for sharing.<br>
<br>
A bit of Bo-Hoo at LinkedIn for using "Sign In" which seems to<br>
indicate log in when it's not really.<br>
But perhaps no one cares. Is authn and authz just an academic<br>
difference in the wild?<br>
<br>
The world will keep turning...<br>
<br>
<br>
On Fri, Apr 2, 2010 at 7:06 PM, Chris Messina <<a href="mailto:chris.messina@gmail.com" target="_blank"></a><a href="mailto:chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>> wrote:<br>
> Take a look at this:<br>
> visit <a href="http://elegant.ly/" target="_blank"></a><a href="http://elegant.ly/" target="_blank">http://elegant.ly</a> and click the "Sign In" button...<br>
> You end up at LinkedIn where you're essentially doing an OAuth dance for<br>
> sign in.<br>
> Interesting, eh?<br>
> Chris<br>
><br>
> --<br>
> Chris Messina<br>
> Open Web Advocate, Google<br>
><br>
> Personal: <a href="http://factoryjoe.com/" target="_blank"></a><a href="http://factoryjoe.com/" target="_blank">http://factoryjoe.com</a><br>
> Follow me on Buzz: <a href="http://buzz.google.com/chrismessina" target="_blank"></a><a href="http://buzz.google.com/chrismessina" target="_blank">http://buzz.google.com/chrismessina</a><br>
> ...or Twitter: <a href="http://twitter.com/chrismessina" target="_blank"></a><a href="http://twitter.com/chrismessina" target="_blank">http://twitter.com/chrismessina</a><br>
><br>
> This email is: ? [X] shareable ? ?[ ] ask first ? [ ] private<br>
><br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@lists.openid.net" target="_blank"></a><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank"></a><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
><br>
></div></blockquote></div><br></div></div></div>
</div></blockquote><div><div></div><div><blockquote type="cite"><div><span>_______________________________________________</span><br><span>general mailing list</span><br><span><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a></span><br>
<span><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a></span><br></div></blockquote></div></div></div></blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate, Google<br><br>Personal: <a href="http://factoryjoe.com/" target="_blank">http://factoryjoe.com</a><br>Follow me on Buzz: <a href="http://buzz.google.com/chrismessina" target="_blank">http://buzz.google.com/chrismessina</a> <br>
...or Twitter: <a href="http://twitter.com/chrismessina" target="_blank">http://twitter.com/chrismessina</a> <br><br>This email is: [ ] shareable [X] ask first [ ] private<br>
</div>
</blockquote></div><br></div></div></div><br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br></blockquote></div><br></div>