[OpenID] XAuth critiques

[Peter Watkins]

On Wed, Jun 09, 2010 at 07:40:45AM -0700, John Panzer wrote:
> On Wed, Jun 9, 2010 at 1:58 AM, Ben Laurie <benl at google.com> wrote:

> > I don't quite understand what you mean by "click OK" in this case? The
> > user will be presented with a choice of IdPs and will have to choose
> > one - there is no "OK" to click. However, having the user choose which
> > IdP to present to the RP seems like a win to me, regardless of whether
> > this is in-browser or xauth JS. See http://www.links.org/?p=938.

> My interpretation: In the common case, the user would have exactly one IdP
> and would be choosing whether to tell the RP about it -- so in effect it'd
> be an OK button.

There's a thread on the XAuth mailing list about using XAuth for discovering
multiple protocols -- OpenID, OExchange, Portable Contacts. Thinking about
Chris' NASCAR "Share" example -- identity assertion is only one "social"
service that a website might offer for a user. XAuth has the potential to
do more than simply help people log in with a preferred IdP. When a visitor
to my website wants to Share a page, we offer basically three sorts of 
NASCAR links: microblogging (Twitter), social graph (Facebook) and email
(mailto: and various URLs for launching compose pages on major webmail
providers). In none of those cases do I need the visitor to authenticate to
me -- I simply want to make it easy for the visitor to spread the word
about my website.

So I imagine that it won't be just one IdP, that it won't be just one OK
button. The question will be "Which of your social networking sites do
you mind this site knowing that you use?". And it will include more than 
just IdPs (also sites that don't provide traditional "identity" assertions,
but rather provide services, or perhaps provide assertions without 
identification). I imagine a (NASCAR) interface with some blanket options 
like "None of them" and "Any social network site I use".

-Peter