openid implementation advice

Ben Clemens bclemens at currentmedia.com
Sat Feb 14 00:52:28 UTC 2009 

This is invaluable, thank you! I am working it into the code I have right
now!

Something that could improve this situation would be a spec of some kind
that allowed RPs to show prominent messaging on the OP¹s authorization
screen about what the access would and would not be used for. It¹s there now
I know, but not strongly enough to help beat back some of the negative
experiences people have had...


On 2/13/09 4:25 PM, "Breno de Medeiros" <breno at google.com> wrote:

> Ben, there is a js popup library on step2.googlecode.com
> <http://step2.googlecode.com>  that we plan to keep updated with any
> agreements that evolve on the OpenID space about handling popups.  I would
> appreciate your feedback.
> 
> The library can be found at:
> 
> http://code.google.com/p/step2/source/browse/code/java/trunk/example-consumer/
> src/main/webapp/popuplib.js
> 
> On Fri, Feb 13, 2009 at 4:10 PM, Ben Clemens <bclemens at currentmedia.com>
> wrote:
>> I really appreciate the reply, and I understand the large problems of
>> breaking a security model; I imagine the "big button that spawns a pop-up"
>> solution is where we will have to go. Perhaps I just have to accept the
>> "least bad" scenario given the limitations that exist, but it is hard to
>> "embrace." :) 
>> 
>> 
>> On 2/13/09 2:16 PM, "Luke Shepard" <lshepard at facebook.com
>> <http://lshepard@facebook.com> > wrote:
>> 
>>> First, these mocks look pretty sweet. It's clear you've done a lot of
>>> thinking about the experience of a relying party.
>>> 
>>> Steps 1,2, and 4 can all be done on your site, and for step 3, there's no
>>> need to break security policy by using an iframe. I think the providers are
>>> working on better designs that make it completely clear what's happening to
>>> the user so as to require minimal context from the RP. However, if you
>>> really want to tell the user what's happening before they click, then I
>>> suggest making an iframe lightbox explaining what's happening, then giving
>>> them a big fat Google button to click on, which spawns the popup. That would
>>> seem to accomplish the same goals.
>>> 
>>> If they weren't already, I'm pretty sure Google and others will start
>>> putting iframe-busting Javascript to make this kind of thing impossible.
>>> 
>>> We are working on putting together a best practices doc on the wiki as a
>>> result of the UX summit on Tuesday. Any feedback would be appreciated:
>>> http://wiki.openid.net/Details-of-UX-Best-Practices-for-RPs
>>> 
>>> On 2/13/09 1:10 PM, "Ben Clemens" <bclemens at currentmedia.com
>>> <http://bclemens@currentmedia.com> > wrote:
>>> 
>>>> Hi:
>>>> 
>>>> I'm a designer working on an OpenID (and FB Connect) implementation for
>>>> current.com <http://current.com> , a social news site from Current TV (a
>>>> cable TV channel). I've
>>>> consulted with Chris Messina and wanted to ask this group for advice on the
>>>> design I have so far.
>>>> 
>>>> The largest issue for me has been attempting to do parts of the process in
>>>> a
>>>> pop-up window. While the domain of the site the user is providing their
>>>> credentials to is a gigantic issue of course, the issue of *what exactly
>>>> current.com <http://current.com>  will use the account access for* is *even
>>>> bigger* for users I've
>>>> talked with. Users do not want to provide access if we will be adding items
>>>> to their account without their permission, and after a pop-up is launched
>>>> (or there's a redirect), I have no ability to message the user about what
>>>> my
>>>> site will do with the access they are providing. So, this version of the
>>>> design loads the external auth into an iFrame (now, excuse me while I cower
>>>> behind a mattress and prepare for the tomatoes and other thrown objects).
>>>> 
>>>> Thanks in advance for any feedback, advice, criticism, and an obvious, easy
>>>> way around these issues :)
>>>> 
>>>> http://labs.current.com/openid/currentauth_1_default.png
>>>> http://labs.current.com/openid/currentauth_2_openid_identity.png
>>>> http://labs.current.com/openid/currentauth_3_openid_auth.png
>>>> http://labs.current.com/openid/currentauth_4_openid_link.png
>>>> 
>>>> Ben Clemens
>>>> current.com <http://current.com>
>>>> 
>>>> _______________________________________________
>>>> user-experience mailing list
>>>> user-experience at openid.net <http://user-experience@openid.net>
>>>> http://openid.net/mailman/listinfo/user-experience
>>>> 
>>> 
>>> 
>>> _______________________________________________
>>> user-experience mailing list
>>> user-experience at openid.net <http://user-experience@openid.net>
>>> http://openid.net/mailman/listinfo/user-experience
>> 
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
>> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-user-experience/attachments/20090213/c5795e6d/attachment-0001.htm>

More information about the user-experience mailing list