openid implementation advice
Dirk Balfanz
dirk.balfanz at gmail.com
Sat Feb 14 18:37:03 UTC 2009
On Fri, Feb 13, 2009 at 4:52 PM, Ben Clemens <bclemens at currentmedia.com> wrote:
> This is invaluable, thank you! I am working it into the code I have right
> now!
>
> Something that could improve this situation would be a spec of some kind
> that allowed RPs to show prominent messaging on the OP's authorization
> screen about what the access would and would not be used for. It's there now
> I know, but not strongly enough to help beat back some of the negative
> experiences people have had...
Yes, we have been thinking about this, too.
The alternative, of course, is to "prime" the user enough on the RP
before you send them off to the OP so that they aren't surprised
there. We're starting to get very good completion rates with such
"generic" OP approval pages:
http://www.readwriteweb.com/archives/comcast_property_sees_92_success_rate_openid.php.
Dirk.
>
> On 2/13/09 4:25 PM, "Breno de Medeiros" <breno at google.com> wrote:
>
> Ben, there is a js popup library on step2.googlecode.com that we plan to keep
> updated with any agreements that evolve on the OpenID space about handling
> popups. I would appreciate your feedback.
>
> The library can be found at:
>
> http://code.google.com/p/step2/source/browse/code/java/trunk/example-consumer/src/main/webapp/popuplib.js
>
> On Fri, Feb 13, 2009 at 4:10 PM, Ben Clemens <bclemens at currentmedia.com>
> wrote:
>
> I really appreciate the reply, and I understand the large problems of
> breaking a security model; I imagine the "big button that spawns a pop-up"
> solution is where we will have to go. Perhaps I just have to accept the
> "least bad" scenario given the limitations that exist, but it is hard to
> "embrace." :)
>
>
> On 2/13/09 2:16 PM, "Luke Shepard" <lshepard at facebook.com> wrote:
>
> First, these mocks look pretty sweet. It's clear you've done a lot of
> thinking about the experience of a relying party.
>
> Steps 1, 2, and 4 can all be done on your site, and for step 3, there's no
> need to break security policy by using an iframe. I think the providers are
> working on better designs that make it completely clear what's happening to
> the user so as to require minimal context from the RP. However, if you
> really want to tell the user what's happening before they click, then I
> suggest making an iframe lightbox explaining what's happening, then giving
> them a big fat Google button to click on, which spawns the popup. That would
> seem to accomplish the same goals.
>
> If they weren't already, I'm pretty sure Google and others will start
> putting iframe-busting JavaScript to make this kind of thing impossible.
>
> We are working on putting together a best practices doc on the wiki as a
> result of the UX summit on Tuesday. Any feedback would be appreciated:
> http://wiki.openid.net/Details-of-UX-Best-Practices-for-RPs
>
> On 2/13/09 1:10 PM, "Ben Clemens" <bclemens at currentmedia.com> wrote:
>
> Hi:
>
> I'm a designer working on an OpenID (and FB Connect) implementation for
> current.com, a social news site from Current TV (a cable TV channel). I've
> consulted with Chris Messina and wanted to ask this group for advice on the
> design I have so far.
>
> The largest issue for me has been attempting to do parts of the process in a
> pop-up window. While the domain of the site the user is providing their
> credentials to is a gigantic issue of course, the issue of *what exactly
> current.com will use the account access for* is *even bigger* for users I've
> talked with. Users do not want to provide access if we will be adding items
> to their account without their permission, and after a pop-up is launched
> (or there's a redirect), I have no ability to message the user about what my
> site will do with the access they are providing. So, this version of the
> design loads the external auth into an iFrame (now, excuse me while I cower
> behind a mattress and prepare for the tomatoes and other thrown objects).
>
> Thanks in advance for any feedback, advice, criticism, and an obvious, easy
> way around these issues :)
>
> http://labs.current.com/openid/currentauth_1_default.png
> http://labs.current.com/openid/currentauth_2_openid_identity.png
> http://labs.current.com/openid/currentauth_3_openid_auth.png
> http://labs.current.com/openid/currentauth_4_openid_link.png
>
> Ben Clemens
> current.com
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience