Auth flows for web widgets?
George Fletcher
gffletch at aol.com
Tue Mar 17 20:17:12 UTC 2009
This actually gets to a question of identity "federation" (OpenID) vs
identity "aggregation" (OAuth). In the case of a widget being displayed,
it really depends on the context in which that widget will be used. In
the example that Allen provided, the iGoogle page is actually a widget
container that uses OAuth to do identity aggregation. Note that I have
to first authenticate to Google with a google account before I can
"authorize" the Yahoo! Updates widget with my Yahoo! account. The
container maintains the Yahoo! access token & secret for the
authenticated Google user so that future displays of the widget don't
require authentication.
In the case of a "temporary" widget where the user just wants to try out
some functionality and not create "long term" tokens, OpenID is probably
a better choice.
However, from a user experience, the UI flow is basically the same. The
user needs to "authorize" the widget to perform some action on the
user's behalf. In order to do so, the user needs to authenticate to the
service provider. The current best practice for this UI is to use a
popup browser window so the user doesn't lose the context of the page
they are on, and the user only enters their authentication credentials
at the site that "owns" them.
To me, this feels a little clunky, but I don't see any alternatives that
don't get back to the "password anti-pattern". Just not sure how to
convince the product teams that this UI flow is a "good thing" :)
Thanks,
George
Dominik Schwind wrote:
> Actually that sounds more like a job for OAuth than OpenId? Did you
> have a look into that one before?
>
> On Tue, Mar 17, 2009 at 6:37 PM, George Fletcher <gffletch at aol.com> wrote:
>
>> Hi,
>>
>> I'm wondering if anyone has developed UX flows for web based "widgets" that
>> don't implement the "password anti-pattern"? Most widgets that require an
>> identity provide an "authentication form" on the "back" of the widget. I'm
>> trying to figure out how to propose a good user experience that doesn't
>> require the "password anti-pattern". For instance, it seems weird to pop up a
>> browser window from the "back" of a widget. Just wondering if anyone has
>> examples for solving this. I realize a widget container can help... but I'm
>> looking for the standalone solution right now.
>>
>> Thanks,
>> George
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
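The container-side "identity aggregation" George describes above (authenticate to the container first, open a popup at the provider's own site, then keep the provider's access token and secret keyed to the container user so later displays need no login) modelled in Python. This is an added example written for this archive page, not code from the thread or from any widget container; the provider name, URLs, and the OAuth 1.0a-style token/secret handshake are simulated and constructed for illustration. The point it demonstrates is that the widget and its container never see the provider password, which is what avoids the "password anti-pattern".

```python
"""Minimal model of a widget container doing identity aggregation.
Everything here is a constructed simulation: the provider, its URLs and
its token formats stand in for a real OAuth 1.0a-style service."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Provider:
    """Simulated service provider (think "Yahoo! Updates"). It is the only
    party that ever handles the user's password; everyone else gets tokens."""
    name: str
    base_url: str
    _pending: dict = field(default_factory=dict)  # request_token -> verifier
    _access: dict = field(default_factory=dict)   # access_token -> secret

    def request_token(self) -> str:
        token = secrets.token_hex(8)
        self._pending[token] = None
        return token

    def authorize_url(self, request_token: str) -> str:
        # The container opens this in a popup; the user logs in *here*,
        # on the provider's site, never on the back of the widget.
        return f"{self.base_url}/authorize?oauth_token={request_token}"

    def user_authorizes(self, request_token: str) -> str:
        """Simulates the user authenticating at the provider and clicking
        'Allow'; returns the verifier the popup hands back to the container."""
        if request_token not in self._pending:
            raise ValueError("unknown request token")
        verifier = secrets.token_hex(4)
        self._pending[request_token] = verifier
        return verifier

    def exchange(self, request_token: str, verifier: str) -> tuple:
        """Trade an authorized request token for a long-lived token + secret."""
        if self._pending.get(request_token) != verifier:
            raise PermissionError("verifier mismatch")
        del self._pending[request_token]
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._access[token] = secret
        return token, secret

    def fetch(self, token: str, signature: str, payload: bytes) -> str:
        """Serve a signed API call; the secret never travels, only an HMAC."""
        secret = self._access.get(token)
        if not secret:
            raise PermissionError("unknown access token")
        expected = hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        return f"{self.name} data for token {token[:4]}..."


class WidgetContainer:
    """The iGoogle-like page. `user` is the identity already authenticated
    to the container (the "first authenticate to Google" step)."""

    def __init__(self):
        self._tokens: dict = {}   # (container_user, provider) -> (token, secret)
        self._pending: dict = {}  # (container_user, provider) -> request_token

    def needs_authorization(self, user: str, provider: Provider) -> bool:
        return (user, provider.name) not in self._tokens

    def begin_authorization(self, user: str, provider: Provider) -> str:
        """Step 1: get a request token and return the popup URL."""
        rt = provider.request_token()
        self._pending[(user, provider.name)] = rt
        return provider.authorize_url(rt)

    def complete_authorization(self, user: str, provider: Provider, verifier: str):
        """Step 2: popup returns a verifier; store the access token for this user."""
        rt = self._pending.pop((user, provider.name))
        self._tokens[(user, provider.name)] = provider.exchange(rt, verifier)

    def render_widget(self, user: str, provider: Provider) -> str:
        """Later displays use the stored token; no new login is required."""
        if self.needs_authorization(user, provider):
            raise LookupError("no stored token; open the authorization popup first")
        token, secret = self._tokens[(user, provider.name)]
        payload = b"GET /updates"
        sig = hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()
        return provider.fetch(token, sig, payload)


def demo() -> tuple:
    """Run the full flow once and return (needed_before, needed_after, view1, view2)."""
    yahoo = Provider("Yahoo! Updates", "https://provider.example/oauth")  # constructed
    box = WidgetContainer()
    user = "alice@container.example"  # constructed container identity
    before = box.needs_authorization(user, yahoo)
    popup_url = box.begin_authorization(user, yahoo)
    request_token = popup_url.split("oauth_token=")[1]
    verifier = yahoo.user_authorizes(request_token)  # happens inside the popup
    box.complete_authorization(user, yahoo, verifier)
    after = box.needs_authorization(user, yahoo)
    return before, after, box.render_widget(user, yahoo), box.render_widget(user, yahoo)


if __name__ == "__main__":
    print(demo())
```

Two things to notice: the container stores only the provider's token and secret, never the provider password, so a compromised container exposes revocable tokens rather than reusable credentials; and `render_widget` succeeds on every later display without another popup, which is the "future displays don't require authentication" property described above.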