MySpace OpenID Popup spotted in the wild

Chris Messina chris.messina at
Sat May 2 16:13:33 UTC 2009

On Sat, May 2, 2009 at 4:05 PM, DeWitt Clinton <dewitt at> wrote:

> Not "bait and switch" at all.  The site owner is the one that says
> type="login", thereby explicitly asking the client to inject the user's
> preferred identity if possible.
> Though your comment makes me realize that this isn't exactly login.  It's
> more the site saying "I need an identity here.  If you, the browser, can
> supply one on behalf of the user, please do.  Otherwise, you can have them
> fill out whatever HTML form exists here and I'll do it myself."

I think that's what I was getting at... that is, something that essentially
indicates "accepts_identification". What it does with that identification,
who knows... This is kind of what I think InfoCards should be used for — and
I actually tend to think that their card metaphor is the right one here.

How does InfoCard currently detect authentication? From the signin page for, it would appear that they embed an OBJECT in the page:

<OBJECT type="application/x-informationCard"
  <PARAM Name="tokenType"
  <PARAM Name="issuer"
  <PARAM Name="requiredClaims"
  <PARAM Name="optionalClaims"

I think we need something lighter weight... I don't know if this belongs in
/site-meta, but the ability to detect whether a page 1) accepts
identification 2) already has an identity associated with it seems the
pertinent opportunity here.

>> Perhaps an alternative would be a meta tag or something like a
>> rel-authenticate, to indicate that the page could be authenticated against?
>> In this way, the browser could pop a dialog like "would you like to
>> signin/connect to this site?" Once the user closes the browser or indicates
>> a desire to end her session, the browser would be able to sign the user out
>> of all their active sessions; upon resuming, the browser could
>> auto-authenticate the user the next time they revisit the page (similar to
>> Luke's proposal to auto-sign you in today).
> I agree this is necessary.  I suggested using HTTP auth headers, but a
> combination of HTTP headers and a meta tag would be good.

Cool. A metatag would be easiest, but of course we should consider this
against /site-meta.

Chris Messina
Open Web Advocate // // //
This email is:   [ ] bloggable    [X] ask first   [ ] private

More information about the user-experience mailing list