Popup flow

Allen Tom atom at yahoo-inc.com
Sun Sep 20 03:32:36 UTC 2009


Jonathan Coffman wrote:
>
> In seeing Yahoo's announcement of their pop-up flow, and Google's 
> previous migration -- is this quickly becoming the defacto standard?
Hi Jonathan,

Yahoo's usability testing indicates that the new OpenID popup flow 
performs better than the old redirect flow, and this is also consistent 
with Facebook's experience with Connect.

The popup flow is currently an extension, meaning that it's optional, 
and it's the RP's choice to invoke either the popup or redirect. If you 
have the resources to experiment with both flows in a production 
environment, definitely everyone would be very interested in the results.

> Some of my stakeholders are asking for a templated/co-branded 
> experience so that users, when redirected, see a logo, etc from the RP 
> on the sign-up/log-in page for our OP. Obviously, that's not too 
> difficult to do but I feel like the whole argument might be overcome 
> with a simplified OP design by utilizing the popup draft spec.
>
Section 6 in the Draft User Interface spec defines a mechanism for the 
RP to pass its logos to the OP. Showing the RP's logos to the user on 
the OP's approval/login screens definitely is very helpful to users, and 
feedback from our testers in our usability labs was overwhelmingly 
positive when we did this.

Speaking on behalf of Yahoo, there are issues with displaying metadata 
about the RP that was not manually reviewed for correctness by the OP. 
For instance, the RP could be a malicious site that is pretending to be 
a trusted site, such as a bank. The malicious RP could misrepresent 
itself by passing the bank logo to the OP.

Other OPs that are planning to support the RP Icons portion of the UI 
Extension may have other opinions about how important it is for OPs to 
manually verify the RP's logos before displaying them to the user.

An alternative approach for having the RP pass metadata about itself to 
the OP (including icons, name, description) would be to use the OpenID 
OAuth Hybrid Extension, and have all the RP metadata bound to the RP's 
OAuth consumer_key. Most OAuth service providers usually have certain 
business/legal criteria to issue an OAuth consumer_key, and in Yahoo's 
case, business partners are allowed to have logos associated with their 
consumer key, and all of these logos are manually reviewed before being 
enabled.

Thanks
Allen
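As an added example (not code from this thread, Yahoo, or the OpenID specs), here is an OP-side helper contrasting the two approaches discussed above: trusting icon/name parameters the RP passes at request time versus resolving display metadata from a manually reviewed registry keyed by the RP's OAuth consumer_key. The request keys (`openid.realm`, `oauth_consumer_key`, `ui.icon`, `ui.name`) and the registry contents are constructed stand-ins, not the extensions' wire names.

```python
"""OP-side resolution of RP display metadata (illustrative only)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed registry of manually reviewed RP metadata, keyed by OAuth
# consumer_key. Stands in for the OP's partner database; placeholder values.
REVIEWED_RPS = {
    "ck-examplebank-001": {
        "realm": "https://www.examplebank.test",
        "name": "Example Bank",
        "icon": "https://static.examplebank.test/logo.png",
    },
}


@dataclass
class RPDisplay:
    name: str
    icon: Optional[str]
    verified: bool  # True only if the metadata came from the reviewed registry


def _realm_host(request: dict) -> str:
    realm = request.get("openid.realm") or request.get("openid.return_to", "")
    return urlparse(realm).hostname or "unknown"


def resolve_rp_display_unreviewed(request: dict) -> RPDisplay:
    """Weak variant: shows whatever icon/name the RP put in the request.

    A site pretending to be a bank can pass the bank's logo here.
    """
    return RPDisplay(name=request.get("ui.name", _realm_host(request)),
                     icon=request.get("ui.icon"), verified=False)


def resolve_rp_display(request: dict) -> RPDisplay:
    """Hardened variant: request-time icon/name parameters are ignored.

    Metadata is shown only when the request's realm matches the realm
    registered for the supplied consumer_key (exact-host match here; the
    OP's core return_to/realm checks are assumed to have run already).
    """
    host = _realm_host(request)
    entry = REVIEWED_RPS.get(request.get("oauth_consumer_key", ""))
    if entry is None or urlparse(entry["realm"]).hostname != host:
        # Unknown or mismatched RP: fall back to the bare realm host, no logo.
        return RPDisplay(name=host, icon=None, verified=False)
    return RPDisplay(name=entry["name"], icon=entry["icon"], verified=True)
```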

