Popup flow
Jonathan Coffman
jonathan.coffman at gmail.com
Sun Sep 20 20:12:43 UTC 2009
Thanks for the feedback, that's much appreciated. (I got most of my
knowledge of the subject from various wiki pages).
Are there concerns over users with ad-blockers or pop-up blockers and
being able to reach the OpenID flow?
On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:
> Jonathan Coffman wrote:
>>
>> In seeing Yahoo's announcement of their pop-up flow, and Google's
>> previous migration -- is this quickly becoming the de facto standard?
> Hi Jonathan,
>
> Yahoo's usability testing indicates that the new OpenID popup flow
> performs better than the old redirect flow, and this is also
> consistent with Facebook's experience with Connect.
>
> The popup flow is currently an extension, meaning that it's
> optional, and it's the RP's choice to invoke either the popup or
> redirect. If you have the resources to experiment with both flows in
> a production environment, definitely everyone would be very
> interested in the results.
>
>> Some of my stakeholders are asking for a templated/co-branded
>> experience so that users, when redirected, see a logo, etc from the
>> RP on the sign-up/log-in page for our OP. Obviously, that's not too
>> difficult to do but I feel like the whole argument might be
>> overcome with a simplified OP design by utilizing the popup draft
>> spec.
>>
> Section 6 in the Draft User Interface spec defines a mechanism for
> the RP to pass its logos to the OP. Showing the RP's logos to the
> user on the OP's approval/login screens definitely is very helpful
> to users, and feedback from our testers in our usability labs was
> overwhelmingly positive when we did this.
>
> Speaking on behalf of Yahoo, there are issues with displaying
> metadata about the RP that was not manually reviewed for correctness
> by the OP. For instance, the RP could be a malicious site that is
> pretending to be a trusted site, such as a bank. The malicious RP
> could misrepresent itself by passing the bank logo to the OP.
>
> Other OPs that are planning to support the RP Icons portion of
> the UI Extension may have other opinions about how important it is
> for OPs to manually verify the RP's logos before displaying them to
> the user.
>
> An alternative approach for having the RP pass metadata about itself
> to the OP (including icons, name, description) would be to use the
> OpenID OAuth Hybrid Extension, and have all the RP metadata bound to
> the RP's OAuth consumer_key. Most OAuth service providers usually
> have certain business/legal criteria to issue an OAuth consumer_key,
> and in Yahoo's case, business partners are allowed to have logos
> associated with their consumer key, and all of these logos are
> manually reviewed before being enabled.
>
> Thanks
> Allen
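
Added example, not part of the original thread and not any OP's actual code: a sketch of the approach described in the quoted message, where the OP shows RP branding only when it is bound to a registered OAuth consumer key and has passed manual review. The registry, its field names and all sample values are hypothetical; the request keys assume the conventional `oauth` alias for the Hybrid extension namespace.

```python
from urllib.parse import urlsplit

# Hypothetical OP-side registry: consumer_key -> metadata recorded when the
# partner was onboarded. Every value here is constructed for illustration.
REGISTRY = {
    "partner-key-1": {
        "realm_host": "shop.example",
        "name": "Example Shop",
        "logo": "/reviewed-logos/partner-key-1.png",
        "reviewed": True,
    },
    "partner-key-2": {
        "realm_host": "news.example",
        "name": "Example News",
        "logo": "/reviewed-logos/partner-key-2.png",
        "reviewed": False,  # uploaded, manual review still pending
    },
}


def rp_branding(params, registry=REGISTRY):
    """Decide what the OP approval page may display for this request.

    Nothing supplied by the RP at request time is trusted for display;
    branding comes only from the OP's own reviewed registry.
    """
    realm = params.get("openid.realm") or params.get("openid.return_to", "")
    host = (urlsplit(realm).hostname or "").lower()
    # Fallback: plain realm host, no logo.
    branding = {"display_name": host or "unknown site", "logo": None}

    entry = registry.get(params.get("openid.oauth.consumer", ""))
    if entry is None:
        return branding
    # The consumer key must belong to the realm making the request, so a
    # site cannot borrow a partner's key to obtain the partner's logo.
    # A wildcard realm host ("*.shop.example") does not match and falls back.
    if host != entry["realm_host"]:
        return branding
    # Unreviewed metadata is never shown.
    if not entry["reviewed"]:
        return branding
    return {"display_name": entry["name"], "logo": entry["logo"]}
```
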