Popup flow

Chris Messina chris.messina at gmail.com
Mon Sep 21 00:38:19 UTC 2009


On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman <
jonathan.coffman at gmail.com> wrote:

>
> Are there concerns over users with ad-blockers or pop-up blockers and being
> able to reach the OpenID flow?


There are some, yes. This needs to be widely tested, but we're able to get
around (read: interact with correctly) because the pop-up is launched by
user action, rather than automatically.

Facebook seems to use this method without a problem, so perhaps Luke has
some insights.

Chris



>
>
> On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:
>
>  Jonathan Coffman wrote:
>>
>>>
>>> In seeing Yahoo's announcement of their pop-up flow, and Google's
>>> previous migration -- is this quickly becoming the de facto standard?
>>>
>> Hi Jonathan,
>>
>> Yahoo's usability testing indicates that the new OpenID popup flow
>> performs better than the old redirect flow, and this is also consistent
>> with Facebook's experience with Connect.
>>
>> The popup flow is currently an extension, meaning that it's optional, and
>> it's the RP's choice to invoke either the popup or redirect. If you have the
>> resources to experiment with both flows in a production environment,
>> definitely everyone would be very interested in the results.
>>
>>  Some of my stakeholders are asking for a templated/co-branded experience
>>> so that users, when redirected, see a logo, etc from the RP on the
>>> sign-up/log-in page for our OP. Obviously, that's not too difficult to do
>>> but I feel like the whole argument might be overcome with a simplified OP
>>> design by utilizing the popup draft spec.
>>>
>>>  Section 6 in the Draft User Interface spec defines a mechanism for the
>> RP to pass its logos to the OP. Showing the RP's logos to the user on the
>> OP's approval/login screens definitely is very helpful to users, and
>> feedback from our testers in our usability labs was overwhelmingly positive
>> when we did this.
>>
>> Speaking on behalf of Yahoo, there are issues with displaying metadata
>> about the RP that was not manually reviewed for correctness by the OP. For
>> instance, the RP could be a malicious site that is pretending to be a
>> trusted site, such as a bank. The malicious RP could misrepresent itself by
>> passing the bank logo to the OP.
>>
>> Other OPs that are planning to support the RP Icons portion of the UI
>> Extension may have other opinions about how important it is for OPs to
>> manually verify the RP's logos before displaying them to the user.
>>
>> An alternative approach for having the RP pass metadata about itself to
>> the OP (including icons, name, description) would be to use the OpenID OAuth
>> Hybrid Extension, and have all the RP metadata bound to the RP's OAuth
>> consumer_key. Most OAuth service providers usually have certain
>> business/legal criteria to issue an OAuth consumer_key, and in Yahoo's case,
>> business partners are allowed to have logos associated with their consumer
>> key, and all of these logos are manually reviewed before being enabled.
>>
>> Thanks
>> Allen
>>
>>
>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-user-experience
>>
>



-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] bloggable    [X] ask first   [ ] private
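
The reply above says the pop-up survives blockers because it is opened by user action, and the quoted message notes the RP may invoke either the popup or the redirect. The following is an added example, not code from this thread or from any OP or RP: it opens the popup from a click handler and falls back to the redirect flow when the blocker wins. The endpoint, return_to, realm and element id are constructed placeholders; the `openid.ui.mode=popup` parameter names come from the OpenID UI Extension draft, not from the messages here.

```javascript
// Constructed placeholder values (assumptions, not taken from the thread).
const OP_ENDPOINT = "https://op.example/openid/auth";
const RETURN_TO = "https://rp.example/openid/return";
const SELECT = "http://specs.openid.net/auth/2.0/identifier_select";

// Build the OpenID 2.0 checkid_setup request; only the popup variant
// carries the UI extension parameters.
function buildAuthUrl(mode) {
  const u = new URL(OP_ENDPOINT);
  const p = u.searchParams;
  p.set("openid.ns", "http://specs.openid.net/auth/2.0");
  p.set("openid.mode", "checkid_setup");
  p.set("openid.claimed_id", SELECT);
  p.set("openid.identity", SELECT);
  p.set("openid.return_to", RETURN_TO);
  p.set("openid.realm", "https://rp.example/");
  if (mode === "popup") {
    p.set("openid.ns.ui", "http://specs.openid.net/extensions/ui/1.0");
    p.set("openid.ui.mode", "popup");
  }
  return u.toString();
}

// Call this only from inside a click or keypress handler: blockers allow
// window.open during a user gesture and typically suppress it otherwise.
// `win` is the window object, passed in so the logic can be exercised offline.
function startLogin(win) {
  const popup = win.open(buildAuthUrl("popup"), "openid_popup",
                         "width=450,height=500");
  // A blocked popup is returned as null; some blockers hand back a
  // window that is already closed.
  if (!popup || popup.closed) {
    win.location.href = buildAuthUrl("redirect"); // full-page redirect flow
    return "redirect";
  }
  popup.focus();
  return "popup";
}

// Browser wiring; "openid-login" is a hypothetical button id.
if (typeof document !== "undefined") {
  document.getElementById("openid-login")
    ?.addEventListener("click", () => startLogin(window));
}
```
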