Popup flow

David Recordon recordond at gmail.com
Mon Sep 21 23:10:33 UTC 2009


Hey Darren,
Yeah, you're right.  My philosophy is that I'd rather give an
application which I trust to some degree my password once and have it
throw it away, rather than either a poor user experience bouncing me
through a browser or it keeping my password forever.

--David

On Mon, Sep 21, 2009 at 4:02 PM, Darren Bounds <darren at cliqset.com> wrote:
> Hey David,
>
> Not speaking about iframes specifically in this case but rather the
> fact that the use of UIWebView controls being used within iPhone
> applications is generally considered 'ok' for OAuth handshakes. Both
> suffer from credential interception weaknesses and rely on user trust
> due to the lack of a visible address bar.
>
> Darren
>
>
> On Mon, Sep 21, 2009 at 6:36 PM, David Recordon <recordond at gmail.com> wrote:
>> Hey Darren,
>> I'm confused.  The OAuth protocol doesn't use embedded iframes either.
>>  It supports redirects like OpenID and now via the OpenID User
>> Experience Extension combined with the OpenID and OAuth Hybrid
>> protocol, popups.
>>
>> --David
>>
>> On Mon, Sep 21, 2009 at 1:28 PM, Darren Bounds <dbounds at gmail.com> wrote:
>>> I find it curious that these compromises have been embraced by the
>>> OAuth community to support a greater UX but they are not being
>>> embraced by OpenID. After all, isn't an iPhone UIWebView control just
>>> a different type of iFrame? You're still trusting parent application
>>> not to do something malicious.
>>>
>>> On Mon, Sep 21, 2009 at 12:24 PM, Chris Messina <chris.messina at gmail.com> wrote:
>>>> 2009/9/21 Steven Livingstone Pérez <weblivz at hotmail.com>
>>>>>
>>>>> I would have thought an IFrame injected into the page wouldn't cause popup
>>>>> issues.
>>>>
>>>> Injected iframes are a bad idea — especially ones that ask you to enter your
>>>> credentials.
>>>> Indeed, while the injected iframe approach has certainly usability benefits
>>>> (i.e. no new windows to lose track of) they present untenable security
>>>> issues that, ultimately, mean that they cannot be used.
>>>> Facebook has been somewhat erratic in its enforcement of the popup flow —
>>>> making exceptions for certain partners. The problem is not the good actors
>>>> who implement the technology correctly, though, it's that users don't
>>>> develop an expectation to look for the popup, which affords them certain
>>>> security-enhancing signals, like the URL bar, the presence of the HTTPS
>>>> indicator and so on.
>>>> Even if most people ignore these things, for those who *know* to inspect
>>>> them, the popup is an order of magnitude more security-preserving.
>>>>
>>>>>
>>>>> Are the popups generally going to be new window instances? I'd be surprised
>>>>> if this is the suggested way.
>>>>
>>>> I think we'll go through a transitional period. The big OpenID provider
>>>> would likely prefer the popup method — which is less obtrusive than the full
>>>> window redirect, which can be confusing for some users.
>>>> More usability research is needed here — and that research needs to be
>>>> shared with the wider community so that we understand what the typical user
>>>> mental model is of signing in — and whether they can comprehend why they're
>>>> sent back to their provider, rather than logged in directly.
>>>> Chris
>>>>
>>>>>
>>>>> steven
>>>>> http://livz.org
>>>>>
>>>>> ________________________________
>>>>> Date: Sun, 20 Sep 2009 17:38:19 -0700
>>>>> Subject: Re: Popup flow
>>>>> From: chris.messina at gmail.com
>>>>> To: openid-user-experience at lists.openid.net
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman
>>>>> <jonathan.coffman at gmail.com> wrote:
>>>>>
>>>>> Are there concerns over users with ad-blockers or pop-up blockers and
>>>>> being able to reach the OpenID flow?
>>>>>
>>>>> There are some, yes. This needs to be widely tested, but we're able to get
>>>>> around (read: interact with correctly) because the pop-up is launched by
>>>>> user action, rather than automatically.
>>>>> Facebook seems to use this method without a problem, so perhaps Luke has
>>>>> some insights.
>>>>> Chris
>>>>>
>>>>>
>>>>> On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:
>>>>>
>>>>> Jonathan Coffman wrote:
>>>>>
>>>>> In seeing Yahoo's announcement of their pop-up flow, and Google's previous
>>>>> migration -- is this quickly becoming the de facto standard?
>>>>>
>>>>> Hi Jonathan,
>>>>>
>>>>> Yahoo's usability testing indicates that the new OpenID popup flow
>>>>> performs better than the old redirect flow, and this is also consistent
>>>>> with Facebook's experience with Connect.
>>>>>
>>>>> The popup flow is currently an extension, meaning that it's optional, and
>>>>> it's the RP's choice to invoke either the popup or redirect. If you have the
>>>>> resources to experiment with both flows in a production environment,
>>>>> definitely everyone would be very interested in the results.
>>>>>
>>>>> Some of my stakeholders are asking for a templated/co-branded experience
>>>>> so that users, when redirected, see a logo, etc from the RP on the
>>>>> sign-up/log-in page for our OP. Obviously, that's not too difficult to do
>>>>> but I feel like the whole argument might be overcome with a simplified OP
>>>>> design by utilizing the popup draft spec.
>>>>>
>>>>> Section 6 in the Draft User Interface spec defines a mechanism for the RP
>>>>> to pass its logos to the OP. Showing the RP's logos to the user on the OP's
>>>>> approval/login screens definitely is very helpful to users, and feedback
>>>>> from our testers in our usability labs was overwhelmingly positive when we
>>>>> did this.
>>>>>
>>>>> Speaking on behalf of Yahoo, there are issues with displaying metadata
>>>>> about the RP that was not manually reviewed for correctness by the OP. For
>>>>> instance, the RP could be a malicious site that is pretending to be a
>>>>> trusted site, such as a bank. The malicious RP could misrepresent itself by
>>>>> passing the bank logo to the OP.
>>>>>
>>>>> Other OPs that are planning to support the RP Icons portion of the UI
>>>>> Extension may have other opinions about how important it is for OPs to
>>>>> manually verify the RP's logos before displaying them to the user.
>>>>>
>>>>> An alternative approach for having the RP pass metadata about itself to
>>>>> the OP (including icons, name, description) would be to use the OpenID OAuth
>>>>> Hybrid Extension, and have all the RP metadata bound to the RP's OAuth
>>>>> consumer_key. Most OAuth service providers usually have certain
>>>>> business/legal criteria to issue an OAuth consumer_key, and in Yahoo's case,
>>>>> business partners are allowed to have logos associated with their consumer
>>>>> key, and all of these logos are manually reviewed before being enabled.
>>>>>
>>>>> Thanks
>>>>> Allen
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> user-experience mailing list
>>>>> user-experience at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-user-experience
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Chris Messina
>>>>> Open Web Advocate
>>>>>
>>>>> Personal: http://factoryjoe.com
>>>>> Follow me on Twitter: http://twitter.com/chrismessina
>>>>>
>>>>> Citizen Agency: http://citizenagency.com
>>>>> Diso Project: http://diso-project.org
>>>>> OpenID Foundation: http://openid.net
>>>>>
>>>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Chris Messina
>>>> Open Web Advocate
>>>>
>>>> Personal: http://factoryjoe.com
>>>> Follow me on Twitter: http://twitter.com/chrismessina
>>>>
>>>> Citizen Agency: http://citizenagency.com
>>>> Diso Project: http://diso-project.org
>>>> OpenID Foundation: http://openid.net
>>>>
>>>> This email is:   [ ] shareable    [X] ask first   [ ] private
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> Thank you,
>>> Darren Bounds
>>>
>>
>
>
>
> --
> darren bounds
> darren at cliqset.com
>
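The thread above notes two practical properties of the popup flow: the popup survives blockers because it is opened from a user action, and it keeps the address bar and HTTPS indicator visible where an injected iframe hides them. The following is an added example written for this archive page; it is not code from any participant, from Facebook, Yahoo or any OpenID library. It assumes the RP has already built the full OP authentication URL (`authUrl`) exactly as it would for the redirect flow, and that the popup's return page hands its result back to the opener with `postMessage` (the message shape `{ type: 'openid_return' }` is an assumption of this example, not something the UI Extension prescribes).

```javascript
// Added example, not from the thread or any OpenID library.
// Opens the OP in a popup from a click handler and falls back to the
// ordinary redirect flow when the browser's popup blocker refuses the window.

// Ask for a visible address bar: the URL and the HTTPS indicator are the
// signals a user can still inspect in a popup but never in an injected iframe.
const POPUP_FEATURES = 'width=450,height=500,location=yes,status=yes,toolbar=no,menubar=no';

// deps.open / deps.redirect default to the browser APIs; tests inject fakes
// so the logic can run outside a browser.
function launchPopupFlow(authUrl, deps = {}) {
  const open = deps.open || ((url, name, features) => window.open(url, name, features));
  const redirect = deps.redirect || ((url) => { window.location.assign(url); });

  // A blocked popup surfaces as a null handle (or a handle that is already
  // closed). Calling open() outside a user gesture is the usual cause.
  const popup = open(authUrl, 'openid_popup', POPUP_FEATURES);
  if (!popup || popup.closed) {
    redirect(authUrl);
    return { mode: 'redirect' };
  }
  popup.focus();
  return { mode: 'popup', handle: popup };
}

// The popup must be opened synchronously inside the click handler; an await,
// fetch() or setTimeout before open() loses the user-gesture context and the
// blocker will treat the window as automatic.
function wireLoginButton(button, authUrl) {
  button.addEventListener('click', (event) => {
    event.preventDefault();
    launchPopupFlow(authUrl);
  });
}

// When the popup lands on the RP's return_to page it can notify the opener.
// Accept only messages from the RP's own origin; anything else is ignored.
function isTrustedReturnMessage(event, rpOrigin) {
  return Boolean(event && event.origin === rpOrigin &&
                 event.data && event.data.type === 'openid_return');
}

function installReturnListener(win, rpOrigin, onResult) {
  win.addEventListener('message', (event) => {
    if (!isTrustedReturnMessage(event, rpOrigin)) return;
    // The actual assertion is still verified server-side; the message only
    // tells the opener that the round trip finished.
    onResult(event.data);
  });
}
```

The fallback matters for the users Jonathan asked about: a blocked popup degrades to the redirect flow instead of a silent failure, and the same `authUrl` serves both paths, so the RP's verification of the returned assertion is unchanged.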


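Allen's point about RP logos is that metadata asserted by the RP in the OpenID request cannot be trusted for display, while metadata bound to a reviewed OAuth consumer_key can. The following added example shows an OP-side decision function built on that idea; it is not Yahoo's code or part of any OpenID or OAuth implementation. The registry contents, the request field names (`realm`, `consumerKey`, `rpIconUrl`) and the icon URLs are constructed for the example. The check that the consumer_key's registered realm matches the request's realm is this example's own addition: consumer_key is not secret, so without it a hostile RP could name a reviewed partner's key to borrow its branding.

```javascript
// Added example, not from the thread or from any OP's code.
// Decides which RP branding the OP may show on its approval/login screen.
// The RP-supplied icon from the request is never rendered; only metadata
// held by the OP for a reviewed consumer_key is, and only when the key's
// registered realm matches the realm in the request.

// Constructed registry: what the OP stores when it issues a consumer_key.
// `reviewed` is true only after a human has checked the name and logo.
const REVIEWED_RPS = new Map([
  ['ck_examplebank', { name: 'Example Bank', realmHost: 'examplebank.example',
                       iconUrl: 'https://op.example/rp-icons/examplebank.png', reviewed: true }],
  ['ck_newapp',      { name: 'New App', realmHost: 'newapp.example',
                       iconUrl: 'https://op.example/rp-icons/newapp.png', reviewed: false }],
]);

// Host component of an OpenID realm, or null if the realm does not parse.
function realmHost(realm) {
  try { return new URL(realm).host; } catch (e) { return null; }
}

// request: { realm, consumerKey?, rpIconUrl? }
// rpIconUrl is the self-asserted icon from the request and is ignored on purpose.
function resolveRpDisplay(request, registry = REVIEWED_RPS) {
  const host = realmHost(request.realm);
  if (!host) return { name: null, iconUrl: null, source: 'invalid-realm' };

  const rp = request.consumerKey ? registry.get(request.consumerKey) : undefined;
  if (rp && rp.reviewed && rp.realmHost === host) {
    // Reviewed partner whose registered realm matches: show the OP-hosted logo.
    return { name: rp.name, iconUrl: rp.iconUrl, source: 'reviewed-consumer-key' };
  }

  // Unknown, unreviewed, or realm mismatch: show only the realm host the user
  // is actually authorising, with no logo. A site pretending to be a bank then
  // appears under its own hostname rather than the bank's branding.
  return { name: host, iconUrl: null, source: 'realm-only' };
}
```

The `source` field is there so the approval screen can render the two cases differently (for instance, a plain hostname with no branding strip for `realm-only`), which keeps the review-gated logo meaningful as a signal.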