Popup flow

jDavid jdavid.net at gmail.com
Mon Sep 21 23:13:49 UTC 2009


There are a ton of things to consider for OpenID, and unfortunately
the web was not designed for delegated identities.

So here are some thoughts I have.

++ Browser Support ++
We could make a few recommendations to modern browsers to provide added
security for the OpenID experience; maybe this is a plug-in.

So, one thing I don't like about browsers today is how they support
iFrames that are on an HTTPS port/server.  There needs to be a better
way to know when some parts of a page are being rendered in a secure
fashion.

There have also been talks about defining a custom tag for the OpenID
login flow; then the login process could be browser-handled if
available, and if the browser fails to report the availability of an
OpenID JavaScript/HTML library, we could resort to old methods.
Doing something like this would force the page to state who they are,
and which sites they are willing to accept a delegated identity from.
The browser could then render a login for a preferred provider like
Yahoo, MySpace, Facebook, Google, Janrain, or it could render a
general flow for people that are just following the spec.  For some
reason or another, it seems that when companies get large enough,
supporting the spec FIRST gets difficult for them (on the plus side
they can afford to hire people to solve problems like those found in
OAuth 2.0).

It is possible to make a plugin that follows the flow for many of the
top sites and checks to see if the flow seems suspicious; so rather
than managing the flow, in this case it would just look for odd
behaviors and info from the RP that seems odd.

++ Portal Browsing ++
I have been wondering how OpenID might function if one were to browse
the web through a portal they owned.  For instance, I have a blog at
http://jdavid.net, and if I had some software at
http://browser.jdavid.net that proxies requests to my browser, I may
be able to browse the web consistently as my identity at
http://jdavid.net; however, if I went to a different location and
browsed through a different proxy, my identity would change.  I only
favor this pattern in that cookie crumbs seem to creep together, and
I am worried about my browser having a set of cookies for one identity
active while logging into a site with a second identity.  It's
information leaks like this that make browsing with segmented
identities difficult.  I don't want to get into the details of it, but
OpenID makes it possible for some sites to look at other sites'
cookies.  While working at MySpace, we could read Facebook's cookies
when users had logged into a site using Facebook Connect.  This means
that Facebook can see which identities on a Facebook Connect site are
also being used.  Using a portal browsing pattern would mean that it
would always be clear who you were navigating the web as.  I can also
see this pattern being integrated into the browser, and I think
Microsoft has been playing around with this idea in various forms like
'Passport' and their new identity software.

++ DNS ++
By overloading some of the functionality in the TXT records of a DNS
record, we should be able to store the location of the directed
identity server; this would allow us to transition email addresses into
potential OpenIDs.  So in this context, if Yahoo.com had a TXT record
that pointed to a valid OpenID delegated identity server, then my
server would know that a Yahoo email address would be a viable OpenID,
and if the DNS did not report such a web service, then the server
could send an automated password to that email address, and the user
could continue.  At some future point, that email address could be
rechecked to see if that domain supports OpenID, and if it does, then
it could use DiSo to report available social services back to my
server.

So these are the OpenID thoughts I have been having, and I wanted to
implement a few of them in my short time at MySpace.  I would love to
know if any of you find any of these compelling.

On Mon, Sep 21, 2009 at 3:36 PM, David Recordon <recordond at gmail.com> wrote:
> Hey Darren,
> I'm confused.  The OAuth protocol doesn't use embedded iframes either.
>  It supports redirects like OpenID and now via the OpenID User
> Experience Extension combined with the OpenID and OAuth Hybrid
> protocol, popups.
>
> --David
>
> On Mon, Sep 21, 2009 at 1:28 PM, Darren Bounds <dbounds at gmail.com> wrote:
>> I find it curious that these compromises have been embraced by the
>> OAuth community to support a greater UX but they are not being
>> embraced by OpenID. After all, isn't an iPhone UIWebView control just
>> a different type of iFrame? You're still trusting the parent application
>> not to do something malicious.
>>
>> On Mon, Sep 21, 2009 at 12:24 PM, Chris Messina <chris.messina at gmail.com> wrote:
>>> 2009/9/21 Steven Livingstone Pérez <weblivz at hotmail.com>
>>>>
>>>> I would have thought an IFrame injected into the page wouldn't cause popup
>>>> issues.
>>>
>>> Injected iframes are a bad idea — especially ones that ask you to enter your
>>> credentials.
>>> Indeed, while the injected iframe approach certainly has usability benefits
>>> (i.e. no new windows to lose track of), they present untenable security
>>> issues that, ultimately, mean that they cannot be used.
>>> Facebook has been somewhat erratic in its enforcement of the popup flow —
>>> making exceptions for certain partners. The problem is not the good actors
>>> who implement the technology correctly, though, it's that users don't
>>> develop an expectation to look for the popup, which affords them certain
>>> security-enhancing signals, like the URL bar, the presence of the HTTPS
>>> indicator and so on.
>>> Even if most people ignore these things, for those who *know* to inspect
>>> them, the popup is an order of magnitude more security-preserving.
>>>
>>>>
>>>> Are the popups generally going to be new window instances? I'd be surprised
>>>> if this is the suggested way.
>>>
>>> I think we'll go through a transitional period. The big OpenID provider
>>> would likely prefer the popup method — which is less obtrusive than the full
>>> window redirect, which can be confusing for some users.
>>> More usability research is needed here — and that research needs to be
>>> shared with the wider community so that we understand what the typical user
>>> mental model is of signing in — and whether they can comprehend why they're
>>> sent back to their provider, rather than logged in directly.
>>> Chris
>>>
>>>>
>>>> steven
>>>> http://livz.org
>>>>
>>>> ________________________________
>>>> Date: Sun, 20 Sep 2009 17:38:19 -0700
>>>> Subject: Re: Popup flow
>>>> From: chris.messina at gmail.com
>>>> To: openid-user-experience at lists.openid.net
>>>>
>>>>
>>>>
>>>> On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman
>>>> <jonathan.coffman at gmail.com> wrote:
>>>>
>>>> Are there concerns over users with ad-blockers or pop-up blockers and
>>>> being able to reach the OpenID flow?
>>>>
>>>> There are some, yes. This needs to be widely tested, but we're able to get
>>>> around (read: interact with correctly) because the pop-up is launched by
>>>> user action, rather than automatically.
>>>> Facebook seems to use this method without a problem, so perhaps Luke has
>>>> some insights.
>>>> Chris
>>>>
>>>>
>>>> On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:
>>>>
>>>> Jonathan Coffman wrote:
>>>>
>>>> In seeing Yahoo's announcement of their pop-up flow, and Google's previous
>>>> migration -- is this quickly becoming the defacto standard?
>>>>
>>>> Hi Jonathan,
>>>>
>>>> Yahoo's usability testing indicates that the new OpenID popup flow
>>>> performs better than the old redirect flow, and this is also consistent
>>>> with Facebook's experience with Connect.
>>>>
>>>> The popup flow is currently an extension, meaning that it's optional, and
>>>> it's the RP's choice to invoke either the popup or redirect. If you have the
>>>> resources to experiment with both flows in a production environment,
>>>> definitely everyone would be very interested in the results.
>>>>
>>>> Some of my stakeholders are asking for a templated/co-branded experience
>>>> so that users, when redirected, see a logo, etc from the RP on the
>>>> sign-up/log-in page for our OP. Obviously, that's not too difficult to do
>>>> but I feel like the whole argument might be overcome with a simplified OP
>>>> design by utilizing the popup draft spec.
>>>>
>>>> Section 6 in the Draft User Interface spec defines a mechanism for the RP
>>>> to pass its logos to the OP. Showing the RP's logos to the user on the OP's
>>>> approval/login screens definitely is very helpful to users, and feedback
>>>> from our testers in our usability labs was overwhelmingly positive when we
>>>> did this.
>>>>
>>>> Speaking on behalf of Yahoo, there are issues with displaying metadata
>>>> about the RP that was not manually reviewed for correctness by the OP. For
>>>> instance, the RP could be a malicious site that is pretending to be a
>>>> trusted site, such as a bank. The malicious RP could misrepresent itself by
>>>> passing the bank logo to the OP.
>>>>
>>>> Other OPs that are planning to support the RP Icons portion of the UI
>>>> Extension may have other opinions about how important it is for OPs to
>>>> manually verify the RP's logos before displaying them to the user.
>>>>
>>>> An alternative approach for having the RP pass metadata about itself to
>>>> the OP (including icons, name, description) would be to use the OpenID OAuth
>>>> Hybrid Extension, and have all the RP metadata bound to the RP's OAuth
>>>> consumer_key. Most OAuth service providers have certain
>>>> business/legal criteria to issue an OAuth consumer_key, and in Yahoo's case,
>>>> business partners are allowed to have logos associated with their consumer
>>>> key, and all of these logos are manually reviewed before being enabled.
>>>>
>>>> Thanks
>>>> Allen
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> user-experience mailing list
>>>> user-experience at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-user-experience
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Chris Messina
>>>> Open Web Advocate
>>>>
>>>> Personal: http://factoryjoe.com
>>>> Follow me on Twitter: http://twitter.com/chrismessina
>>>>
>>>> Citizen Agency: http://citizenagency.com
>>>> Diso Project: http://diso-project.org
>>>> OpenID Foundation: http://openid.net
>>>>
>>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Chris Messina
>>> Open Web Advocate
>>>
>>> Personal: http://factoryjoe.com
>>> Follow me on Twitter: http://twitter.com/chrismessina
>>>
>>> Citizen Agency: http://citizenagency.com
>>> Diso Project: http://diso-project.org
>>> OpenID Foundation: http://openid.net
>>>
>>> This email is:   [ ] shareable    [X] ask first   [ ] private
>>>
>>>
>>>
>>
>>
>>
>> --
>>
>> Thank you,
>> Darren Bounds
>>
>



-- 
Justin Kruger -- Sr. Social Media Software Engineer

http://jDavid.net
http://twitter.com/jdavid

http://www.linkedin.com/in/jdavid

jDavid.net at gmail.com

Anton Freeman: Vincent! How are you doing this Vincent? How have you
done any of this? We have to go back.
Vincent: It's too late for that. We're closer to the other side.
Anton Freeman: What other side? You wanna drown us both?
Vincent: You wanna know how I did it? This is how I did it Anton. I
never saved anything for the swim back.
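Added example (mine, not code from this thread, from Yahoo, Facebook or any OpenID library): the relying-party side of the popup flow that Chris and Allen discuss above, cut down to the checks that stop an injected iframe or a stray window from handing the RP a login result. The OP endpoint, the RP origin, the return_to path and the use of postMessage to relay the OP's response to the opener are assumptions; the openid.* parameter names come from OpenID 2.0 and the openid.ui.mode=popup flag from the User Interface Extension draft.

```javascript
// Added example: RP side of an OpenID popup login. Assumed: the OP endpoint,
// the RP origin/return_to path, and that the return_to page relays the OP
// response to its opener with postMessage.

const OP_ENDPOINT = 'https://op.example.net/openid';   // assumed OP endpoint
const RP_ORIGIN = 'https://rp.example.com';            // the RP's own origin
const RETURN_TO = RP_ORIGIN + '/openid/return';        // page the popup lands on

// RP-generated nonce that ties the popup's result to the window that opened it.
function randomState(bytes = 16) {
  const buf = new Uint8Array(bytes);
  const webcrypto = globalThis.crypto
    || (typeof require === 'function' ? require('node:crypto').webcrypto : null);
  if (!webcrypto) throw new Error('no CSPRNG available');
  webcrypto.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// checkid_setup request for the popup. The state nonce rides on return_to,
// which the OP must echo back unchanged and which is among the signed fields.
function buildAuthUrl(state) {
  const rt = new URL(RETURN_TO);
  rt.searchParams.set('state', state);
  const u = new URL(OP_ENDPOINT);
  const p = u.searchParams;
  p.set('openid.ns', 'http://specs.openid.net/auth/2.0');
  p.set('openid.mode', 'checkid_setup');
  p.set('openid.claimed_id', 'http://specs.openid.net/auth/2.0/identifier_select');
  p.set('openid.identity', 'http://specs.openid.net/auth/2.0/identifier_select');
  p.set('openid.realm', RP_ORIGIN + '/');
  p.set('openid.return_to', rt.toString());
  p.set('openid.ns.ui', 'http://specs.openid.net/extensions/ui/1.0');
  p.set('openid.ui.mode', 'popup');
  return u.toString();
}

// Runs on the return_to page inside the popup: collect the OP's response
// parameters from the query string so they can be handed to the opener.
function parseReturnParams(search) {
  const out = {};
  for (const [k, v] of new URLSearchParams(search)) out[k] = v;
  return out;
}

// Runs in the opener. A result is accepted only if it comes from our own
// return_to page (the RP origin, not the OP's), from the exact window we
// opened, carries the state we issued, and is a positive assertion. An
// injected iframe or some other page cannot satisfy all of these at once.
function acceptPopupResult(event, ctx) {
  if (event.origin !== RP_ORIGIN) return null;
  if (event.source !== ctx.popup) return null;
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (typeof data.state !== 'string' || data.state !== ctx.state) return null;
  if (data['openid.mode'] !== 'id_res') return null;  // cancel / setup_needed
  return data;  // still unverified: the backend must check the OP signature
}

// Browser wiring. window.open is called from the click handler itself so
// popup blockers treat it as user-initiated (the point made in the thread).
function startPopupLogin() {
  const ctx = { state: randomState(), popup: null };
  ctx.popup = window.open(buildAuthUrl(ctx.state), 'openid_popup', 'width=450,height=500');
  const onMessage = (e) => {
    const result = acceptPopupResult(e, ctx);
    if (!result) return;
    window.removeEventListener('message', onMessage);
    ctx.popup.close();
    // POST `result` to the RP backend; it verifies the OP's signature
    // (stored association or check_authentication) before creating a session.
  };
  window.addEventListener('message', onMessage);
}

if (typeof document !== 'undefined') {
  document.getElementById('openid-login')?.addEventListener('click', startPopupLogin);
  // On the return_to page: relay to the opener with an explicit target origin,
  // so the assertion is never delivered to a window that has navigated elsewhere.
  if (window.opener && location.pathname === new URL(RETURN_TO).pathname) {
    window.opener.postMessage(parseReturnParams(location.search), RP_ORIGIN);
  }
}
```

Wire startPopupLogin to the login button's click handler. Note which origin is compared: the message comes from the RP's own return_to page, so the expected origin is the RP's, not the OP's. A passing acceptPopupResult only means the message is well-formed and bound to this window; the backend still has to verify the OP's signature and the return_to/op_endpoint fields before any session is created.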


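Added example, again mine rather than anything from the message: the TXT-record routing idea from the DNS section above as a decision function that either starts OpenID discovery at the OP the mail domain advertises or falls back to mailing a one-time password. The record syntax openid-op=<url>, the fixture domains and lookupTxtFixture are assumptions (no such record format exists in any spec); the fixture stands in for a resolver so the block runs offline.

```javascript
// Added example: route an email-address login via an (assumed) openid-op TXT
// record. The record syntax and all domains below are made up for the example.

// Constructed TXT answers standing in for a resolver (runs offline).
const TXT_FIXTURE = {
  'mail.example.com':   ['v=spf1 -all', 'openid-op=https://op.mail.example.com/openid'],
  'nomail.example.org': ['v=spf1 -all'],
  'weak.example':       ['openid-op=http://op.weak.example/openid'],     // plain http
  'odd.example':        ['openid-op=https://user:pw@op.odd.example/'],   // userinfo
};
function lookupTxtFixture(domain) { return TXT_FIXTURE[domain] || []; }

// Address parsing: one '@', a non-empty local part, and a hostname with at
// least one dot made of hostname characters. The domain is lower-cased so
// 'Alice@Mail.Example.COM' queries the same zone as 'alice@mail.example.com'.
function splitEmail(addr) {
  const m = /^([^@\s]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$/.exec(addr);
  if (!m) return null;
  return { local: m[1], domain: m[2].toLowerCase() };
}

// Pull the OP URL out of the zone's TXT strings. Only https is accepted and
// URLs carrying credentials are refused. The value is untrusted input (DNS
// without DNSSEC can be forged on path), so it only picks where OpenID
// discovery starts; association, signature and return_to / op_endpoint checks
// still run as usual. A malformed first record is a refusal, not a fall-through.
function opFromTxt(records) {
  for (const r of records) {
    if (!r.startsWith('openid-op=')) continue;
    let url;
    try { url = new URL(r.slice('openid-op='.length)); } catch { return null; }
    if (url.protocol !== 'https:' || url.username || url.password) return null;
    return url.toString();
  }
  return null;
}

// The routing decision the message describes. `lookupTxt(domain)` returns the
// zone's TXT strings; in production inject a real resolver (for Node,
// dns.promises.resolveTxt with each record's chunks joined).
function routeEmailLogin(addr, lookupTxt) {
  const parts = splitEmail(addr);
  if (!parts) return { mode: 'invalid' };
  const op = opFromTxt(lookupTxt(parts.domain));
  if (op) return { mode: 'openid', domain: parts.domain, op };
  // No usable OP advertised: prove mailbox control instead. This path trusts
  // the mail transport; a one-time code sent in the clear is readable by
  // anyone who can read the mail in transit or at rest.
  return { mode: 'email_otp', domain: parts.domain };
}
```

The caveat a practitioner would attach: an unsigned TXT answer is attacker-controlled for anyone on path, so it should only choose where discovery begins and never replace the association, signature and return_to checks; and the mailed one-time password fallback is only as strong as the mail path to that address.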