Popup flow

Jonathan Coffman jonathan.coffman at gmail.com
Tue Sep 22 00:10:31 UTC 2009


Do you all have examples of good mobile (or more specifically iPhone)  
OID or oAuth flows?

(And thanks again for all of the great dialogue the last couple of  
days, I'm going to try my hardest to post as much about the system  
we're building as possible for the benefit of the community.)

We're going to try a quick and dirty federated logout (RP pushes  
logout back up to the OP) and see how people respond, I think it might  
make for an interesting case-study as a positive, or maybe even a  
negative?.

-Jonathan

On Sep 21, 2009, at 7:01 PM, Chris Messina wrote:

> To Darren's point — there are OAuth applications that encapsulate  
> the entire experience within an embedded WebKit view, or with an  
> iframe.
>
> This is also bad, but unfortunately, too many developers using OAuth  
> seem willing to sacrifice their customer's security for a better  
> user experience. This is regrettable, to be sure, and selfish at  
> worst.
>
> While OAuth makes the situation better in degrees, the typical OAuth  
> argument suggests that if you're a desktop app, "you can get the  
> user's credentials" if you want them. That's a naive and arrogant  
> perspective, but is quite common.
>
> The point is not whether the developer is evil or not, but whether  
> other applications and actually evil developers are able to take  
> advantage of these behaviors, either to trick users who think that  
> entering their credentials into any username/email + password form  
> is okay, or where other native applications leak a user's passwords  
> because the system itself is infected with some kind of malware. If  
> apps never ask for or accept user passwords, then the worst thing  
> that can happen is based on the permissions afforded the app's  
> tokens — and if the developer is security conscious, he will have  
> only asked for the permissions that he's looking for.
>
> Unfortunately, we're going to have to see a few people get badly  
> burned before this behavior changes.
>
> Remember, we're still largely in the era of desktop-based virus  
> scanners — few people install "virus scanners" in their social  
> networking profiles.
>
> Chris
>
> On Mon, Sep 21, 2009 at 3:36 PM, David Recordon  
> <recordond at gmail.com> wrote:
> Hey Darren,
> I'm confused.  The OAuth protocol doesn't use embedded iframes either.
>  It supports redirects like OpenID and now via the OpenID User
> Experience Extension combined with the OpenID and OAuth Hybrid
> protocol, popups.
>
> --David
>
> On Mon, Sep 21, 2009 at 1:28 PM, Darren Bounds <dbounds at gmail.com>  
> wrote:
> > I find it curious that these compromises have been embraced by the
> > OAuth community to support a greater UX but they are not being
> > embraced by OpenID. After all, isn't an iPhone UIWebView control  
> just
> > a different type of iFrame? You're still trusting parent application
> > not to do something malicious.
> >
> > On Mon, Sep 21, 2009 at 12:24 PM, Chris Messina <chris.messina at gmail.com 
> > wrote:
> >> 2009/9/21 Steven Livingstone Pérez <weblivz at hotmail.com>
> >>>
> >>> I would have thought an IFrame injected into the page woudn't  
> cause popup
> >>> issues.
> >>
> >> Injected iframes are a bad idea — especially ones that ask you to  
> enter your
> >> credentials.
> >> Indeed, while the injected iframe approach has certainly  
> usability benefits
> >> (i.e. no new windows to lose track of) they present untenable  
> security
> >> issues that, ultimately, mean that they cannot be used.
> >> Facebook has been somewhat erratic in its enforcement of the  
> popup flow —
> >> making exceptions for certain partners. The problem is not the  
> good actors
> >> who implement the technology correctly, though, it's that users  
> don't
> >> develop an expectation to look for the popup, which affords them  
> certain
> >> security-enhancing signals, like the URL bar, the presence of the  
> HTTPS
> >> indicator and so on.
> >> Even if most people ignore these things, for those who *know* to  
> inspect
> >> them, the popup is an order of magnitude more security-preserving.
> >>
> >>>
> >>> Is the popups generally going to be new window instances? I'd be  
> surprised
> >>> if the is the suggested way.
> >>
> >> I think we'll go through a transitional period. The big OpenID  
> provider
> >> would likely prefer the popup method — which is less obtrusive  
> than the full
> >> window redirect, which can be confusing for some users.
> >> More usability research is needed here — and that research needs  
> to be
> >> shared with the wider community so that we understand what the  
> typical user
> >> mental model is of signing in — and whether they can comprehend  
> why they're
> >> sent back to their provider, rather than logged in directly.
> >> Chris
> >>
> >>>
> >>> steven
> >>> http://livz.org
> >>>
> >>> ________________________________
> >>> Date: Sun, 20 Sep 2009 17:38:19 -0700
> >>> Subject: Re: Popup flow
> >>> From: chris.messina at gmail.com
> >>> To: openid-user-experience at lists.openid.net
> >>>
> >>>
> >>>
> >>> On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman
> >>> <jonathan.coffman at gmail.com> wrote:
> >>>
> >>> Are there concerns over users with ad-blockers or pop-up  
> blockers and
> >>> being able to reach the OpenID flow?
> >>>
> >>> There are some, yes. This needs to be widely tested, but we're  
> able to get
> >>> around (read: interact with correctly) because the pop-up is  
> launched by
> >>> user action, rather than automatically.
> >>> Facebook seems to use this method without a problem, so perhaps  
> Luke has
> >>> some insights.
> >>> Chris
> >>>
> >>>
> >>> On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:
> >>>
> >>> Jonathan Coffman wrote:
> >>>
> >>> In seeing Yahoo's announcement of their pop-up flow, and  
> Google's previous
> >>> migration -- is this quickly becoming the defacto standard?
> >>>
> >>> Hi Jonathan,
> >>>
> >>> Yahoo's usability testing indicates that the new OpenID popup flow
> >>> performs better than then old redirect flow, and this is also  
> consistent
> >>> with Facebook's experience with Connect.
> >>>
> >>> The popup flow is currently an extension, meaning that it's  
> optional, and
> >>> it's the RP's choice to invoke either the popup or redirect. If  
> you have the
> >>> resources to experiment with both flows in a production  
> environment,
> >>> definitely everyone would be very interested in the results.
> >>>
> >>> Some of my stakeholders are asking for a templated/co-branded  
> experience
> >>> so that users, when redirected, see a logo, etc from the RP on the
> >>> sign-up/log-in page for our OP. Obviously, that's not too  
> difficult to do
> >>> but I feel like the whole argument might be overcome with a  
> simplified OP
> >>> design by utilizing the popup draft spec.
> >>>
> >>> Section 6 in the Draft User Interface spec defines a mechanism  
> for the RP
> >>> to pass its logos to the OP. Showing the RP's logos to the user  
> on the OP's
> >>> approval/login screens definitely is very helpful to users, and  
> feedback
> >>> from our testers in our usability labs was overwhelmingly  
> positive when we
> >>> did this.
> >>>
> >>> Speaking on behalf of Yahoo, there are issues with displaying  
> metadata
> >>> about the RP that was not manually reviewed for correctness by  
> the OP. For
> >>> instance, the RP could be a malicious site that is pretending to  
> be a
> >>> trusted site, such as a bank. The malicious RP could  
> misrepresent itself by
> >>> passing the bank logo to the OP.
> >>>
> >>> Other OPs that are planning to supporting the RP Icons portion  
> of the UI
> >>> Extension may have other opinions about how important it is for  
> OPs to
> >>> manually verify the RP's logos before displaying them to the user.
> >>>
> >>> An alternative approach for having the RP pass metadata about  
> itself to
> >>> the OP (including icons, name, description) would be to use the  
> OpenID OAuth
> >>> Hybrid Extension, and have all the RP metadata bound to the RP's  
> OAuth
> >>> consumer_key. Most OAuth service providers usually have certain
> >>> business/legal criteria to issue an OAuth consumer_key, and in  
> Yahoo's case,
> >>> business partners are allowed to have logos assocaited with  
> their consumer
> >>> key, and all of these logos are manually reviewed before being  
> enabled.
> >>>
> >>> Thanks
> >>> Allen
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> user-experience mailing list
> >>> user-experience at lists.openid.net
> >>> http://lists.openid.net/mailman/listinfo/openid-user-experience
> >>>
> >>> _______________________________________________
> >>> user-experience mailing list
> >>> user-experience at lists.openid.net
> >>> http://lists.openid.net/mailman/listinfo/openid-user-experience
> >>>
> >>>
> >>>
> >>> --
> >>> Chris Messina
> >>> Open Web Advocate
> >>>
> >>> Personal: http://factoryjoe.com
> >>> Follow me on Twitter: http://twitter.com/chrismessina
> >>>
> >>> Citizen Agency: http://citizenagency.com
> >>> Diso Project: http://diso-project.org
> >>> OpenID Foundation: http://openid.net
> >>>
> >>> This email is:   [ ] bloggable    [X] ask first   [ ] private
> >>>
> >>> ________________________________
> >>> Hotmail: Powerful Free email with security by Microsoft. Get it  
> now.
> >>> _______________________________________________
> >>> user-experience mailing list
> >>> user-experience at lists.openid.net
> >>> http://lists.openid.net/mailman/listinfo/openid-user-experience
> >>>
> >>
> >>
> >>
> >> --
> >> Chris Messina
> >> Open Web Advocate
> >>
> >> Personal: http://factoryjoe.com
> >> Follow me on Twitter: http://twitter.com/chrismessina
> >>
> >> Citizen Agency: http://citizenagency.com
> >> Diso Project: http://diso-project.org
> >> OpenID Foundation: http://openid.net
> >>
> >> This email is:   [ ] shareable    [X] ask first   [ ] private
> >>
> >> _______________________________________________
> >> user-experience mailing list
> >> user-experience at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-user-experience
> >>
> >>
> >
> >
> >
> > --
> >
> > Thank you,
> > Darren Bounds
> > _______________________________________________
> > user-experience mailing list
> > user-experience at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-user-experience
> >
> _______________________________________________
> user-experience mailing list
> user-experience at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-user-experience
>
>
>
> -- 
> Chris Messina
> Open Web Advocate
>
> Personal: http://factoryjoe.com
> Follow me on Twitter: http://twitter.com/chrismessina
>
> Citizen Agency: http://citizenagency.com
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
>
> This email is:   [ ] shareable    [X] ask first   [ ] private
> _______________________________________________
> user-experience mailing list
> user-experience at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-user-experience

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-user-experience/attachments/20090921/f0897cea/attachment-0001.htm>


More information about the user-experience mailing list