What an RP Wants, Part 2

What an RP Wants, Part II Joseph Smarr 11/02/09

What we said in February
Hybrid OpenID/OAuth is a game-changer
Plaxo/Google integration proved the “Chasm of Death” can be crossed
92% success rate

What we said in February
We need all the major players to become first-class OpenID Providers (OPs)
More user data (profile/email + contacts)
User-friendly (not scary) consent UI
Auto-login on return (checkid_immediate)
Commitment to do what it takes for both sides to be successful (ship early & often)

What’s happened since

Facebook became an OpenID RP and joined the OpenID Foundation

Plaxo built a deep 2-way integration with Facebook
(using Facebook Connect)

MySpace rolled out full Hybrid/Open Stack
(though without validated email address)

Microsoft declared they’ll do OpenID for real
(though were vague on timing)

Yahoo rolled out Hybrid.

What hasn’t happened since

Still waiting for more great OPs
Facebook (Hybrid RP)
Microsoft (Doing OpenID, but OAuth?)
AOL (OpenID, but not 2.0 or Hybrid)
Twitter (OAuth, but OpenID?)
Plaxo (Hybrid RP and PoCo Provider)
LinkedIn (?)

So, where do we stand?
Significant progress, though more slowly than we might have hoped
But the fact is, I cannot recommend a new startup bet their business on being an RP
Why?
Still a bunch of unsolved issues and un-met needs…

What an RP Wants

What an RP Needs

What an RP Needs
More high-quality OPs
Desktop / mobile / API best practices
Solution to the “Nascar problem”
Confidence that RP users are 1st class
Virtuous cycle

Desktop / mobile / APIs
OpenID login is a web-only solution
As an RP, how do my users log in to:
My rich desktop client
My iPhone app
My REST API
My TV widget

Desktop / mobile / APIs
Option: use OAuth flows as a bridge
Pop a browser for OAuth flow
Log in using (web-based) OpenID
Need some way to tell the client to continue
Option: direct auth API proxied to OP?
Simpler UI, but assumes username/passwod
Do this for all users, or just RP users?
Consistency vs. complicating the base case

How many buttons?
What about smaller OPs?
What to do for return users?
Visits from other computer?
E-mail addresses as IDs?
What about OPs that aren’t webmail providers

Confidence in RP users
Part perception issue, part reality
What happens when an OP dies?
If users get trained by login buttons, can I ever move/change them?

Virtuous Cycle

Virtuous Cycle
Example: Plaxo & TimesPeople

Conclusion:

We’ve still got a lot of work to do.

Why I still believe…

http://josephsmarr.com	4282
http://therealmccrea.com	563
http://feeds.feedburner.com	16
http://www.josephsmarr.com	5
http://webcache.googleusercontent.com	5
http://www.slideshare.net	2
http://www.yatedo.com	2
http://translate.googleusercontent.com	2
http://www.linkedin.com	1
http://webref-view	1
http://www.hanrss.com	1
url_unknown	1
http://ranksit.com	1

What an RP Wants, Part 2

by Joseph Smarr

Accessibility

Categories

Upload Details

Usage Rights

13 Embeds 4,882

Statistics