What an RP Wants, Part 2

15,219 views

Published on

Joseph Smarr shares his perspectives on how OpenID could be improved to make a better experience for Relying Parties (RPs). Talk was given on 11/2/09 at the OpenID Summit.

Published in: Technology
1 Comment
5 Likes
Statistics
Notes
  • i like it
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
15,219
On SlideShare
0
From Embeds
0
Number of Embeds
6,382
Actions
Shares
0
Downloads
36
Comments
1
Likes
5
Embeds 0
No embeds

No notes for slide

What an RP Wants, Part 2

  1. What an RP Wants, Part II Joseph Smarr 11/02/09
  2. What we said in February <ul><li>Hybrid OpenID/OAuth is a game-changer </li></ul><ul><li>Plaxo/Google integration proved the “Chasm of Death” can be crossed </li></ul>92% success rate
  3. What we said in February <ul><li>We need all the major players to become first-class OpenID Providers (OPs) </li></ul><ul><ul><li>More user data (profile/email + contacts) </li></ul></ul><ul><ul><li>User-friendly (not scary) consent UI </li></ul></ul><ul><ul><li>Auto-login on return (checkid_immediate) </li></ul></ul><ul><ul><li>Commitment to do what it takes for both sides to be successful (ship early & often) </li></ul></ul>
  4. What’s happened since
  5. What’s happened since <ul><li>Facebook became an OpenID RP and joined the OpenID Foundation </li></ul>
  6. What’s happened since <ul><li>Plaxo built a deep 2-way integration with Facebook </li></ul><ul><li>(using Facebook Connect) </li></ul>
  7. What’s happened since <ul><li>MySpace rolled out full Hybrid/Open Stack </li></ul><ul><li>(though without validated email address) </li></ul>
  8. What’s happened since <ul><li>Microsoft declared they’ll do OpenID for real </li></ul><ul><li>(though were vague on timing) </li></ul>
  9. What’s happened since <ul><li>Yahoo rolled out Hybrid. </li></ul>
  10. What’s happened since <ul><li>Yahoo rolled out Hybrid. </li></ul>
  11. What hasn’t happened since
  12. Still waiting for more great OPs <ul><li>Facebook (Hybrid RP) </li></ul><ul><li>Microsoft (Doing OpenID, but OAuth?) </li></ul><ul><li>AOL (OpenID, but not 2.0 or Hybrid) </li></ul><ul><li>Twitter (OAuth, but OpenID?) </li></ul><ul><li>Plaxo (Hybrid RP and PoCo Provider) </li></ul><ul><li>LinkedIn (?) </li></ul>
  13. So, where do we stand? <ul><li>Significant progress, though more slowly than we might have hoped </li></ul><ul><li>But the fact is, I cannot recommend a new startup bet their business on being an RP </li></ul><ul><li>Why? </li></ul><ul><li>Still a bunch of unsolved issues and un-met needs… </li></ul>
  14. What an RP Wants
  15. What an RP Wants
  16. What an RP Needs
  17. What an RP Needs <ul><li>More high-quality OPs </li></ul><ul><li>Desktop / mobile / API best practices </li></ul><ul><li>Solution to the “Nascar problem” </li></ul><ul><li>Confidence that RP users are 1st class </li></ul><ul><li>Virtuous cycle </li></ul>
  18. Desktop / mobile / APIs <ul><li>OpenID login is a web-only solution </li></ul><ul><li>As an RP, how do my users log in to: </li></ul><ul><ul><li>My rich desktop client </li></ul></ul><ul><ul><li>My iPhone app </li></ul></ul><ul><ul><li>My REST API </li></ul></ul><ul><ul><li>My TV widget </li></ul></ul>
  19. Desktop / mobile / APIs <ul><li>Option: use OAuth flows as a bridge </li></ul><ul><ul><li>Pop a browser for OAuth flow </li></ul></ul><ul><ul><li>Log in using (web-based) OpenID </li></ul></ul><ul><ul><li>Need some way to tell the client to continue </li></ul></ul><ul><li>Option: direct auth API proxied to OP? </li></ul><ul><ul><li>Simpler UI, but assumes username/passwod </li></ul></ul><ul><li>Do this for all users, or just RP users? </li></ul><ul><ul><li>Consistency vs. complicating the base case </li></ul></ul>
  20. Solution to the “Nascar problem”
  21. Solution to the “Nascar problem” <ul><li>How many buttons? </li></ul><ul><ul><li>What about smaller OPs? </li></ul></ul><ul><li>What to do for return users? </li></ul><ul><ul><li>Visits from other computer? </li></ul></ul><ul><li>E-mail addresses as IDs? </li></ul><ul><ul><li>What about OPs that aren’t webmail providers </li></ul></ul>
  22. Confidence in RP users <ul><li>Part perception issue, part reality </li></ul><ul><li>What happens when an OP dies? </li></ul><ul><li>If users get trained by login buttons, can I ever move/change them? </li></ul>
  23. Virtuous Cycle
  24. Virtuous Cycle <ul><li>Example: Plaxo & TimesPeople </li></ul>
  25. Conclusion:
  26. We’ve still got a lot of work to do.
  27. Why I still believe…
  28.  

×