What an RP Wants, Part II Joseph Smarr 11/02/09

What we said in February Hybrid OpenID/OAuth is a game-changer Plaxo/Google integration proved the “Chasm of Death” can be crossed 92% success rate

Hybrid OpenID/OAuth is a game-changer

Plaxo/Google integration proved the “Chasm of Death” can be crossed

What we said in February We need all the major players to become first-class OpenID Providers (OPs) More user data (profile/email + contacts) User-friendly (not scary) consent UI Auto-login on return (checkid_immediate) Commitment to do what it takes for both sides to be successful (ship early & often)

We need all the major players to become first-class OpenID Providers (OPs)

More user data (profile/email + contacts)

User-friendly (not scary) consent UI

Auto-login on return (checkid_immediate)

Commitment to do what it takes for both sides to be successful (ship early & often)

What’s happened since

What’s happened since Facebook became an OpenID RP and joined the OpenID Foundation

Facebook became an OpenID RP and joined the OpenID Foundation

What’s happened since Plaxo built a deep 2-way integration with Facebook (using Facebook Connect)

Plaxo built a deep 2-way integration with Facebook

(using Facebook Connect)

What’s happened since MySpace rolled out full Hybrid/Open Stack (though without validated email address)

MySpace rolled out full Hybrid/Open Stack

(though without validated email address)

What’s happened since Microsoft declared they’ll do OpenID for real (though were vague on timing)

Microsoft declared they’ll do OpenID for real

(though were vague on timing)

What’s happened since Yahoo rolled out Hybrid.

Yahoo rolled out Hybrid.

What’s happened since Yahoo rolled out Hybrid.

Yahoo rolled out Hybrid.

What hasn’t happened since

Still waiting for more great OPs Facebook (Hybrid RP) Microsoft (Doing OpenID, but OAuth?) AOL (OpenID, but not 2.0 or Hybrid) Twitter (OAuth, but OpenID?) Plaxo (Hybrid RP and PoCo Provider) LinkedIn (?)

Facebook (Hybrid RP)

Microsoft (Doing OpenID, but OAuth?)

AOL (OpenID, but not 2.0 or Hybrid)

Twitter (OAuth, but OpenID?)

Plaxo (Hybrid RP and PoCo Provider)

LinkedIn (?)

So, where do we stand? Significant progress, though more slowly than we might have hoped But the fact is, I cannot recommend a new startup bet their business on being an RP Why? Still a bunch of unsolved issues and un-met needs…

Significant progress, though more slowly than we might have hoped

But the fact is, I cannot recommend a new startup bet their business on being an RP

Why?

Still a bunch of unsolved issues and un-met needs…

What an RP Wants

What an RP Wants

What an RP Needs

What an RP Needs More high-quality OPs Desktop / mobile / API best practices Solution to the “Nascar problem” Confidence that RP users are 1st class Virtuous cycle

More high-quality OPs

Desktop / mobile / API best practices

Solution to the “Nascar problem”

Confidence that RP users are 1st class

Virtuous cycle

Desktop / mobile / APIs OpenID login is a web-only solution As an RP, how do my users log in to: My rich desktop client My iPhone app My REST API My TV widget

OpenID login is a web-only solution

As an RP, how do my users log in to:

My rich desktop client

My iPhone app

My REST API

My TV widget

Desktop / mobile / APIs Option: use OAuth flows as a bridge Pop a browser for OAuth flow Log in using (web-based) OpenID Need some way to tell the client to continue Option: direct auth API proxied to OP? Simpler UI, but assumes username/passwod Do this for all users, or just RP users? Consistency vs. complicating the base case

Option: use OAuth flows as a bridge

Pop a browser for OAuth flow

Log in using (web-based) OpenID

Need some way to tell the client to continue

Option: direct auth API proxied to OP?

Simpler UI, but assumes username/passwod

Do this for all users, or just RP users?

Consistency vs. complicating the base case

Solution to the “Nascar problem”

Solution to the “Nascar problem” How many buttons? What about smaller OPs? What to do for return users? Visits from other computer? E-mail addresses as IDs? What about OPs that aren’t webmail providers

How many buttons?

What about smaller OPs?

What to do for return users?

Visits from other computer?

E-mail addresses as IDs?

What about OPs that aren’t webmail providers

Confidence in RP users Part perception issue, part reality What happens when an OP dies? If users get trained by login buttons, can I ever move/change them?

Part perception issue, part reality

What happens when an OP dies?

If users get trained by login buttons, can I ever move/change them?

Virtuous Cycle

Virtuous Cycle Example: Plaxo & TimesPeople

Example: Plaxo & TimesPeople

Conclusion:

We’ve still got a lot of work to do.

Why I still believe…