
What an RP Wants, Part 2

Joseph Smarr shares his perspectives on how OpenID could be improved to make a better experience for Relying Parties (RPs). Talk was given on 11/2/09 at the OpenID Summit.

Published in: Technology


  1. What an RP Wants, Part II (Joseph Smarr, 11/02/09)
  2. What we said in February
     - Hybrid OpenID/OAuth is a game-changer
     - Plaxo/Google integration proved the “Chasm of Death” can be crossed: 92% success rate
  3. What we said in February
     - We need all the major players to become first-class OpenID Providers (OPs)
       - More user data (profile/email + contacts)
       - User-friendly (not scary) consent UI
       - Auto-login on return (checkid_immediate)
       - Commitment to do what it takes for both sides to be successful (ship early & often)
  4. What’s happened since
  5. What’s happened since
     - Facebook became an OpenID RP and joined the OpenID Foundation
  6. What’s happened since
     - Plaxo built a deep 2-way integration with Facebook (using Facebook Connect)
  7. What’s happened since
     - MySpace rolled out full Hybrid/Open Stack (though without validated email address)
  8. What’s happened since
     - Microsoft declared they’ll do OpenID for real (though were vague on timing)
  9. What’s happened since
     - Yahoo rolled out Hybrid.
  10. What’s happened since
     - Yahoo rolled out Hybrid.
  11. What hasn’t happened since
  12. Still waiting for more great OPs
     - Facebook (Hybrid RP)
     - Microsoft (doing OpenID, but OAuth?)
     - AOL (OpenID, but not 2.0 or Hybrid)
     - Twitter (OAuth, but OpenID?)
     - Plaxo (Hybrid RP and PoCo Provider)
     - LinkedIn (?)
  13. So, where do we stand?
     - Significant progress, though more slowly than we might have hoped
     - But the fact is, I cannot recommend a new startup bet their business on being an RP
     - Why?
     - Still a bunch of unsolved issues and un-met needs…
  14. What an RP Wants
  15. What an RP Wants
  16. What an RP Needs
  17. What an RP Needs
     - More high-quality OPs
     - Desktop / mobile / API best practices
     - Solution to the “Nascar problem”
     - Confidence that RP users are 1st class
     - Virtuous cycle
  18. Desktop / mobile / APIs
     - OpenID login is a web-only solution
     - As an RP, how do my users log in to:
       - My rich desktop client
       - My iPhone app
       - My REST API
       - My TV widget
  19. Desktop / mobile / APIs
     - Option: use OAuth flows as a bridge
       - Pop a browser for the OAuth flow
       - Log in using (web-based) OpenID
       - Need some way to tell the client to continue
     - Option: direct auth API proxied to the OP?
       - Simpler UI, but assumes username/password
     - Do this for all users, or just RP users?
       - Consistency vs. complicating the base case
  20. Solution to the “Nascar problem”
  21. Solution to the “Nascar problem”
     - How many buttons?
       - What about smaller OPs?
     - What to do for return users?
       - Visits from another computer?
     - E-mail addresses as IDs?
       - What about OPs that aren’t webmail providers?
  22. Confidence in RP users
     - Part perception issue, part reality
     - What happens when an OP dies?
     - If users get trained by login buttons, can I ever move/change them?
  23. Virtuous Cycle
  24. Virtuous Cycle
     - Example: Plaxo & TimesPeople
  25. Conclusion:
  26. We’ve still got a lot of work to do.
  27. Why I still believe…
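Slide 19 lists the "OAuth as a bridge" option for native clients: pop a browser, let the user log in through the web-based OpenID flow, then find "some way to tell the client to continue." The example below is added here and is not from the talk or from Plaxo; it shows the loopback-redirect answer to that last step, the mechanism later standardized for native apps in RFC 8252. It assumes a hypothetical RP web login endpoint (`RP_LOGIN_URL`, a placeholder) that accepts `redirect_uri` and `state` and, once the web login finishes, sends the browser back to `redirect_uri` with the same `state` and an authorization `code`. The client generates the `state` nonce, listens on an ephemeral 127.0.0.1 port, and refuses any callback whose `state` does not match, so a stray or forged request to the local port cannot complete a login. A simulated browser is included so the flow runs offline.

```python
"""Native-client login bridge: open a browser for the web flow, then receive the
result through a loopback redirect. Added example; assumes the RP endpoint
described in the lead-in (placeholder URL, not a real service)."""
import http.server
import secrets
import socketserver
import threading
import urllib.error
import urllib.parse
import urllib.request
import webbrowser
from typing import Callable, Optional, Tuple

RP_LOGIN_URL = "https://rp.example/login/start"  # assumed endpoint (placeholder)


class LoopbackListener:
    """One-shot HTTP server on 127.0.0.1 that receives the browser's redirect."""

    def __init__(self, expected_state: str):
        self.expected_state = expected_state
        self.code: Optional[str] = None
        self.error: Optional[str] = None
        self._done = threading.Event()
        listener = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                state = query.get("state", [None])[0]
                code = query.get("code", [None])[0]
                # Only a callback echoing the nonce we generated may complete the login.
                if not state or not secrets.compare_digest(state, listener.expected_state):
                    listener.error = "state mismatch"
                    self.send_response(400)
                elif not code:
                    listener.error = "missing code"
                    self.send_response(400)
                else:
                    listener.code = code
                    self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"You may close this window and return to the app.")
                listener._done.set()  # tell the waiting client to continue

            def log_message(self, *args):  # keep the example quiet
                pass

        # Port 0 lets the OS choose a free ephemeral port on the loopback interface.
        self._server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = "http://127.0.0.1:%d/callback" % self._server.server_address[1]
        threading.Thread(target=self._server.serve_forever, daemon=True).start()

    def wait(self, timeout: float) -> Optional[str]:
        finished = self._done.wait(timeout)
        self._server.shutdown()
        self._server.server_close()
        if not finished:
            self.error = "timeout"
        return self.code


def login_via_browser(open_browser: Callable[[str], object] = webbrowser.open,
                      timeout: float = 120.0) -> Tuple[Optional[str], Optional[str]]:
    """Run the bridge and return (code, error); exactly one of the two is set."""
    state = secrets.token_urlsafe(32)
    listener = LoopbackListener(state)
    params = urllib.parse.urlencode({"redirect_uri": listener.redirect_uri, "state": state})
    open_browser(RP_LOGIN_URL + "?" + params)  # the user logs in on the web here
    code = listener.wait(timeout)
    return code, listener.error


def simulated_browser(code: str = "constructed-code", tamper_state: bool = False):
    """Stand-in for a real browser: jumps straight from the login URL to the redirect.
    With tamper_state=True it plays a forged callback that does not know the nonce."""
    def _open(start_url: str) -> None:
        q = urllib.parse.parse_qs(urllib.parse.urlparse(start_url).query)
        state = "forged-state" if tamper_state else q["state"][0]
        target = q["redirect_uri"][0] + "?" + urllib.parse.urlencode({"state": state, "code": code})
        try:
            urllib.request.urlopen(target, timeout=5).read()
        except urllib.error.HTTPError:
            pass  # the listener rejected it; login_via_browser reports the reason
    return _open


if __name__ == "__main__":
    print(login_via_browser(open_browser=simulated_browser("abc123"), timeout=5))
    print(login_via_browser(open_browser=simulated_browser(tamper_state=True), timeout=5))
```

Binding to 127.0.0.1 rather than 0.0.0.0 keeps the callback off the network, and the per-login `state` nonce is what stops another local process from injecting a code into the waiting client; the `code` itself is still only a handle the client must exchange with the RP over TLS, never a session in its own right.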
