What an RP Wants, Part 2
DESCRIPTION
Joseph Smarr shares his perspectives on how OpenID could be improved to make a better experience for Relying Parties (RPs). The talk was given on 11/2/09 at the OpenID Summit.
TRANSCRIPT
What an RP Wants, Part II
Joseph Smarr
11/02/09
What we said in February
• Hybrid OpenID/OAuth is a game-changer
• Plaxo/Google integration proved the “Chasm of Death” can be crossed
92% success rate
What we said in February
We need all the major players to become first-class OpenID Providers (OPs)
– More user data (profile/email + contacts)
– User-friendly (not scary) consent UI
– Auto-login on return (checkid_immediate)
– Commitment to do what it takes for both sides to be successful (ship early & often)
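The two items above that carry protocol weight are the Hybrid OpenID/OAuth request and auto-login via checkid_immediate. The following is an added example, not code from the talk or from Plaxo: it shows the RP side of one round trip, building the hybrid request and then classifying the OP's reply so that a setup_needed answer falls back to an interactive checkid_setup, a replayed nonce is refused, and an unsigned OAuth request token is not trusted. The OP endpoint, realm, return_to, consumer key, scope and the sample response are constructed values; parameter names follow OpenID Authentication 2.0 and the OpenID OAuth Extension 1.0 draft, and the signature check itself is injected as a callable.

```python
"""Added example (not from the talk): RP side of a Hybrid OpenID/OAuth
checkid_immediate round trip. All endpoints and values are constructed."""
from urllib.parse import urlencode, urlparse, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# Fields the OP's signature must cover before a positive assertion is trusted.
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                  "assoc_handle", "claimed_id", "identity")


def build_hybrid_request(op_endpoint, realm, return_to, consumer_key, scope,
                         immediate=True):
    """Redirect URL that sends the user to the OP. With immediate=True the OP
    must answer without showing UI, replying setup_needed if it cannot."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate" if immediate else "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
        # Hybrid part: ask for an OAuth request token in the same round trip.
        "openid.ns.oauth": OAUTH_EXT_NS,
        "openid.oauth.consumer": consumer_key,
        "openid.oauth.scope": scope,
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


class AssertionChecker:
    """Classifies the OP's redirect back to return_to and rejects replays.
    verify_signature stands in for checking openid.sig against the association
    MAC key (or a check_authentication call back to the OP)."""

    def __init__(self, expected_return_to, verify_signature):
        self.expected_return_to = expected_return_to
        self.verify_signature = verify_signature
        self.seen_nonces = set()  # production: persistent store with expiry

    def classify(self, received_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(received_url).query).items()}
        mode = q.get("openid.mode")
        if mode == "setup_needed":
            return "setup_needed", q  # silent login failed: retry with checkid_setup
        if mode == "cancel":
            return "cancel", q
        if mode != "id_res" or q.get("openid.ns") != OPENID_NS:
            return "invalid", q
        # The assertion must name the URL it actually arrived at, and that must
        # be this RP's own return_to (an assertion minted for another RP fails).
        received_base = received_url.split("?", 1)[0]
        if (received_base != self.expected_return_to or
                q.get("openid.return_to", "").split("?", 1)[0] != received_base):
            return "invalid", q
        if "openid.sig" not in q or "openid.response_nonce" not in q:
            return "invalid", q
        signed = set(q.get("openid.signed", "").split(","))
        if any(field not in signed for field in MUST_BE_SIGNED):
            return "invalid", q
        # Hybrid: the OAuth request token is only usable if it was signed too.
        if "openid.oauth.request_token" in q and "oauth.request_token" not in signed:
            return "invalid", q
        nonce = q["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return "replay", q
        if not self.verify_signature(q):
            return "invalid", q
        self.seen_nonces.add(nonce)
        return "authenticated", q


def sample_positive_response(return_to, nonce):
    """Constructed positive assertion, as the OP's redirect would reach the RP."""
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/auth",
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-123",
        "openid.ns.oauth": OAUTH_EXT_NS,
        "openid.oauth.request_token": "req-token-xyz",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle,ns.oauth,oauth.request_token",
        "openid.sig": "c2lnbmF0dXJl",  # placeholder; verify_signature decides
    }
    return return_to + "?" + urlencode(fields)


if __name__ == "__main__":
    rt = "https://rp.example/openid/return"
    print(build_hybrid_request("https://op.example/auth", "https://rp.example/",
                               rt, "rp.example", "contacts"))
    checker = AssertionChecker(rt, lambda q: q["openid.sig"] == "c2lnbmF0dXJl")
    url = sample_positive_response(rt, "2009-11-02T10:00:00Zabc")
    print(checker.classify(url)[0], checker.classify(url)[0])  # authenticated replay
```

The order of checks matters less than the fact that the nonce is only recorded after the signature verifies; recording it earlier would let an unsigned forgery burn a nonce the OP later issues for real.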
What’s happened since
• Facebook became an OpenID RP and joined the OpenID Foundation
• Plaxo built a deep 2-way integration with Facebook (using Facebook Connect)
• MySpace rolled out full Hybrid/Open Stack (though without validated email address)
• Microsoft declared they’ll do OpenID for real (though were vague on timing)
• Yahoo rolled out Hybrid.
What hasn’t happened since
Still waiting for more great OPs
• Facebook (Hybrid RP)
• Microsoft (Doing OpenID, but OAuth?)
• AOL (OpenID, but not 2.0 or Hybrid)
• Twitter (OAuth, but OpenID?)
• Plaxo (Hybrid RP and PoCo Provider)
• LinkedIn (?)
So, where do we stand?
• Significant progress, though more slowly than we might have hoped
• But the fact is, I cannot recommend a new startup bet their business on being an RP
• Why?
• Still a bunch of unsolved issues and un-met needs…
What an RP Wants
What an RP Needs
• More high-quality OPs
• Desktop / mobile / API best practices
• Solution to the “Nascar problem”
• Confidence that RP users are 1st class
• Virtuous cycle
Desktop / mobile / APIs
• OpenID login is a web-only solution
• As an RP, how do my users log in to:
– My rich desktop client
– My iPhone app
– My REST API
– My TV widget
• Option: use OAuth flows as a bridge
– Pop a browser for OAuth flow
– Log in using (web-based) OpenID
– Need some way to tell the client to continue
• Option: direct auth API proxied to OP?
– Simpler UI, but assumes username/password
• Do this for all users, or just RP users?
– Consistency vs. complicating the base case
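The "pop a browser, then tell the client to continue" bridge needs a channel from the browser back to the native client. One common answer is a one-shot loopback listener: the client binds an ephemeral port on 127.0.0.1, opens the RP's web login page with that loopback URL and a random state value, the user signs in there with web-based OpenID, and the RP's web tier (after verifying the OpenID assertion itself) redirects the browser to the loopback URL carrying the state and a one-time code that the client exchanges with the RP's API. The code below is an added example, not code from the talk or from Plaxo; the RP login page, its redirect_uri/state/code parameters and the code-exchange step are a hypothetical design, and the browser is replaced by a test double so the flow runs offline.

```python
"""Added example (not from the talk): loopback bridge for a native client of an
RP. The RP login page, redirect_uri/state/code parameters and the exchange
step are hypothetical; fake_browser_for_tests stands in for the real browser."""
import secrets
import threading
import urllib.request
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse, parse_qs


def check_callback(query, expected_state):
    """Validate the query string the browser delivered to the loopback port.
    state must match the value this client instance generated, so a redirect
    it did not start cannot hand it a code. Returns (ok, code_or_reason)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        return False, "state mismatch"
    if q.get("error"):
        return False, "login failed: " + q["error"]
    code = q.get("code", "")
    if not code:
        return False, "no code"
    return True, code


class LoopbackReceiver:
    """One-shot HTTP listener on 127.0.0.1 with an ephemeral port."""

    def __init__(self):
        self.state = secrets.token_urlsafe(32)
        self.outcome = None
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):  # keep the client's stdout quiet
                pass

            def do_GET(self):
                parsed = urlparse(self.path)
                if parsed.path != "/callback":
                    self.send_error(404)
                    return
                receiver.outcome = check_callback(parsed.query, receiver.state)
                body = (b"Signed in. You can return to the app." if receiver.outcome[0]
                        else b"Sign-in could not be completed.")
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]

    def login_url(self, rp_login_page):
        """URL to open in the system browser (hypothetical RP login page)."""
        redirect_uri = f"http://127.0.0.1:{self.port}/callback"
        return rp_login_page + "?" + urlencode({"redirect_uri": redirect_uri,
                                                "state": self.state})

    def wait_for_callback(self, timeout):
        """Serve exactly one request, or give up after timeout seconds."""
        self.server.timeout = timeout
        self.server.handle_request()
        self.server.server_close()
        return self.outcome  # None on timeout


def native_login(rp_login_page, exchange_code, open_browser=webbrowser.open,
                 timeout=300):
    """Full bridge: open the browser, wait for the loopback redirect, then
    exchange the one-time code for the client's API credential."""
    receiver = LoopbackReceiver()
    open_browser(receiver.login_url(rp_login_page))
    outcome = receiver.wait_for_callback(timeout)
    if outcome is None:
        return None, "timed out waiting for browser"
    ok, detail = outcome
    if not ok:
        return None, detail
    return exchange_code(detail), "ok"


def fake_browser_for_tests(code):
    """Test double for webbrowser.open: the user 'completes' login at once and
    the RP redirects the browser to the loopback URL with this constructed code."""
    def open_url(login_url):
        q = parse_qs(urlparse(login_url).query)
        cb = q["redirect_uri"][0] + "?" + urlencode({"state": q["state"][0], "code": code})
        threading.Thread(target=lambda: urllib.request.urlopen(cb).read(),
                         daemon=True).start()
        return True
    return open_url
```

The state value does the work a web session cookie does for a browser-only RP: without it, any page the browser happens to visit while the listener is open could push a code into the client. Binding to 127.0.0.1 rather than 0.0.0.0 keeps the listener off the network.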
Solution to the “Nascar problem”
• How many buttons?
– What about smaller OPs?
• What to do for return users?
– Visits from other computer?
• E-mail addresses as IDs?
– What about OPs that aren’t webmail providers
Confidence in RP users
• Part perception issue, part reality
• What happens when an OP dies?
• If users get trained by login buttons, can I ever move/change them?
Virtuous Cycle
Example: Plaxo & TimesPeople
Conclusion:
We’ve still got a lot of work to do.
Why I still believe…