What an RP Needs

From IIW

What an RP Wants - Part II, Joseph Smarr, 11/02/09

What we said in February

  • Hybrid OpenID/OAuth is a game-changer
  • Plaxo/Google integration proved the “Chasm of Death” can be crossed
    • 92% success rate
  • We need all the major players to become first-class OpenID Providers (OPs)
  • More user data (profile/email + contacts)
  • User-friendly (not scary) consent UI
  • Auto-login on return (checkid_immediate)
  • Commitment to do what it takes for both sides to be successful
  • What’s happened since (ship early & often)

What’s happened since

  • Facebook became an OpenID RP and joined the OpenID Foundation
  • Plaxo built a deep 2-way integration with Facebook (using Facebook Connect)
  • MySpace rolled out full Hybrid/Open Stack (though without validated email address)
  • Microsoft declared they’ll do OpenID for real (though were vague on timing)
  • Yahoo rolled out Hybrid.

What hasn’t happened since

Still waiting for more great OPs

  • Facebook (Hybrid RP)
  • Microsoft (Doing OpenID, but OAuth?)
  • AOL (OpenID, but not 2.0 or Hybrid)
  • Twitter (OAuth, but OpenID?)
  • Plaxo (Hybrid RP and PoCo Provider)
  • LinkedIn (?)

So, where do we stand?

  • Significant progress, though more slowly than we might have hoped
  • But the fact is, I cannot recommend a new startup bet their business on being an RP. Why?
  • Still a bunch of unsolved issues and unmet needs… for more great OPs

What an RP Wants - nope.... What an RP NEEDS.

More high-quality OPs

  • Desktop / mobile / API best practices
  • Solution to the “Nascar problem”
  • Confidence that RP users are 1st class
  • Virtuous cycle

Desktop / mobile / APIs

  • OpenID login is a web-only solution
  • As an RP, how do my users log in to:
    • My rich desktop client
    • My iPhone app
    • My REST API
    • My TV widget
  • Option: use OAuth flows as a bridge
    • Pop a browser for the OAuth flow
    • Log in using (web-based) OpenID
    • Need some way to tell the client to continue
  • Option: direct auth API proxied to the OP?
    • Simpler UI, but assumes username/password
    • Do this for all users, or just RP users?
    • Consistency vs. complicating the base case
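
The OAuth-as-bridge option above (pop a browser for the web flow, then find "some way to tell the client to continue"), as an added Python example that is not from the talk or from Plaxo: the native client binds a loopback port, hands the browser an authorize URL that redirects back to that port, and refuses to continue unless the state value it issued comes back. The OP endpoint, client id and the fake_browser stand-in are constructed for the demo.

```python
import http.client
import http.server
import secrets
import threading
import urllib.parse

def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state):
    # Standard authorization-code parameters; state binds the callback to this session.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)

class _CallbackHandler(http.server.BaseHTTPRequestHandler):
    """Receives the single redirect that tells the native client to continue."""
    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        self.server.result = {k: v[0] for k, v in query.items()}
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login complete; you can return to the application.")
    def log_message(self, *args): pass  # silence per-request logging

def run_bridge(authorize_endpoint, client_id, open_browser):
    """Bind a loopback port, hand the web flow to the browser, wait for the callback."""
    state = secrets.token_urlsafe(16)
    server = http.server.HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    server.result, server.timeout = None, 5           # give up if nothing calls back
    redirect_uri = f"http://127.0.0.1:{server.server_port}/callback"
    url = build_authorize_url(authorize_endpoint, client_id, redirect_uri, state)
    threading.Thread(target=open_browser, args=(url,), daemon=True).start()
    server.handle_request()                            # blocks for exactly one request
    server.server_close()
    result = server.result or {}
    # A callback carrying a state this client never issued is a stray or injected
    # redirect, not the user's login: do not continue the flow on it.
    if not secrets.compare_digest(result.get("state", "").encode(), state.encode()):
        return None
    return result.get("code")                          # None if the OP sent no code

def fake_browser(authorize_url, tamper_state=False):
    """Constructed stand-in for webbrowser.open(): 'logs in' at the OP, then follows
    the redirect back to the loopback listener (optionally with a forged state)."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(authorize_url).query)
    state = "not-the-real-state" if tamper_state else q["state"][0]
    back = urllib.parse.urlparse(q["redirect_uri"][0])
    conn = http.client.HTTPConnection(back.hostname, back.port)
    conn.request("GET", back.path + "?" + urllib.parse.urlencode(
        {"code": "constructed-code", "state": state}))
    conn.getresponse().read()
```

In a real client, pass webbrowser.open in place of fake_browser; the returned code is then exchanged at the OP's token endpoint as in any OAuth flow.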

Solution to the “Nascar problem”

  • How many buttons?
  • What about smaller OPs?
  • What to do for return users?
  • Visits from other computer?
  • E-mail addresses as IDs?
  • What about OPs that aren’t webmail providers?

Confidence in RP users

  • Part perception issue, part reality
  • What happens when an OP dies?
  • If users get trained by login buttons, can I ever move/change them?

Virtuous Cycle
  • We’ve still got a lot of work to do.
  • Why I still believe… (picture of the community at IIW)