Google as an OpenID RP

Session: Tuesday Session 5 Space I

Conference: IIW 10 May 17-19, 2009

Convener: Ilan Caron, Eric Sachs, Yaniv Shuba

Notes-taker(s): Jacky Wang, Yaniv Shuba

Tags: Technology discussed / demo / google practice

Notes:
 * 1) Currently, Google accepts OpenID login for Blogger, Moderator, FriendConnect, App Engine, and FreeMusic (in China).
 * 2) GAIA - integrate OpenID into Google account management.
 * 3) Create Google account: "easy verification" - half of the Google accounts are created using Yahoo/AOL(?) email addresses. Therefore, we'd like to verify whether the user is the guy they claim to be.
 * 4) Hybrid onboarding - OAuth plugged in.
 * 5) Support multiple ID provider protocols, like OpenID, Windows Live ID, and Chinese local ID providers (Renren.com, etc.)

[Demo1: sync email validation]...
 * What kind of email addresses are considered to be trusted? Only the email provided by the same IDP. e.g.: abc@yahoo.com from Yahoo!, which is an IDP.
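The Demo1 trust rule written as an RP-side check, added here as an example; it is not part of the session notes and not Google's code. The OP endpoint hosts, the allow-list and the function names are constructed placeholders, and the OpenID assertion is assumed to have been signature-verified already.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): OP endpoint host -> email domains that
# the IDP itself operates. The hosts are placeholders, not real endpoints.
IDP_EMAIL_DOMAINS = {
    "openid.yahoo.example": {"yahoo.com"},
    "openid.aol.example": {"aol.com"},
}


def idp_vouches_for_email(op_endpoint: str, asserted_email: str) -> bool:
    """True only if the asserting IDP is authoritative for the email's domain.

    Assumes discovery and assertion signature checks already passed, so
    op_endpoint is the endpoint that really issued the assertion.
    """
    try:
        url = urlsplit(op_endpoint)
    except ValueError:
        return False
    if url.scheme != "https" or url.hostname is None:
        return False
    # Exact host match only: suffix matching would accept look-alike hosts.
    domains = IDP_EMAIL_DOMAINS.get(url.hostname)
    if domains is None:
        return False
    if any(ch.isspace() for ch in asserted_email):
        return False
    local, sep, domain = asserted_email.rpartition("@")
    if not sep or not local or "@" in local:
        return False
    # Exact domain match: abc@yahoo.com from Yahoo! is trusted, while a
    # yahoo.com address asserted by any other IDP is not.
    return domain.lower() in domains


def account_creation_step(op_endpoint: str, asserted_email: str) -> str:
    """Pick the verification path during account creation."""
    if idp_vouches_for_email(op_endpoint, asserted_email):
        return "email_verified"
    # Fall back to the regular procedure: mail a verification link.
    return "send_verification_email"
```
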

[Demo2: federated login demo - share a Google doc to the Yahoo user]
 * How could a user move their email, say, from Yahoo to AOL? The scenario is pretty complicated - it includes moving from a federated domain to an un-federated domain and vice versa, and from a federated domain to a federated domain. It's an ongoing effort.

Eric will start a new session on Wed to discuss it.
 * What's the checklist that an IDP needs to go through before Google trusts them?

NOTES BY: Yaniv Shuba

Google’s live OpenID RP features:
 * Blogger, Moderator, App Engine and China Free Music already function as an RP.
 * Friend Connect - an easy way to make your site an RP.

Work in progress:
 * Integrate OpenID support into Google's login page.
 * Easy verification - allow e-mail address verification during account creation using OpenID, instead of the regular procedure where a verification e-mail is sent to the user.
 * Hybrid onboarding - authorize Google to get your Yahoo contact information while you sign in.
 * Google is compiling a list of requirements for IDPs to qualify for being IDPs to Google.
 * The Google login page will have to change to reflect the different use-cases introduced by federated login.
