What an RP Needs

http://www.slideshare.net/jsmarr/what-an-rp-wants-part-2

What an RP Wants - Part II, Joseph Smarr, 11/02/09

What we said in February
 * Hybrid OpenID/OAuth is a game-changer
 * Plaxo/Google integration proved the “Chasm of Death” can be crossed
 * 92% success rate
 * We need all the major players to become first-class OpenID Providers (OPs)
 * More user data (profile/email + contacts)
 * User-friendly (not scary) consent UI
 * Auto-login on return (checkid_immediate)
 * Commitment to do what it takes for both sides to be successful
 * What’s happened since (ship early & often)

What’s happened since
 * Plaxo built a deep 2-way integration with Facebook (using Facebook Connect)
 * Facebook became an OpenID RP and joined the OpenID Foundation
 * MySpace rolled out full Hybrid/Open Stack (though without validated email address)
 * Microsoft declared they’ll do OpenID for real (though were vague on timing)
 * Yahoo rolled out Hybrid.

What hasn’t happened since

Still waiting for more great OPs
 * Facebook (Hybrid RP)
 * Microsoft (Doing OpenID, but OAuth?)
 * AOL (OpenID, but not 2.0 or Hybrid)
 * Twitter (OAuth, but OpenID?)
 * Plaxo (Hybrid RP and PoCo Provider)
 * LinkedIn (?)

So, where do we stand?
 * Significant progress, though more slowly than we might have hoped
 * But the fact is, I cannot recommend that a new startup bet its business on being an RP. Why?
 * Still a bunch of unsolved issues and unmet needs… and the need for more great OPs

'''What an RP Wants - nope.... What an RP NEEDS.'''

More high-quality OPs
 * Desktop / mobile / API best practices
 * Solution to the “Nascar problem”
 * Confidence that RP users are 1st class
 * Virtuous cycle

Desktop / mobile / APIs
 * OpenID login is a web-only solution
 * As an RP, how do my users log in to:
   * My rich desktop client
   * My iPhone app
   * My REST API
   * My TV widget
 * Option: use OAuth flows as a bridge
   * Pop a browser for the OAuth flow
   * Log in using (web-based) OpenID
   * Need some way to tell the client to continue
 * Option: direct auth API proxied to the OP?
   * Simpler UI, but assumes username/password (the RP handles the user’s OP credentials)
   * Do this for all users, or just RP users?
   * Consistency vs. complicating the base case
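The “pop a browser, then tell the client to continue” bridge above, as an added example that is not from the original talk: a native client opens the system browser at the OP, then listens on a one-shot loopback HTTP server for the redirect, accepting it only when the unguessable `state` it generated comes back. The OP URL, client id and OAuth 2.0-style `code`/`state` parameters are assumptions (the 2009 talk predates OAuth 2.0).

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical OP endpoint and client id: placeholders, not real values.
AUTHORIZE_URL = "https://op.example/authorize"
CLIENT_ID = "example-desktop-client"

def new_state():
    # Unguessable per-attempt value binding the browser flow to this client.
    return secrets.token_urlsafe(16)

def build_authorize_url(redirect_uri, state):
    """URL the native client hands to the system browser to start the flow."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)

def parse_callback(path, expected_state):
    """Validate the redirect hitting the loopback listener; return the code.
    Raises ValueError so a forged or stale callback never signals 'continue'."""
    qs = parse_qs(urlparse(path).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; ignoring callback")
    if "error" in qs:
        raise ValueError("OP returned error: " + qs["error"][0])
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def make_listener(expected_state, port=0):
    """One-shot loopback server; caller runs server.handle_request() once."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                status, body = 200, b"Login complete; you can close this tab."
            except ValueError as exc:
                result["error"] = str(exc)
                status, body = 400, b"Login could not be completed."
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args): pass  # keep codes out of the console log
    server = HTTPServer(("127.0.0.1", port), Handler)
    return server, result
```

The client calls `make_listener(state)`, opens `build_authorize_url("http://127.0.0.1:<port>/cb", state)` in the browser, and blocks on `server.handle_request()`; `result["code"]` is then exchanged at the OP for a token, so the secret never transits the user’s clipboard or a shared password.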

Solution to the “Nascar problem”
 * How many buttons?
 * What about smaller OPs?
 * What to do for return users?
 * Visits from another computer?
 * E-mail addresses as IDs?
 * What about OPs that aren’t webmail providers?

Confidence in RP users
 * Part perception issue, part reality
 * What happens when an OP dies?
 * If users get trained by login buttons, can I ever move/change them?

Virtuous Cycle

Conclusion:
 * We’ve still got a lot of work to do.
 * Why I still believe… (picture of the community at IIW)