Making OpenID really really easy - a use case

Posted by alper

A while back I read a post by Boris about how OpenID is not really easy to use (yet). He is completely right, and if Boris can’t use it, our moms definitely do not stand a chance.

Ted Rheingold

I had a conversation about this with Ted Rheingold of Dogster, who was thinking of implementing OpenID for their users so people could use their Dogster logins to log in to affiliate third-party sites.

A very important issue for him is that a lot of his users are not geeks and do not really want to get into the technological side of things. In most cases people will not be familiar yet with OpenID and you want to shield them from the complexities while still offering the benefits.

Do I have an OpenID?

When confronted with an OpenID login box, this is the first question that people —like Boris— are confronted with. What is this OpenID thing and do I have one or where do I get one?

Basecamp OpenID Login

Luckily more and more sites are offering hosted OpenID identities to their users. Wordpress.com does this for their blog owners and LiveJournal does this as well. Most people will probably prefer to use one of these hosted solutions offered by a third party site instead of hosting their OpenID themselves.

This way, identities will keep being created until most people have multiple OpenIDs. That still does not solve the problem of knowing that you have an OpenID and knowing what it is. I will propose a solution to this problem just after the next point.

URLs for what?

The whole concept that you use a URL to log in —though I think it is quite elegant— will be difficult to explain to users, who already have trouble telling their login names and e-mail addresses apart. Adding another entity that you can use to log in at sites will only add to the confusion.

Signing in with e-mail addresses is firmly settled but it did take some time to get there. We may get to the same level with OpenID (and hopefully replace e-mail based logins altogether) some day but that is too distant currently. URLs are generally perceived as user unfriendly and normal users should not have to deal with them too much (yet).

Maybe i-names will be a solution to this sometime, but I don’t see it becoming mainstream any time soon.

Solve away the URLs

Taking both previous points together: most people will use a hosted OpenID solution and people do not want to type URLs, we can just abstract away the URLs completely.

When logging into an OpenID consuming site, that site can provide a selector with a couple of well known sites providing OpenIDs. This list of OpenID providers should be attuned to the target audience so they are familiar with these sites. With a fairly small list of providers, you can probably cover a large part of your user base.

I have made an example login box that works this way. It gives users the choice between several well known sites or the possibility to fill in their own OpenID. This is just a mockup which you can adjust in any way you like. You could expand the different login options or present them any way you like. A site which already takes such an approach is the site for the band Rooney. You could also display the generated OpenID to the user at some point to get them accustomed to the OpenID they will be using.
OpenID Constructor

Using that selector and a textbox users can pick a site they have an account on and fill in their username. The consuming site can then construct an OpenID URL from the given username and use that to log the user on. So taking my Wordpress.com username illustir it would construct my OpenID http://illustir.wordpress.com/ automatically (see the example).
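One way a consuming site could do this construction safely, as an added example (not the code behind the mockup above): the URL patterns are the ones quoted on this page, while the function names and the username rules are assumptions. Because the username is typed by the user, it is restricted to a single host label or path segment so the result always stays on the chosen provider, and e-mail-style usernames are rejected rather than embedded in a URL.

```javascript
// Added example: building an OpenID URL from a provider choice plus a username.
// URL patterns are the ones quoted on this page; the username rules are
// assumptions chosen so that user input can never leave its URL component.
const PROVIDERS = {
  wordpress:   { kind: "subdomain", base: "wordpress.com" },   // http://illustir.wordpress.com/
  livejournal: { kind: "subdomain", base: "livejournal.com" },
  aol:         { kind: "path",      base: "openid.aol.com" },  // openid.aol.com/<name>
};

// One DNS label: letters, digits, inner hyphens, at most 63 characters.
const HOST_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
// One path segment: must start alphanumeric, so ".", ".." and "/" are excluded.
const PATH_SEGMENT = /^[a-z0-9][a-z0-9_.-]{0,63}$/;

function constructOpenID(providerKey, rawUsername) {
  // Only providers from the fixed list; the own-property check blocks "__proto__".
  if (!Object.prototype.hasOwnProperty.call(PROVIDERS, providerKey)) {
    throw new Error("unknown provider");
  }
  const provider = PROVIDERS[providerKey];
  const username = String(rawUsername).trim().toLowerCase();

  let candidate, expectedHost;
  if (provider.kind === "subdomain") {
    if (!HOST_LABEL.test(username)) throw new Error("username is not a single host label");
    expectedHost = `${username}.${provider.base}`;
    candidate = `http://${expectedHost}/`;
  } else {
    if (!PATH_SEGMENT.test(username)) throw new Error("username is not a single path segment");
    expectedHost = provider.base;
    candidate = `http://${expectedHost}/${username}`;
  }

  // Defence in depth: parse what was built and confirm it still points at the provider.
  const url = new URL(candidate);
  if (url.hostname !== expectedHost || url.username || url.password ||
      url.port || url.search || url.hash) {
    throw new Error("constructed URL does not belong to the chosen provider");
  }
  return url.href;
}

// For a live preview next to the login box: never throws.
function previewOpenID(providerKey, rawUsername) {
  try {
    return { ok: true, openid: constructOpenID(providerKey, rawUsername) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample inputs: two valid usernames and two that must be rejected.
for (const [p, u] of [["wordpress", "illustir"], ["aol", "angelogladding"],
                      ["wordpress", "example.org/#"], ["wordpress", "someone@example.org"]]) {
  console.log(p, JSON.stringify(u), "->", JSON.stringify(previewOpenID(p, u)));
}
```

The constructed URL is only the claimed identifier; the consumer still has to run the normal OpenID flow against it before treating the user as logged in.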

What site are you taking me to?

The step where you leave the site you are logging into for another site can be a bit distressing for users. The approach that sites such as Wordpress.com take by having their own identity provider which looks and feels familiar dampens this transition a lot.

Large sites using OpenID should generally have their own provider so that they can control and attune the experience for logging users in.

Dogster’s use for OpenID

Suppose Dogster wanted their users to be able to log into third party sites using their Dogster login credentials. This seems like it is exactly the kind of problem that OpenID is meant to solve. Especially in the case where the login is more a dependent syndication —a third party site affiliating with a bigger site— than that it is a general login (though nothing stops it from working that way as well).

So in the Dogster case they should start their own OpenID provider and OpenID enable all their accounts which are both relatively easy steps. Then, third party sites could use a Dogster login to log onto their site by simply becoming an OpenID consumer and by constructing the correct OpenID from the Dogster login.
The only problem with the Dogster case is that they use e-mail addresses as usernames and you would have to construct a URL with the e-mail in it. You probably would not want to spread e-mail addresses in that fashion.

This approach can be taken by any big site which wants to enable its users logging in elsewhere with the same credentials.

Update: I updated the example to be more clear and more educational about the actual OpenID that is being constructed.
Besides that, a lot of people are missing the point. I am completely in favor of browser integration, rich identity homepages and everything. Go out and build them already, but should/could/would are not going to help us right here right now. Given Livejournal+Wordpress+AOL almost everybody already has an OpenID but most of them do not know it yet. This —admittedly trivial example— is meant to fix that.

32 Responses to “Making OpenID really really easy - a use case”

  1. Reinier http://zwitserloot.com

    I don’t think this will end up scaling. As much as we blogosphere inhabitants fawn over facebook, in the end that’s just another Walled Garden AOL wannabee that’s doomed to failure in the long run, at least in the sense of becoming a universal springboard for everything related to social identity.

    Of course, maybe it doesn’t have to scale. As you say, once the world is accustomed to OpenID, this selection box can go away and thus it only needs to work as a transition tool. I’m just not entirely sure the transition period is small enough that this dropdown will suffice.

    The way I think this will go, IF OpenID does become successful (crossing fingers!) is browser plugins. Firefox should definitely ship with openID built right in. It already ships with a ‘remember my password’ feature - this is really no different. I envision a button that lights up if the appropriate tags are available in the current site (analogous to how the ’sign up to newsfeed’/RSS button shows up if there’s a meta tag linking the rss stream), that adds/replaces your current login identity with the one offered. Dogster, wordpress, and all other OpenID providers would add this tag so OpenID supporting browsers recognize it.

    Add to this a ‘log me in’ button for any OpenID login box that the browser can find and you avoid 90% of all the confusion.

    That reminds me, is there a unique machine-identifiable format for an OpenID login box? If not, may I suggest this gets built PRONTO? It’s crucial to OpenID uptake if you ask me. Firefox/Opera/Safari’s ‘manage logins for me’ features sort of guess at what is a login box and what isn’t. Sxipper (google it) has a whole community dedicated to just interpreting login and signup forms - it’s not a foolproof task for a machine to do it. At least the existence of password boxes makes this relatively easy now. Finding OpenID login boxes is much more difficult heuristically because there’s no password box, and this is bad.

    If there’s a simple protocol for logging into your openID and giving access to a consumer site, then firefox can handle this using a dialog box or two, replacing the full name of a site simply with ‘the current site’, which should be easier on Mom and Dad users, I think.

    I’ll walk through an example experience:

    I’m on dogster, anywhere on the site and I am logged in. The ‘OpenID available’ button shows up in my URL. I click on it, and Safari asks me if I want to add “http://myname.dogster.com/” to my identities. I say ‘ok’ and from now on, anytime a site asks me for an OpenID, I get a popdown with all identities that I own, with the ‘default’ identity selected so pressing ENTER is all I need to do. If I have only one OpenID, there’s no popup at all. (To see this popup thing in action, download Opera. If you save multiple identities, instead of always using the last one saved like safari and firefox, you get a keyboard navigable popup). If I’m logged into my OpenID this session, I just get logged in. If not, instead of going off-site to my Open ID provider (say, dogster), firefox logs in FOR ME, I still don’t see a thing. If firefox doesn’t know the password or I didn’t allow it to store it, I get a popup from firefox itself (quick and doesn’t generate any confusion that another page from another host might cause) asking me to type in my dogster password.

    This does require forcing such services to use password authentication, but for the foreseeable future this doesn’t seem to change. A site can always explain that some form of authentication, but not a password, is needed, so firefox can still go to the site instead.

  2. Cristiano Betta http://ibbydibby.com/

    @Reinier, I think there is a standard login box for OpenID. I remember reading the specs somewhere. Furthermore about scaling: in the end with openid I also expect a few providers to “stick out”. I don’t think we will see 50 providers in the future, but more like a few that people really like. Although 1 dominantly popular provider per language (much like social networks now) is something you might expect.

    Isn’t it in the end about that provider that offers just that bit more that really makes people stick?

    @Alper: Nice idea and I think it will help for now, especially considering that some people in the beginning of the internet really didn’t understand the difference between a URL and a email address.

    I do wonder if this is annoying to people like us, who can’t rely on auto completion for our url, as we also have to make a selection everywhere in the selection boxes.

  3. Pascal Van Hecke http://vanhecke.info

    There’s a stub page on the wiki for some OpenID login box standardization:

    http://openid.net/wiki/index.php/OpenID_Login_Box

    I just added my own suggestion, to have a standard name for the input box. Could be used by Firefox extensions as well, as suggested by Reinier.

  4. Pascal Van Hecke http://pascal.vanhecke.info/

    My previous comment as non-authenticated user got in the spam or moderation queue…

    BTW: funny side-effect of the way the previously installed WP-openid plugin works - I could have my (non-existing) password reset by infering the internally stored user-id for OpenID-authenticated users :-)

  5. alper http://www.alper.nl

    Yes, you’re right that this won’t scale beyond too much and it should be a transition tool. It will fix the initial question people have ‘Do I have an OpenID?’ oh no but I do have a Wordpress.com account or an AIM account.

    This is a transition measure which works simply with what we have right now.

    Better things are possible of course:

    Browser plugins are the way to go and Firefox 3.0 is supposed to have OpenID support built in though I haven’t really been able to find out what the extent of functionality supported is. There was some talk about anti-phishing measures but there was also talk about integrated identity management in the browser.
    But this does take a concerted effort to get it right.

  6. Brendan Taylor http://necronomicorp.com/bct

    > That reminds me, is there a unique machine-identifiable
    > format for an OpenID login box? If not, may I suggest
    > this gets built PRONTO?

    A lot of sites use , but I don’t think that’s explicitly suggested anywhere.

  7. Brendan Taylor http://necronomicorp.com/bct

    err, <input name="openid_url"> ?

  8. jilles van gurp http://blog.jillesvangurp.com

    I think an additional solution could be to detect openid in a website using e.g. a firefox extension and to offer a big sign in with your openid button in the browser UI.

    Ideally this would be done using a microformat like solution. Just add “openidlogin” to the class of the input where the user is supposed to provide their openid url. All the extension then needs to do is prefill the field with the users id and submit the form the input tag is in.

    Unfortunately I don’t have time to get involved with this but I recommend that a proposal for this is submitted to microformats.org where it can be discussed further. Browser vendors are already working on microformat support and are considering openid support as well.

  9. Damon Haidary

    There is already a recommended way of denoting OpenID login boxes…

    http://openid.net/specs/specs-1.1.bml#submitclaim

    “It’s also recommend that the form field be named openid_url so browsers auto-complete user’s URLs between different sites, in the same way the ecommerce world tends to use conventions like “address1” and “address2”.”

  10. Peter Nixey http://www.sitepass.com

    Great post Alper, we felt exactly the same thing. OpenID is the most incredible proposition but way too difficult to use so we’ve tuned it a little ;) One click, no URL’s and not even a browser extension involved.

    Do you think that more people would install OpenID if it really were that simple to implement?

    Peter

  11. Jason

    Everyone here needs to start reading the OpenID specs again.

    http://openid.net/specs/openid-authentication-1_1.html#anchor6 Section 3.2’s important notes (3.2.1) are as follows:
    * It is RECOMMENDED that every Consumer place the OpenID logo at the beginning of the form field where the End User enters their Identifier URL.
    * The End User is NOT REQUIRED to prefix their Identifier URL with “http://” or postfix it with a trailing slash. Consumers MUST canonicalize the Identifier URL, following redirects, and note the final URL. The final, canonicalized URL is the End User’s Identifier.
    * It is RECOMMENDED that the form field be named “openid_url” so User-Agent’s will auto-complete the End User’s Identifier URL in the same way the eCommerce world tends to use conventions like “address1” and “address2”.

    2 of the 3 notes address nearly every comment above mine.

  12. Cristiano Betta http://ibbydibby.com/

    I think that OpenID is pretty cool because of the fact that we all realize that it is currently too difficult. So what do we do? We propose new methods. I am hoping to see this idea propagate into some kind of standard as it IS the easy way for most people.

  13. Carsten Pötter http://www.notsorelevant.com

    Good suggestion, Alper; http://ex.plode.us has a similar approach. Though I think people still won’t know what OpenID is about and that they can use their e.g. Dogster OpenID somewhere else, too. If they just have to type in their username instead of username.openidprovider.com they probably won’t be able to log in to the majority of RP’s because those RP’s might not feature a login box you are suggesting. You can’t force RP’s to have a box like that.

    Nevertheless it is an interesting and valid approach to spread OpenID. It should go hand in hand with other approaches like providing a small page explaining OpenID and/or linking to a list of OpenID providers.

  14. Cristiano Betta http://ibbydibby.com/

    @Carsten: You have a good point there, but maybe you can enhance the experience by doing a “live buildup” of the full URL using a bit of javascript magic? So let’s say I type in “cbetta” as my username and I select wordpress as my provider, then it would automatically show me my full url as “http://cbetta.wordpress.com” in a side bar or something.

    This way you create the awareness of the full URL without the hassle.

  15. Carsten Pötter http://www.notsorelevant.com

    That’s actually a splendid idea, Cristiano. I like that. :)

  16. eugene http://www.freeyourid.com/

    Or just use your real name with the .name freeyourid.com integrated OpenID platform. For example John Smith’s url and openid would be john.smith.name and his email would be john@smith.name

  17. alper http://www.alper.nl

    I took the suggestions here and updated the login box to also show what the generated OpenID URL is. See it at: http://alper.nl/ajax/openid.html

    It could benefit from some more design to distinguish between main login functionality and helper functionality, but I’m not a visual designer.

    @Jason, the OpenID specs could be somewhat more readable. Most stuff I know, I got from Simon Willison’s presentations and other publications online.

    @eugene, I tried to free my id but your form choked on my name: “Alper Çuğun”. There’s this thing called unicode you might want to implement.

  18. Cristiano Betta http://ibbydibby.com/

    Talking about OpenID: We re-added OpenID login to this blog. Should work if you can read this post.

    Just for your info: openid + wordpress is simply not easy. Just too much work.

  19. Joe Cascio http://joec0914.myopenid.com/

    I think it’s not too beyond reason to think that a large number of people would understand using a URL to login. Once the early adopters start using it, and the LoginWithOpenID controls start appearing on web-sites, people will catch on rather quickly. After all, they already know what a URL is. If you just call it a “web site address” I think a lot (ok not most yet) will grok it right away.

  20. alper http://www.alper.nl

    I just got around to watching The Implications of OpenID talk Simon Willison did at Google and he briefly touches on constructing OpenID URLs as described in this post.

    Also the similarity with OpenID and e-mail as SSO methods is pretty striking.

  21. Cristiano Betta http://ibbydibby.com/

    Uhhh, for your info: it was Simon giving the talk at Google, while he used to work for Yahoo.

  22. alper http://www.alper.nl

    Yeah fixed. It was late.

  23. Simon Willison http://simonwillison.net/

    I noticed today that pibb.com uses a variant of this technique: https://pibb.com/signin

  24. Cristiano Betta http://cristianobetta.com/

    Yeah, I noticed this on your blog. Looks interesting, but they did the “spacious” option which doesn’t really work if you want to support this for let’s say 20 providers ;)

  25. Angelo Gladding http://angelogladding.com

    After entering my OpenID, angelogladding.com, at one relying party I have never had to type it again. To test OpenID consumption I brewed a quick login prompt (4 lines HTML) and plugged a library (20 Python lines to implementation) on the backend. As you can see in the following screenshot my first login attempt needed only an “a” to get me going.

    http://angelogladding.com/static/openid.png

    You’ll notice that I use `angelogladding.com` to login. The scary “http://” should be assumed by the consumer (relying party).

    `openid.aol.com/angelogladding` is ugly but hey you gotta do what you gotta do to provide a namespace to 60 million users out the door.

    `angelogladding.livejournal.com` is nothing to complain about considering the alternative: `angelogladding@livejournal.com`

    OpenID has considerable forethought baked into its most recent release. If developers *RTFM* and *KISS* in terms of UI and URL construction the entire process of bringing OpenID to pragmatic reality will be expedited significantly. This is the key to any “open, decentralized, free framework” [1], no?

    First things first! Every one of you who took the 30+ seconds to write a comment should have prioritized your efforts and gone and registered an OpenID first! :) If you already have a blog or profile page, cut&paste the three lines required to set up a delegate (google it). The more early adopters we have swimming around the identity pool, the quicker we can start to push the technology on our moms.

    [1] http://openid.net

  26. Ted Rheingold http://www.dogster.com

    Woof woof! As a geek and an administrator of a large non-technical community I love this conversation. I think a lot was more widely understood because of the topic raise and commented on.

    For Dogster and Catster, I think the 1 and only reason to use OpenID now is the aim adoption. LJ and WP are nice, but much less likely. However I did a search and we have 1900 members with aim.com emails. That compares to 52,000 aol.com and 130,000 yahoo.com. If those services could be shown the OpenId light as well things would be very different.

    We might even consider saying ‘are you an AIM user’ if so you can use your login to create an account via OpenID.

    But I don’t think becoming a provider makes sense for us. I happened to speak to Barry, WP’s SysAdmin, who said it was quite a lot of work to set up WP, so we’d have to send the user away and hope they make it back. Until we felt it would be worth the investment to be a provider … though I’m not sure many members would even think/realize to use it if we did support it … it’s definitely still an opaque concept.

    I’m really thrilled you thought on our problems like this. It would be great to get it the last mile!

    t-

  27. Sjors http://www.svirsk.org/blog/
