Google's OpenID Relying Party

From IIW

Session Topic: Google as an OpenID Relying Party: Lessons, tips and updates (T1C)

Convener: Tzvika Barenholtz <tzvikab@google.com>

Notes-taker(s):

Tags for the session - technology discussed/ideas considered:


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Website with summary on Google's status as an OpenID relying party: http://sites.google.com/site/oauthgoog/UXFedLogin/google-rp-status

The presentation that was given is at the following URL: https://docs.google.com/present/view?skipauth=true&id=ajkhp5hpp3tt_87ds3v38fk

Notes on the presentation slides, by slide number:

1. How is OpenID helping Google?

2. About 50% of Google account users are Gmail users; the other 50% have email addresses from Yahoo, Hotmail, AOL, etc. (AOL is big in the USA.)

3. Basic and insufficient

4. Google wants to show customized search results (with the user's permission), so it wants more logged-in users and better email verification. It also wants a unified experience across the Web: whether the provider is Google or Yahoo, the login box should always look the same.

5. There are two groups of people: those with and those without Google accounts. What if a Google account was already created with an email address from Yahoo? How can retention be increased? The changes must not make things more difficult or more costly to support.

6. The OpenID sample store (http://openidsamplestore.com) is a best-practices sample of a third-party website delegating identity to third-party providers. It is a standard instance of the open source OpenCart package in which the login system has been changed to use OpenID. The motivation is the need to reduce helpdesk costs. The sample site has a dozen videos showing the scenarios that users get themselves caught in; the sad reality is that there are many edge cases, and they are horrible.

7. The vision is for OpenID login to be as simple as a regular login. The prototype at federatedux.appspot.com is a preview of what Google would like.

8. The approach to becoming an RP was gradual. At first, Google used OpenID only to verify the email address inline during signup, with the user's email provider acting as the OpenID provider, instead of sending a verification link to the user's inbox. This produced a double-digit increase in the percentage of accounts verified.
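The inline email verification in slide 8 only works if the RP accepts an asserted email address on the right terms: the address must be covered by the OP's signature, and the OP that signed it must be the provider discovered for the address's own domain, so that no other OP can vouch for a gmail.com address. The following is an added example of that relying-party-side check, written for these notes; it is not code from the session or from Google. It assumes the OpenID library has already verified the signature on the response (association lookup or check_authentication), and the domain-to-endpoint table and the sample responses below are constructed for the example.

```python
# Added example: RP-side check before treating an e-mail asserted over OpenID 2.0
# Attribute Exchange (AX) as verified. Not from the IIW notes or Google's code.
# Assumes the OpenID library has already verified openid.sig over openid.signed.
from urllib.parse import parse_qs

# CONSTRUCTED stand-in for the result of OpenID discovery on the e-mail domain.
# Real code would run Yadis/XRDS discovery for the domain and cache the result;
# the second endpoint is hypothetical.
AUTHORITATIVE_OP_FOR_DOMAIN = {
    "gmail.com": "https://www.google.com/accounts/o8/ud",
    "example-mail.test": "https://op.example-mail.test/openid",
}

AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPE = "http://axschema.org/contact/email"


def parse_openid_response(query_string):
    """Flatten an OpenID 2.0 indirect response (query string) into a dict."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def ax_alias(fields):
    """Return the alias under which the AX extension was carried (openid.ns.<alias>)."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def asserted_email(fields):
    """Return the e-mail asserted via AX, but only if the AX namespace, the
    attribute type and the attribute value all appear in openid.signed."""
    alias = ax_alias(fields)
    if alias is None:
        return None
    signed = set(fields.get("openid.signed", "").split(","))
    type_prefix = f"openid.{alias}.type."
    for key, value in fields.items():
        if key.startswith(type_prefix) and value == AX_EMAIL_TYPE:
            attr = key[len(type_prefix):]
            # Keys in openid.signed omit the "openid." prefix.
            needed = {f"ns.{alias}", f"{alias}.type.{attr}", f"{alias}.value.{attr}"}
            if needed <= signed:
                return fields.get(f"openid.{alias}.value.{attr}")
    return None


def verified_email(fields):
    """Return the e-mail only if it is signed AND the signing OP is the one that
    discovery yields for the address's domain. An OP may vouch only for
    addresses in domains it is authoritative for."""
    email = asserted_email(fields)
    if not email or "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].lower()
    if AUTHORITATIVE_OP_FOR_DOMAIN.get(domain) != fields.get("openid.op_endpoint"):
        return None
    return email


# CONSTRUCTED sample responses (signature values are placeholders).
_COMMON = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http://axschema.org/contact/email"
    "&openid.ext1.value.email=alice@gmail.com&openid.sig=placeholder"
)
_SIGNED_WITH_AX = ("&openid.signed=op_endpoint,claimed_id,identity,return_to,"
                   "response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email")
_SIGNED_WITHOUT_AX = ("&openid.signed=op_endpoint,claimed_id,identity,return_to,"
                      "response_nonce,assoc_handle")

SAMPLE_GOOD = _COMMON + "&openid.op_endpoint=https://www.google.com/accounts/o8/ud" + _SIGNED_WITH_AX
# A different OP asserting a gmail.com address must not be trusted.
SAMPLE_ROGUE_OP = _COMMON + "&openid.op_endpoint=https://op.example-mail.test/openid" + _SIGNED_WITH_AX
# The right OP, but the AX fields are outside the signature.
SAMPLE_UNSIGNED = _COMMON + "&openid.op_endpoint=https://www.google.com/accounts/o8/ud" + _SIGNED_WITHOUT_AX


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("rogue OP", SAMPLE_ROGUE_OP), ("unsigned", SAMPLE_UNSIGNED)]:
        print(name, "->", verified_email(parse_openid_response(sample)))
```

Only the first sample yields a usable address; the second is rejected because the signing endpoint is not the one discovered for gmail.com, and the third because the AX fields are not under the signature. Both checks are needed: signature coverage alone says nothing about whether the OP is entitled to speak for that domain.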

9. The OIX trust framework is an additional layer that OpenID providers need to support so that the whole process becomes smooth (language support, etc.). See http://sites.google.com/site/oauthgoog/

10. The next step after implementing verification was to implement a whole signup flow. With the OpenID process one can give the user a better signup experience. See it live at http://www.mysears.com: click on Google and create an account. It is brand new and allows you to create a Google account using other providers such as Hotmail; that account is then used to log in to mysears.com. It is all about making things smoother for users. Discussion: most people want one profile per email account, which is why Google doesn't have multiple emails per account. If people need to "merge" accounts because they get invites at multiple email addresses, they manually share docs between those accounts, in Google Docs for example.

12. This schedule could be accelerated if you are starting a website from scratch.

14-15. If the email address on your Google account is from a supported provider, you can "upgrade" to a federated account: you get rid of your password and log in with OpenID. If you leave the password empty when logging in to Google with such an account, you are sent to the OpenID signup flow. Google needs more people to sign up for this and test it.

16-17. Unless a company is in the special case of providing email itself, the two-tab login box from the sample site is the way to offer OpenID login. Be careful: it is all about reducing the drop-off. Don't change something (such as the use of passwords) if the change adds steps and makes the flow worse.

19. The next step will be the identity selector. There is a full session on account selection on Wednesday.

21. Google is recruiting more IdPs and RPs. If you have many people logging in with username/password and you have a helpdesk, this is for you. Use companies such as Janrain and Ping if you can, rather than reinventing the wheel.

