Google as an OpenID RP

From IIW

Session: Tuesday Session 5 Space I

Conference: IIW 10 May 17-19, 2009 (Complete Set of Notes)

Convener: Ilan Caron, Eric Sachs, Yaniv Shuba 

Notes-taker(s): Jacky Wang, Yaniv Shuba

Tags: Technology discussed / demo / google practice 

Notes:  

  1. Currently, Google accepts OpenID login for Blogger, Moderator, FriendConnect, App Engine, FreeMusic (in China)
  2. GAIA - integrate OpenID into Google account management
  3. Create Google account: "easy verification" - half of the Google accounts are created using Yahoo/AOL(?) email addresses.  Therefore, we'd like to verify whether the user is who they claim to be.
  4. Hybrid onboarding - OAuth plugged in.
  5. Support multiple ID provider protocols, like OpenID, Windows Live ID, and Chinese local ID providers (Renren.com, etc.) 

[Demo1: sync email validation]...

  • What kind of email addresses are considered to be trusted?

Only the email provided by the same IDP.  e.g.: abc@yahoo.com from Yahoo!, which is an IDP. 

[Demo2: federated login demo - share a Google doc to the Yahoo user]

  • How could a user move their email, say, from Yahoo to AOL? The scenario is pretty complicated - it includes moving from a federated domain to an un-federated domain and vice versa, and from one federated domain to another.  It's an ongoing effort. 
  • What's the checklist that an IDP needs to go through before Google trusts them?

Eric will start a new session on Wed to discuss it. 


NOTES BY: Yaniv Shuba

Google’s live OpenID RP features:

  • Blogger, Moderator, App Engine and China Free Music already function as an RP.
  • Friend Connect - an easy way to make your site an RP. 

Work in progress:

  • Integrate OpenID support into Google's login page.
  • Easy verification - allow e-mail address verification during account creation using OpenID, instead of the regular procedure where a verification e-mail is sent to the user.
  • Hybrid onboarding - authorize Google to get your Yahoo contact information while you sign in.
  • Google is compiling a list of requirements that IDPs must meet to qualify as IDPs to Google.
  • The Google login page will have to change to reflect the different use-cases introduced by federated login. 

[Demo1: sync email validation]...

  • What kind of email addresses are considered to be trusted? Only the email provided by the same IDP.  e.g.: abc@yahoo.com from Yahoo!, which is an IDP. 
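The trusted-email rule recorded in both sets of notes (an address counts as verified only when it is asserted by the IDP that owns its domain) can be sketched as the RP-side check below. This is an added example, not Google's code: the endpoint URLs are constructed placeholders, and `email_is_idp_verified` and its `assertion_verified` flag (standing in for the protocol's own signature and nonce checks) are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed placeholder table: email domain -> the one OP endpoint the RP
# treats as authoritative for that domain (assumption: endpoints are pinned).
AUTHORITATIVE_OP = {
    "yahoo.com": "https://op.yahoo.example/openid",
    "aol.com": "https://op.aol.example/openid",
}

def _origin_and_path(url):
    """Return (host, port, path) for an https URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:                  # malformed port or netloc
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.hostname.lower(), port, parts.path)

def email_is_idp_verified(asserted_email, op_endpoint, assertion_verified):
    """True only if a verified assertion came from the IDP that owns the
    email's domain; otherwise fall back to sending a verification e-mail."""
    if not assertion_verified:          # signature/nonce check failed or skipped
        return False
    local, sep, domain = asserted_email.rpartition("@")
    if not (sep and local and domain):
        return False
    pinned = AUTHORITATIVE_OP.get(domain.lower())
    if pinned is None:                  # un-federated domain: no IDP to trust
        return False
    seen = _origin_and_path(op_endpoint)
    # Exact match on host, port and path. Suffix or substring matching would
    # accept look-alike hosts that merely contain the IDP's name.
    return seen is not None and seen == _origin_and_path(pinned)

if __name__ == "__main__":
    # Constructed sample assertions: (email, asserting endpoint).
    for email, op in [
        ("abc@yahoo.com", "https://op.yahoo.example/openid"),
        ("abc@yahoo.com", "https://op.aol.example/openid"),
        ("abc@unfederated.example", "https://op.yahoo.example/openid"),
    ]:
        print(email, op, email_is_idp_verified(email, op, True))
```
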

[Demo2: federated login demo - share a Google doc to the Yahoo user]

  • How could a user move their email, say, from Yahoo to AOL? The scenario is pretty complicated - it includes moving from a federated domain to an un-federated domain and vice versa, and from one federated domain to another.  It's an ongoing effort.