What an RP Needs
From IIW
http://www.slideshare.net/jsmarr/what-an-rp-wants-part-2
What an RP Wants - Part II, Joseph Smarr, 11/02/09
What we said in February
- Hybrid OpenID/OAuth is a game-changer
- Plaxo/Google integration proved the “Chasm of Death” can be crossed
- 92% success rate
- We need all the major players to become first-class OpenID Providers (OPs)
- More user data (profile/email + contacts)
- User-friendly (not scary) consent UI
- Auto-login on return (checkid_immediate)
- Commitment to do what it takes for both sides to be successful
- What’s happened since (ship early & often)
What’s happened since
- Facebook became an OpenID RP and joined the OpenID Foundation
* Plaxo built a deep 2-way integration with Facebook (using Facebook Connect)
- MySpace rolled out full Hybrid/Open Stack (though without validated email address)
- Microsoft declared they’ll do OpenID for real (though were vague on timing)
- Yahoo rolled out Hybrid.

What hasn’t happened since
Still waiting for more great OPs
- Facebook (Hybrid RP)
- Microsoft (Doing OpenID, but OAuth?)
- AOL (OpenID, but not 2.0 or Hybrid)
- Twitter (OAuth, but OpenID?)
- Plaxo (Hybrid RP and PoCo Provider)
- LinkedIn (?)
Still waiting
So, where do we stand?
- Significant progress, though more slowly than we might have hoped
- But the fact is, I cannot recommend a new startup bet their business on being an RP. Why?
- Still a bunch of unsolved issues and unmet needs… for more great OPs
What an RP Wants - nope.... What an RP NEEDS.
More high-quality OPs
- Desktop / mobile / API best practices
- Solution to the “Nascar problem”
- Confidence that RP users are 1st class
- Virtuous cycle
Desktop / mobile / APIs
- OpenID login is a web-only solution
- As an RP, how do my users log in to:
* My rich desktop client
* My iPhone app
* My REST API
* My TV widget
- Option: use OAuth flows as a bridge
* Pop a browser for OAuth flow
* Log in using (web-based) OpenID
* Need some way to tell the client to continue
- Option: direct auth API proxied to OP?
* Simpler UI, but assumes username/password
* Do this for all users, or just RP users?
* Consistency vs. complicating the base case
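The "pop a browser, then tell the client to continue" bridge above can be implemented with a loopback redirect: the native client listens on 127.0.0.1, opens the system browser on the OP's web login, and the OP redirects the browser back to the listener with a one-time state value that binds the callback to this client's request. The following is an added example, not code from the slides or from Plaxo; the authorization endpoint, client id and port are assumed placeholders.

```python
"""Bridge a web-only OpenID/OAuth login into a native client via a loopback redirect."""
import hmac
import secrets
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholder; a real RP uses the OP's discovered authorization endpoint.
AUTH_ENDPOINT = "https://op.example/authorize"

def build_authorization_url(client_id, redirect_uri, state):
    """URL the client opens in the system browser; state is random per attempt."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)

def parse_callback(path, expected_state):
    """Validate the redirect the browser delivers to the loopback listener."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    state = params.get("state", [""])[0]
    # Constant-time compare: a callback with the wrong state was not started by us.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not bound to this client's request")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback missing authorization code")
    return code

def wait_for_callback(port, expected_state):
    """Serve exactly one request on 127.0.0.1:<port> and return the code."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                body, status = b"Login complete; you may close this window.", 200
            except ValueError as exc:
                result["error"], body, status = exc, str(exc).encode(), 400
            self.send_response(status); self.end_headers(); self.wfile.write(body)
        def log_message(self, *args):  # keep the client quiet
            pass
    with HTTPServer(("127.0.0.1", port), Handler) as srv:
        srv.handle_request()
    if "error" in result:
        raise result["error"]
    return result["code"]

if __name__ == "__main__":
    state = secrets.token_urlsafe(32)
    url = build_authorization_url("desktop-client", "http://127.0.0.1:8765/cb", state)
    webbrowser.open(url)
    print("authorization code:", wait_for_callback(8765, state))
```

The client then exchanges the code for tokens over its own back-channel; the loopback listener only ever sees the short-lived code, never the user's password.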
Solution to the “Nascar problem”
- How many buttons?
- What about smaller OPs?
- What to do for return users?
- Visits from another computer?
- E-mail addresses as IDs?
- What about OPs that aren’t webmail providers?
Confidence in RP users
- Part perception issue, part reality
- What happens when an OP dies?
- If users get trained by login buttons, can I ever move/change them?
Virtuous Cycle
Conclusion:
- We’ve still got a lot of work to do.
- Why I still believe… (picture of the community at IIW)