Comments on: Making OpenID more useful: let’s detect logged-in state

By: Tune Up Your PC » Post Topic » My pixels aren’t free ad space for your network – ‘Connecting’ needs targeting

Tue, 07 Jul 2009 20:18:27 +0000

[...] In this post I am continuing investigation to solve what Chris Messina dubs the Nascar problem (Luke Shepard has also weighed in on this from an Open ID point of view). [...]

By: Social Lipstick » Blog Archive » Logout: the other half of the identity equation

Fri, 22 May 2009 21:37:04 +0000

[...] subsequent visits, if the user is signed into their provider, then the relying party detects that and automatically logs them into their own [...]

By: history of lipstick

history of lipstick — Thu, 30 Apr 2009 02:20:43 +0000

history of lipstick…

Personally I like AJAX commenting and display. While it’s not a must have by any means, the easier it is to comment the more likely I am to do it….

By: Bill Shupp

Bill Shupp — Mon, 20 Apr 2009 05:58:18 +0000

Allen,

Agreed. This is not such an issue for OPs where there is only one “persona”. But I like the idea of OPs allowing users to pre-select whether or not to communicate their logged state to RPs. Maybe even include a list of personas that the user could select in the resulting dialog on the RP side, with a follow up request for any AX/SREG information (so it is not sent before a persona is authorized).

Regards,

Bill

By: Bertil Hatt

Bertil Hatt — Fri, 17 Apr 2009 21:08:31 +0000

You might want to have a default list of providers (based on the site’s previous users, or more general statistic) and a button “I don’t understand” or “Pick one for me” that choses one at random; even better, a button “Tell me which account I already have” triggers the History script.

By: Your stuff is here, here and here. Rely on it | Coded Style

Your stuff is here, here and here. Rely on it | Coded Style — Fri, 17 Apr 2009 17:45:36 +0000

[...] stuff is here, here and here. Rely on it Luke Shepard posted about avoiding Open ID Nascar and detecting the user’s [...]

By: Allen Tom

Allen Tom — Fri, 17 Apr 2009 01:06:16 +0000

In our experience, we’ve seen that many users have several accounts, each with a different purpose, and they deliberately do not want to link the accounts together. For instance, someone might have a professional persona using one account, and a party persona using another.

We have to be careful to protect the user’s privacy if the user has multiple personas on the RP, each tied to a different OP. If the user happens to be signed into both OPs (for instance, if the user using both Google Docs and Yahoo Mail) knows which account is being used when visiting the RP. This is one of the reasons why Yahoo does not (currently) support checkid_immediate — we want the user to be aware of which account or persona is being used when signing into an RP.

In the Facebook case, where everyone uses their Real Identity, juggling multiple personas isn’t really an option, however that might be the case for other OPs.

By: Jon Menzies-Smith

Jon Menzies-Smith — Thu, 16 Apr 2009 08:50:56 +0000

Something you have neglected to mention is the case for users who have not yet visited the provider site, what happens if the browser history is cleared and how should you behave for shared pcs. You end up getting yourself back into the same predicament.

I certainly wouldnt want to have to visit openid or log into facebook in order to be presented with the options to log in.

By: Chris Messina

Chris Messina — Thu, 16 Apr 2009 04:50:07 +0000

Also, in opposition to Niall’s hacked approach, there’s no saying when (or if) browser makers will fix this bug (few sites seem to use defaults anyway — maybe :visited will go away?) and furthermore (or worse) it complicates things by creating inconsistent user experiences across devices with different browsing histories.

In other words, on your personal laptop, perhaps you can test that someone’s been to Yahoo, Google and so on… but on the office system that’s locked down, perhaps history is cleared on a regular basis and you’re unable to get the same results on the other machine. That means that you’re delivering varying user experiences with no rhyme or reason, because the mechanism is opaque to the user.

Allowing the OP to advertise whether the user’s signed in or not is a nice compromise, where you can opt in for added convenience or choose not to in favor of preserving privacy.

By: Luke Shepard

Luke Shepard — Thu, 16 Apr 2009 03:22:08 +0000

Niall, I think I agree with David - while clearly tempting, reading browser history is too broad and doesn’t allow user control. With the browser history hack, the user has really only two choices: either she allows all or none.

At least if the provider chooses to release that information, then it is under the control of the provider. As David points out, the provider can act on behalf of its users, and allow for some to opt out. And as we’ve seen, some providers will leak this info, and others will refuse - so we can let the marketplace decide the right balance between openness of data and privacy.

Chris- totally agree (which is why I included the objection). But I think this is an incremental step. Once/if this becomes widespread, I think it could be one step along the way to a better, but more complicated solution (like the central discovery service).