More User Friendly Authentication Flow


Plaxo and Google are currently test-driving the OpenID/OAuth Hybrid Extension, which is still a draft. By combining OpenID authentication with OAuth-based authorization, this new extension to the OpenID protocol reduces the number of redirects between the OpenID Provider and the consuming site, the Relying Party, whenever access to further data from the provider is required or desired. This technical reduction of redirects also benefits users: they no longer have to authenticate with their OpenID first and then, in a second step, grant the Relying Party access to more data such as their address book.

As you can probably imagine, the new extension only works if the OpenID Provider is also the OAuth Service Provider and the Relying Party is also the OAuth Consumer. Other combinations don’t work. Translated to the Plaxo/Google example, Plaxo is the Relying Party/Consumer and Google is the OpenID/OAuth Provider.

The implementation basically works like this: Plaxo members invite Gmail users, who are redirected to Plaxo when they click the invite link from within their Gmail account. Users are then asked whether they want to sign up with their Google account and whether they want to import their Google address book. They are then redirected to Google to confirm the sign-in request (the OpenID part of the flow) and to grant access to their address book (the OAuth part). Once they confirm both requests, they are redirected back to Plaxo, signed in, and their address book is imported. For more information on the implementation, have a look at the Plaxo and Google blogs.
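To make the single round trip concrete, here is an added example (not code from Plaxo, Google or the blog) of what the Relying Party sends and receives in the hybrid flow: one OpenID checkid_setup request that also carries the OAuth consumer key and scope, and a parser for the positive assertion that pulls out the approved OAuth request token. Endpoint URLs, the consumer key, the Contacts scope and the sample response values are constructed for illustration; signature verification (check_authentication or a stored association) is assumed to happen separately.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def build_hybrid_request(op_endpoint, return_to, realm, consumer_key, scope):
    """RP side: one OpenID authentication request that also asks for OAuth authorization."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        # OAuth extension fields: which consumer is asking and for which scope
        "openid.ns.oauth": OAUTH_EXT_NS,
        "openid.oauth.consumer": consumer_key,
        "openid.oauth.scope": scope,
    }
    return op_endpoint + "?" + urlencode(params)


def extract_hybrid_response(return_url, expected_return_to):
    """RP side: parse the OP's redirect back and return the claimed id plus the
    approved request token, or None if the user cancelled. The RP then trades the
    token (with an empty token secret) for an access token at the OAuth endpoint."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(return_url).query).items()}
    if q.get("openid.mode") != "id_res":
        return None
    if q.get("openid.return_to") != expected_return_to:
        raise ValueError("openid.return_to does not match this RP")
    # The extension alias is chosen by the OP, so locate it via its namespace URI
    alias = next((k[len("openid.ns."):] for k, v in q.items()
                  if k.startswith("openid.ns.") and v == OAUTH_EXT_NS), None)
    result = {"claimed_id": q["openid.claimed_id"], "request_token": None, "scope": None}
    if alias is None:
        return result  # plain OpenID login; no OAuth grant came back
    # Only trust extension fields that the OP covered with its signature
    signed = set(q.get("openid.signed", "").split(","))
    if f"{alias}.request_token" not in signed:
        raise ValueError("OAuth request token is not covered by openid.signed")
    result["request_token"] = q.get(f"openid.{alias}.request_token")
    result["scope"] = q.get(f"openid.{alias}.scope")
    return result


# Constructed sample of a positive assertion, using the alias "ext1" for the extension
SAMPLE_RESPONSE = "https://rp.example/return?" + urlencode({
    "openid.ns": OPENID_NS, "openid.mode": "id_res",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.ns.ext1": OAUTH_EXT_NS,
    "openid.ext1.request_token": "CONSTRUCTED_REQUEST_TOKEN",
    "openid.ext1.scope": "http://www.google.com/m8/feeds/",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ext1,ext1.request_token,ext1.scope",
    "openid.sig": "constructed-signature",
})
```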

While this implementation is currently only a test, it shows how the OpenID/OAuth flows can be simplified and made more user-friendly. This will certainly help raise acceptance of the protocols, not only among users but also among bloggers and other press, who often favor Facebook Connect when comparing it to OpenID.

Update: I almost forgot. There is a demo of the hybrid protocol available at http://googlecodesamples.com/hybrid/ which also features Portable Contacts data. Cool stuff!

Google Hybrid Protocol Demo


  • I agree, browsers and the ease of use will play an important role if OpenID is to succeed. Plugins like Sxipper and SeatBelt are first indications.

    However, OpenID has to work equally well on mobile devices. The number of people using such devices for the internet will certainly grow over the next few years, and they want to use their OpenID on those devices as well.
  • It's funny, I was just reading the old article on Google's choice for their use of OAuth in their OpenID support, and they mentioned OpenSocial and Portable Contacts integration for the future.

    I see a future in OpenID and Data Portability in which we'll have services from all sorts of different websites, consolidated under one login.

    The only issue left with OpenID is the ease of use, and I'm with everyone who says that the login part should be handled within the browser (and through Google Gears when certain browsers don't support it).