Thursday, March 31, 2011

All those NASCARs

We have not really made a breakthrough in recent years on the questions of
- Identity Provider Discovery
- security and privacy UI
- Identity in the Browser
- intelligent agents, or whatever you call them
- OpenID UI
- add your favorite here...

Although there has been no lack of efforts to solve some of these issues:
- cardspace
- openinfocard
- azigo's selector
- Kantara login ULX
- openidsamplestore.com
- Janrain's Engage
- ...

We really need browser support. So let's start - again - with: Identity in the Browser.

Requirements:
- user centric
- ask for user consent before leaking information.
- help the users discover the reusable identities they already have.
- don't favor any identity provider.
- not too many user choices. Keep it simple.
- allow the site to detect whether identity in the browser is supported.

I created a Firefox addon that tries to achieve just that, or at least to go in that direction:
http://ignisvulpis.blogspot.com/2011/03/openid-for-firefox4.html
I concentrated on OpenID support, but I think it is easy to generalize from there.

The DOM level API that allows the site to query the preferred identity provider looks like this:

window.openid.getPreferredOpenidProvider(callback);

The site can detect support by testing whether the new child of the window object is present:
if (window.openid) { /* don't show the NASCAR */ }
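As an added example (not code from the addon or from this post), here is how a relying-party page could use that detection to replace the NASCAR, and fall back to it when the API is absent or hands back nothing usable. The post does not document what the callback receives; this example assumes it is the preferred OP endpoint URL as a string, or null when the browser has nothing to offer. `renderNascar` and `startOpenidLogin` stand for the site's own UI and login code.

```javascript
// Added example, not code from the addon or the post: a relying-party page
// deciding between the browser's identity API and the provider-logo "NASCAR".
// Assumptions (not documented on the page): the callback passed to
// window.openid.getPreferredOpenidProvider receives the preferred OP endpoint
// URL as a string, or null when the browser has nothing to offer;
// renderNascar and startOpenidLogin stand for the site's own UI and login code.

// The value comes from outside the page, so treat it as input: only an
// absolute http(s) URL is acceptable as an OP endpoint to redirect to.
function isAcceptableOpEndpoint(value) {
  if (typeof value !== 'string') return false;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return false;           // not an absolute URL at all
  }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// Picks the login flow for a window-like object. Returns which path was taken
// ('browser-api' or 'nascar') so the decision can be observed and tested.
function chooseLoginFlow(win, renderNascar, startOpenidLogin) {
  // Feature detection as in the post: the addon exposes window.openid.
  const api = win.openid;
  if (!api || typeof api.getPreferredOpenidProvider !== 'function') {
    renderNascar();
    return 'nascar';
  }
  api.getPreferredOpenidProvider(function (opEndpoint) {
    if (isAcceptableOpEndpoint(opEndpoint)) {
      startOpenidLogin(opEndpoint);
    } else {
      // User declined, no identity known, or an unusable value: fall back.
      renderNascar();
    }
  });
  return 'browser-api';
}

// Constructed stand-ins for window so the example runs outside a browser.
const windowWithAddon = {
  openid: {
    getPreferredOpenidProvider: function (cb) { cb('https://op.example.net/openid/server'); }
  }
};
const windowDeclining = {
  openid: {
    getPreferredOpenidProvider: function (cb) { cb(null); }
  }
};
const windowWithoutAddon = {};

// Stand-alone demonstration of the three cases.
[windowWithAddon, windowDeclining, windowWithoutAddon].forEach(function (win) {
  const path = chooseLoginFlow(
    win,
    function () { console.log('  showing the NASCAR'); },
    function (ep) { console.log('  redirecting to OP endpoint ' + ep); }
  );
  console.log('path taken: ' + path);
});
```

Checking the callback's value is deliberate: the addon is a trusted component, but whatever it passes to the page is still input from outside the page, so the site accepts only absolute http(s) endpoints before sending the user there, and shows the NASCAR in every other case.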


Maybe I should not have named this "window.openid" but "window.identity"?!
I guess that is for the W3C to decide. They just added another event to Identity-May:
"W3C Workshop on Identity in the Browser"

I really hope that we get W3C support for Identity. It is not important whether this is called window.openid or navigator.openid or whatever. We have a nice example of another W3C API, Geolocation, and I modelled my Identity API suggestion along those lines.

What next?
I) The UI of my addon is not that polished.
[Screenshot: the addon asking for permission to store an OpenID]

a) In this case the file URL is especially ugly, and for file URLs there are not that many alternatives.
In the website case the addon could
- show the site's URL
- show the site's favicon instead of URL
- show the site's icon from the extended validation certificate
- show the site's "other icon" which I don't know how to get in a standardized way
- show the site's name / title from the webpage
- show the site's name from the certificate

b) Should I show which openid the addon is going to provide to the site?
Actually the user does not really care whether this is an openid or whatever.
Here the addon could
- show the user's openid.claimed_id
- show the user's openid.identity
- show the OpenID Provider's (OP) favicon from the openid.op_endpoint
- show the user's icon/image provided by the OP
- let the user add an icon to that openid

II) Should the addon use the Firefox notification box or the newer notification popups?
The notification box might be too easy for a website to fake, but then there is no real point in faking it. Or is there?

III) The "learning new OpenIDs" notification popup

Here the addon could
- show the user's openid.claimed_id (as seen in the picture above)
- show the user's openid.identity
- show the OpenID Provider's (OP) favicon from the openid.op_endpoint
- show the user's icon/image provided by the OP
- let the user add an icon to that openid

IV) Does the user already have reusable Identities?
- The addon could just open a tab that shows the OpenID Foundation's "get an openid" page.
- I implemented a feature where the browser helps the users find their reusable identities. The browser knows a lot about the sites the user has visited and may have stored the user's credentials for some of them. My implementation iterates through all domains with stored credentials and requests the Yadis XRD for each. If the XRD contains OpenID information, the domain is shown as a potential "openid you might already have".
This feature is not in the version I have uploaded to Mozilla.
- The addon could use Mozilla's Firefox Sync OpenID provider, which would violate the rule not to prefer any identity provider...
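The discovery scan from the second item above, as an added example that is not the addon's code: it takes the domains for which the password manager holds credentials, fetches each domain's XRDS document through an injected `fetchXrd` function (an assumption made so the scan runs offline here against constructed documents), and reports the domains whose XRDS advertises an OpenID 2.0 service. The service type URIs are the ones defined by OpenID Authentication 2.0; the XRDS documents and domain names are constructed.

```javascript
// Added example, not the addon's code: the "openid you might already have" scan.
// The browser's password manager knows which domains hold stored credentials;
// for each such domain we fetch its XRDS document and check whether it
// advertises an OpenID 2.0 service. Only the domain name is used; the stored
// credentials themselves never leave the browser.
// Assumption: fetchXrd(domain) is supplied by the caller and returns the XRDS
// text (a real addon would GET https://<domain>/ with Accept: application/xrds+xml
// and follow X-XRDS-Location) or null when discovery fails.

// Service type URIs defined by OpenID Authentication 2.0.
const OPENID_SERVICE_TYPES = [
  'http://specs.openid.net/auth/2.0/server', // OP Identifier element
  'http://specs.openid.net/auth/2.0/signon'  // Claimed Identifier element
];

// Returns the <Type> values of every <Service> element in an XRDS document.
// A regex walk keeps this runnable under Node; inside Firefox the addon would
// parse with DOMParser instead.
function xrdServiceTypes(xrdsText) {
  const types = [];
  const serviceRe = /<Service\b[^>]*>([\s\S]*?)<\/Service>/g;
  let service;
  while ((service = serviceRe.exec(xrdsText)) !== null) {
    const typeRe = /<Type>\s*([^<\s]+)\s*<\/Type>/g;
    let type;
    while ((type = typeRe.exec(service[1])) !== null) {
      types.push(type[1]);
    }
  }
  return types;
}

// True when the document advertises at least one OpenID 2.0 service.
function xrdAdvertisesOpenid(xrdsText) {
  return xrdServiceTypes(xrdsText).some(function (t) {
    return OPENID_SERVICE_TYPES.indexOf(t) !== -1;
  });
}

// domains: hostnames with stored credentials; returns those that look like OPs.
// A failing or throwing fetch for one domain must not abort the whole scan.
function findOpenidsUserMightHave(domains, fetchXrd) {
  const found = [];
  domains.forEach(function (domain) {
    let xrds = null;
    try {
      xrds = fetchXrd(domain);
    } catch (e) {
      xrds = null;            // network error, bad XML, etc.: skip this domain
    }
    if (typeof xrds === 'string' && xrdAdvertisesOpenid(xrds)) {
      found.push(domain);
    }
  });
  return found;
}

// Constructed sample documents (not real sites).
const SAMPLE_OP_XRDS = [
  '<?xml version="1.0" encoding="UTF-8"?>',
  '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">',
  '  <XRD>',
  '    <Service priority="0">',
  '      <Type>http://specs.openid.net/auth/2.0/server</Type>',
  '      <URI>https://op.example.net/openid/server</URI>',
  '    </Service>',
  '  </XRD>',
  '</xrds:XRDS>'
].join('\n');

const SAMPLE_OTHER_XRDS = [
  '<?xml version="1.0" encoding="UTF-8"?>',
  '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">',
  '  <XRD>',
  '    <Service>',
  '      <Type>http://example.com/not-openid/1.0</Type>',
  '      <URI>https://shop.example.com/api</URI>',
  '    </Service>',
  '  </XRD>',
  '</xrds:XRDS>'
].join('\n');

// Constructed offline stand-in for the network fetch.
const CONSTRUCTED_XRDS_BY_DOMAIN = {
  'op.example.net': SAMPLE_OP_XRDS,
  'shop.example.com': SAMPLE_OTHER_XRDS,
  'plain.example.org': null           // no XRDS document at all
};
function lookupConstructedXrd(domain) {
  if (domain === 'broken.example.net') throw new Error('constructed network failure');
  return Object.prototype.hasOwnProperty.call(CONSTRUCTED_XRDS_BY_DOMAIN, domain)
    ? CONSTRUCTED_XRDS_BY_DOMAIN[domain] : null;
}

const DOMAINS_WITH_CREDENTIALS = ['shop.example.com', 'broken.example.net', 'op.example.net', 'plain.example.org'];

console.log('openids you might already have:',
  findOpenidsUserMightHave(DOMAINS_WITH_CREDENTIALS, lookupConstructedXrd));
```

Two details matter for a browser-side implementation: the scan asks each domain only for its public XRDS and never touches the stored password, and a domain whose discovery fails (no document, network error, unparseable XML) is skipped rather than aborting the scan, so one broken site cannot hide the user's real OpenIDs from them.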

V) Mobile support
Firefox Mobile is out. The addon currently does not support Firefox Mobile, which brings me to the next point.

VI) The addon could add identities (OpenIDs) to form input fields from a context menu: right-click the page or an input element, and the user is offered the choice to insert the OpenID into that input field. On the other hand, this would be done better by the site's JavaScript code after it has detected support through the DOM API.

VII) Support identities issued by mobile operators.
Should be easy... Support mobile wallets.

VIII) The OpenID icon in the URL bar might be too much for other providers. I don't care for now.

Please support Identity in the Browser!

1 comment:

tal said...

I've recently had a similar Firefox OpenID plugin accepted:

https://addons.mozilla.org/en-US/firefox/addon/openid-login/

Maybe we can combine them somehow?