Saturday, May 10, 2008

OpenID Patterns: The Good, The Bad, and The Ugly


In looking at how my blog does OpenID login and comments, I was really wishing that it did what I would expect: When someone wants to post a comment, all I care about is their identity (which is mostly just to show that they're not impersonating someone else), and whether or not they are a spammer.

The Good

OpenID and Captcha is all you need to comment
So ideally, my blog could just ask for a commenter's OpenID and have them answer a captcha. Unfortunately, Drupal's current OpenID implementation has the same problem as others I've seen, which is the obsession with people having an "account".

A site's OpenID implementation should not require an account, a password, and email confirmation on top of an OpenID. I was excited when I realized that Blogger has the right interface for commenting: an OpenID login and a captcha (don't tell any spammers what it says!).

The Bad

I need your Google password to continue
I was all ready to give Blogger all kinds of props when I noticed that their login screen asks me for my Google password. Now, Blogger is actually owned by Google, but not everyone knows that, and so this looks like a phishing attack.

You should not give out your Google password to a third-party web site. It's just a bad idea. One simple example why: whoever has your Google password can read your email, and email can often be used to reset your password on another web site that has your private information in it. It's bad enough that sites like Twitter ask for your Google password when creating an account. Google shouldn't make people think it's OK to give third-party sites your password by using a login screen like this. That's bad.

The Ugly

I have descended into a no-man's land on LiveJournal
I saw that LiveJournal supports OpenID and I thought I'd try it out. Their comment system looks fine, but then the integration with everything else is just a mess. I'm logged in, but I don't have an "account". The first thing I see when I log in is a link that says "Update your Journal" but when I click it, I get an error message saying that I don't have one. I can configure my account, and it says that it has emailed me instructions (I never got them) and gave me a helpfully random URL as my blog, which, when I click it, is just an error. LiveJournal makes OpenID look broken and hard to use :(

I admit, LJ gave me fair warning, "Our OpenID consumer support is very new. That is, external users logging in with their identity here will find some rough edges while we work on smoothing it all out."
This has been the state of affairs for months, though, and I'm surprised that they can't at least give me a link to somehow create the right kind of account.

If you know of any other really elegant uses of OpenID or OpenID design patterns, please email me, and I'll post whatever I collect later. You can also leave a comment on Reddit. You are welcome to leave a comment below, but you'll have to create an account and answer a captcha. Sorry about that ;)

1 comment:

  1. Interesting post. Have things improved? BTW, the image links appear broken to me.
