Saturday, April 4, 2009

Verifying OpenID works with Gmail, Blogger, and Eviscape

I tried using an OpenID to understand it more fully, and to see how well it works in practice. This initial foray involved Gmail, Blogger, and Eviscape, with Blogger being the OpenID provider. My experiments (shown later on in this blog post) seem to work for the most part, with the exception of a few productivity problems:
  1. Registration at new sites may (in the case of Eviscape) require you to add a site-specific password that is not needed since OpenID provides the authentication.
  2. After having logged into the main web site that manages the OpenID, ideally I should not have to even type in the OpenID itself when browsing to the other site that is aware of my OpenID. However, again in the case of Eviscape, I did have to type in the OpenID. It is a usability issue because the OpenID is a long URI, which will be cumbersome to type in or retrieve from some other page or text file (especially in my case, since I know I will not be able to remember it).
From my experimental scenarios below, this is what I believe the main requirement is for OpenID:
On a given browser session, when the user provides a single username and password, all other sites that are aware of that OpenID, should not then prompt redundantly for any password. If the user closes down the browser completely, and restarts the browser, the user should be required to provide the OpenID and associated password only once when logging into any of the sites previously mentioned, in that new browser session.
Below, I am also using Firefox 3 running on 32-bit Debian Linux on an IBM R51 laptop:

Scenario #1 (Registration with Eviscape prompted for an extra, unnecessary password):
  1. Log out completely from Gmail and Blogger, and close all browser tabs and windows open to any of those websites [1].
  2. Without being registered already with Eviscape, register using the OpenID.
  3. At some point in the registration, it prompts for a new password, so give a different password than the one associated with the OpenID provider [2]. This is unexpected behavior, since the registration should provide a way to specify that only the OpenID username and password are to be used, and not require the user to add a redundant password specific to that website.
  4. Finish registration.
  5. Log out of Eviscape.
  6. Log in to Eviscape.
  7. Type in the OpenID into the OpenID field.
  8. The site then prompts for the OpenID username and password. Supply them.
  9. The site is now authenticated, which is expected.
Comments: Not once did I have to provide the Eviscape-specific password that I was required to supply during Eviscape registration. Hence, that Eviscape-specific password is unnecessary and redundant. I do realize that the Eviscape login web page has text entry fields for the Eviscape-specific username and password, as well as the OpenID, so obviously they have to support both methods of authentication. But, given that I provided the OpenID, Eviscape should (during registration) offer an option to use the OpenID username and password exclusively, thus avoiding the prompt to create the extra username and password.

Scenario #2 (Initially logging into Eviscape, without being logged into any other sites, using my OpenID):
  1. Log out completely from Gmail, Blogger, and Eviscape, and close all browser tabs and windows open to any of those websites [1].
  2. Connect to the main Eviscape home page and enter the Blogger-provided OpenID.
  3. A new web page opens up requesting the Google account username and password [2]. Note that the Google account username is requested, and not the Blogger account name. That makes sense given that my Blogger account was set up to use my Gmail account name and password.
  4. Enter the Google account username and password.
  5. The site then prompts for the OpenID username and password. Supply them.
  6. The site is now authenticated, which is expected.


Scenario #3 (Does OpenID login with Eviscape seamlessly log me into Blogger?):
  1. Do Scenario #2.
  2. Open up a new browser tab, and browse to the Blogger site.
  3. Notice no password prompt is given and that Blogger shows that you are signed in. This scenario works as expected.


Scenario #4 (Does OpenID login with Eviscape seamlessly log me into Gmail?):
  1. Do Scenario #2.
  2. Open up a new browser tab, and browse to the Gmail site.
  3. Notice no password prompt is given and that Gmail shows that you are signed in. This scenario works as expected.


Scenario #5 (Does a Blogger non-OpenID login seamlessly authenticate Eviscape via OpenID?):
  1. Log out completely from Gmail, Blogger, and Eviscape [1].
  2. Connect to the main Blogger login page and enter the Google [2] username and password.
  3. Connect to the main Eviscape home page and enter in the Blogger-provided OpenID.
Note that I did not have to provide the Google username and password, but only had to provide the OpenID itself. This is mostly expected; however, it would be nice to not even have to type in the OpenID itself, but that is probably asking too much.

Footnotes:
  1. This forces these websites to not use existing authentication state that might be in the browser or on their respective servers.
  2. My OpenID provider is Blogger, and Blogger is managed by Google, so the OpenID username and password are equivalent to the Google username and password.
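To make the session behaviour seen in Scenarios #2, #3 and #5 concrete, here is an added Python model (my own simplified simulation, not code from this post, Blogger or Eviscape) of an OpenID provider and a relying party sharing one browser's cookie jar: the relying party accepts an HMAC-signed assertion instead of a password, and the provider prompts for its password only when its own session cookie is missing, so the number of prompts matches what the scenarios report. The account, password, OpenID URI, fixed association key and SHA-256 signature are constructed assumptions; a real OpenID 2.0 exchange negotiates the association and signs the openid.* fields with a base64-encoded MAC.

```python
import hashlib, hmac, secrets
CLAIMED_ID = "https://example-blog.blogspot.com/"              # constructed placeholder OpenID URI
OP_USERS = {"bg@gmail.com": ("google-password", CLAIMED_ID)}   # constructed OP account -> (password, OpenID)

def sign(mac_key, fields):
    """HMAC over the assertion in OpenID's key:value newline form (SHA-256 here for brevity)."""
    msg = "".join(f"{k}:{v}\n" for k, v in sorted(fields.items()))
    return hmac.new(mac_key, msg.encode(), hashlib.sha256).hexdigest()

class Provider:
    """OpenID provider (OP), e.g. Blogger/Google; shares mac_key with the RP via an association."""
    def __init__(self):
        self.mac_key, self.sessions, self.prompts = secrets.token_bytes(32), {}, 0
    def login(self, cookies, user, password):
        if OP_USERS.get(user, (None,))[0] != password:
            raise PermissionError("bad OP credentials")
        cookies["op"] = tok = secrets.token_hex(16)    # OP session cookie, independent of any RP
        self.sessions[tok] = user
    def checkid(self, cookies, claimed_id, creds=None):
        """checkid_setup: the OP password is prompted for only when the OP session cookie is missing."""
        if cookies.get("op") not in self.sessions:
            self.prompts += 1                          # the password prompt the post counts
            self.login(cookies, *(creds or ("", "")))  # nothing typed -> bad OP credentials
        if OP_USERS[self.sessions[cookies["op"]]][1] != claimed_id:
            raise PermissionError("OpenID not owned by this account")
        fields = {"mode": "id_res", "claimed_id": claimed_id, "nonce": secrets.token_hex(8)}
        return {**fields, "sig": sign(self.mac_key, fields)}

class RelyingParty:
    """Relying party (RP), e.g. Eviscape: trusts the signed assertion, never sees the OP password."""
    def __init__(self, op):
        self.op, self.mac_key, self.sessions, self.nonces = op, op.mac_key, {}, set()
    def login_with_openid(self, cookies, claimed_id, creds=None):
        a = self.op.checkid(cookies, claimed_id, creds)
        # pop() runs first (left-to-right), so the MAC is recomputed over the remaining signed fields
        if not hmac.compare_digest(a.pop("sig"), sign(self.mac_key, a)) or a["nonce"] in self.nonces:
            raise PermissionError("bad or replayed assertion")
        self.nonces.add(a["nonce"])
        cookies["rp"] = tok = secrets.token_hex(16)    # RP session cookie, separate from the OP's
        self.sessions[tok] = claimed_id

def run_scenarios():
    """Scenarios #2/#3, then #5, each in a fresh browser (closing the browser empties the cookies)."""
    op = Provider(); rp = RelyingParty(op)
    b1 = {}                                            # scenario #2: OpenID login at the RP first
    rp.login_with_openid(b1, CLAIMED_ID, ("bg@gmail.com", "google-password"))
    s2_3 = (op.prompts, b1.get("rp") in rp.sessions, b1.get("op") in op.sessions)
    b2 = {}                                            # scenario #5: log into the OP first
    op.login(b2, "bg@gmail.com", "google-password")
    rp.login_with_openid(b2, CLAIMED_ID)               # no credentials typed: the OP cookie suffices
    return s2_3, (op.prompts, b2.get("rp") in rp.sessions)   # ((1, True, True), (1, True))
```

The first tuple shows one password prompt and both sites signed in after the RP login (Scenarios #2 and #3); the second shows the prompt count unchanged when the OP session already exists (Scenario #5).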

6 comments:

  1. Hi Brent. That's certainly interesting feedback for the Eviscape team. :-) I've made a note of it over there/here: http://www.eviscape.com/evis/some-interesting-feedback-about-our-implementation-frjfszna/

    cheers,

    Simon.
  2. Thanks Simon. I hope my post is helpful to them.

    As this was my first foray into using OpenID, I bet there are conceptual errors in that post. I'm all ears if that is the case.

    bg
  3. Hi Brent! An Eviscape account is mandatory even though you have an OpenID. That's why you found it quite nagging, but it's useful too. Here on Eviscape we use an "Eviscape account - OpenID association" instead of a flat OpenID for authentication.
  4. Hi iapain,

    Yes, it is mandatory. But is it explained somewhere why the Eviscape-specific authentication is needed in addition to OpenID? Now, if Eviscape was set up that way from the beginning, and the OpenID authentication was added at a later date, I can see why you would want to keep the association, but I don't see why new users that have OpenIDs would need to go through the trouble of creating an Eviscape username and password that are separate from the OpenID's. It seems to me that doing so is asking for more information than is really needed in that case, and adds to users' confusion.
  5. Hi Brent! Thanks for your feedback. We're reviewing our OpenID policy and hopefully I'll convey the need to keep OpenID away from the registration form.

    We had a tough time unifying needs regarding OpenID and the Eviscape account. We've negotiated on some, and a lot more is to come. So in short you'll see dramatic changes regarding Eviscape OpenID as a relying party.
  6. Hi iapain,

    That is understandable given a large pre-existing user community.

    bg