OAuth and OpenID: the good and the ugly
After a few weeks after I wrote my quite successful answer on Quora about OpenID, the issue appeared again now that Twitter announced more fine grained controls… but only on OAuth and my last harsh tweet I did after I read the good article by Gruber on OAuth triggered a nice response again on Twitter.
First: why are these two issues related in my mind? Because they are both partial solutions to the same underlying problems: identification and authorization, even if they belong to two different domains. OpenID is a way to gain login to multiple websites, while OAuth is a system to get privileges into another system. And they both used similar UX solutions to these slightly different problems.
When you stop looking at the technology and you start looking at human beings, you see that the only thing that I want to do when I use a new service, app or website is giving my credential and eventually grant some kind of access.
If in the physical world someone asks you to identify in some way, it’s because he needs that information to grant or ask you some kind of access. The two issues aren’t really different… except in this very specific – and I hope temporary – stage of the technology evolution.
The OAuth Experience
A normal login experience, the one that almost everyone experience today with Twitter, looks like this:
- The app asks you to login. You log in.
- The app goes on.
Instead, let’s see how a common OAuth process works. In its basic form, it’s 4 steps:
- The app shows you a button to login to the service you want to gain access for.
- A browser or a browser frame is opened on the service login page. You log in.
- Always in the browser, the service asks you to grant access to that app.
- You’re redirected back to the app, that now goes on.
Now, there are three issues here:
- The OAuth solution is longer than a default login. Usually this means going from 2 steps + 2 text inputs + 1 click + 1 load to 4 steps + 2 text inputs + 3 clicks + 3 loads. Almost 2x the actions and 3x the time.
- The OAuth solution isn’t native. You are forced to use a browser, either by redirect or overlay.
- 99% of the times I’m already using a device that *does* know who I am.
As you can see OAuth problem isn’t about technology. I really like all the principles that are behind OAuth, and the reasons pushing people to use it. The problem isn’t in the idea. The idea is good.
The problem is in the actual implementation, that is, OAuth.
But really, I don’t think I’m saying anything new. Just the two cited recently are John Gruber and Loren Brichter, but if you search you’ll find plenty of evidence. Even the ones defending OAuth are saying that there’s some work to do.
So why is this related to my rant on OpenID I linked above? And why did it get so much success?
The reason is that OpenID is different… but not so much. It involves almost the same annoying roundtrip to a third party server. And why? To give you access to a service. OAuth? It’s required to give you access to a service. The only difference is that for OpenID the authorization is given by a system that is designed purely to authenticate you, while for OAuth the system is also granting access to its data.
That said, the difference between OAuth and the standard login system is a huge leap forward, from a technical and security perspective. But…
The difference is nil, from a user perspective. It’s more a matter of trust. Trust is the reason why people are more and more choosing Twitter or Facebook to login… and get access to these systems. One click, and you usually are already logged in, so the annoying 4 steps sequence is reduced.
The small win would be redesign OAuth to allow a more streamlined solution. I really don’t know what this solution could be, but today it’s being won by Facebook (and maybe Twitter) because you are usually already logged in and it takes only one click, and also it motivates the developer to build it because it gives sharing possibilities (a motivation that lacks from Google and Yahoo login propositions).
The point I’m making since a long time ago is that it should be a service already provided at browser level. Or even system level. Our computer and our mobile phone already know who I am. It’s almost ridiculous having to identify yourself every time. It’s like living in a world where everyone constantly forgets about your face until you show them your passport.
I should be able to install a new app on my smartphone, grant access from a nice system interface, and that’s it.
I should be able to install a new software on my computer, grant access from a nice system interface, and that’s it.
I should be able to visit a website, grant access from a nice browser or system interface, and that’s it.
I’m also quite sure that after a few years this could be more secure and almost completely transparent, because it could be using a hidden complex cryptographic keys, not just password that could be forgotten, lost or guessed. And it could easily be an open standard, exchanging data with a nice URI protocol. I could be embedding my key in my wallet and bank account, so I’m safe even if an UFO lands on my home and erases my private key, I could get it back, revoke and re-generate it. In the future it might be able to scan my face or my fingerprint to grant me the first access.
But alwasy, under the hood.
As a user, my computer and my apps should just recognize me.