Late last week, Plaxo and Google unveiled an implementation – currently in limited testing mode – of OpenID and OAuth working together to create an improved user experience. In essence, the implementation affects Gmail users receiving invites to join Plaxo Pulse. They call this a “hybrid approach,” and I think it will have a significant impact because it greatly simplifies the flow.
Plaxo created a custom landing page, based on knowing that the user received the invite at a Gmail address, which means that the user has a Google account, which in turn means that the user also has an OpenID. (It wasn’t clear to me if the landing page is triggered by a query string parameter or a wholly different URL embedded in the invite itself, or by a referrer check or the like.)
Given that knowledge, the landing page offers just two choices: one big button labeled “Sign up with my Google Account” and a non-graphic link which says “Or, use another address.”
If the user clicks “Sign up with my Google Account,” they get the optimized flow: a single consent page served by Google that tells the user what they are being asked to approve, namely releasing their Gmail address to Plaxo and allowing Plaxo to access their Google contacts.
What’s great about it is that when the user accepts, they’ve used OpenID to authenticate to Plaxo based on their Google Account, and they’ve used OAuth to authorize Plaxo to access their Google contacts – but the process never mentions either standard. It’s two great things which are even better working together, and it creates a better user experience.
Technology, like design, is at its best when it disappears.
Of course, similar kinds of behavior can be accomplished through Facebook Connect – but the difference in this case is that both Plaxo and Google are big supporters of the concept of the “open stack.” All the technologies involved are open, in the sense that they can be implemented by any party (and in fact have associated open source libraries in multiple languages to ease that implementation). To top it off, the whole implementation itself is being released as an open source project called step2.
This means that the same approach – requesting an OAuth request token for some particularly scoped functionality (Google contacts access in this example), pre-approved on the provider’s consent page, as part of an OpenID authentication exchange, and then exchanging it for an access token over ordinary OAuth – can be (and most certainly will be) used by Plaxo with other webmail providers, by Google with other social networks / membership sites, and in contexts where neither Google nor Plaxo have any involvement.
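To make the mechanics of that combined exchange concrete, here is an added example that is not code from the original post or from the step2 project. It shows the relying party’s OpenID checkid_setup request carrying the OAuth extension parameters, a constructed positive assertion from the provider that carries the pre-approved request token, and the relying-party checks on that assertion. The parameter names (openid.ns.oauth, openid.oauth.consumer, openid.oauth.scope, openid.oauth.request_token) follow the OpenID OAuth Extension draft published with step2; the endpoints, consumer key, scope string, association handle and secret are all made-up placeholders, and the space-separated scope format is an assumption.

```python
"""Added example: OpenID/OAuth hybrid exchange. Not code from the post or step2.
Every endpoint, key, scope and secret below is a constructed placeholder."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Hypothetical deployment values (not real endpoints or credentials).
OP_ENDPOINT = "https://op.example.com/openid"
RETURN_TO = "https://rp.example.com/openid/return"
REALM = "https://rp.example.com/"
CONSUMER_KEY = "rp.example.com"                   # RP's OAuth consumer key
SCOPE = "https://www.google.com/m8/feeds/"         # contacts-style scope, as in the post
ASSOC_HANDLE = "assoc-123"
ASSOC_SECRET = b"constructed-association-secret"   # HMAC-SHA256 association with the OP

REQUIRED_SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle")


def build_auth_request():
    """URL the RP redirects the browser to. The openid.oauth.* fields ask the
    OP to hand back a request token for SCOPE, approved on its consent page."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": RETURN_TO,
        "openid.realm": REALM,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.oauth": OAUTH_EXT_NS,
        "openid.oauth.consumer": CONSUMER_KEY,
        "openid.oauth.scope": SCOPE,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def _sign(fields, signed):
    """OpenID 2.0 signature: HMAC over the key-value form of the signed fields."""
    try:
        kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    except KeyError as e:
        raise ValueError(f"signed field missing from message: {e}")
    mac = hmac.new(ASSOC_SECRET, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_positive_assertion(request_token="rt-abc", sign_oauth_fields=True):
    """Constructed id_res message the OP sends after the user consents.
    sign_oauth_fields=False models an OP that leaves the extension fields
    outside openid.signed; the RP must refuse to use such a token."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": "https://op.example.com/id/alice",
        "openid.identity": "https://op.example.com/id/alice",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2009-01-26T12:00:00Zabc123",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.oauth": OAUTH_EXT_NS,
        "openid.oauth.request_token": request_token,
        "openid.oauth.scope": SCOPE,
    }
    signed = list(REQUIRED_SIGNED)
    if sign_oauth_fields:
        signed += ["ns.oauth", "oauth.request_token", "oauth.scope"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = _sign(fields, signed)
    return fields


def return_url_for(fields):
    """How the OP's redirect back to return_to looks on the wire (constructed)."""
    return RETURN_TO + "?" + urlencode(fields)


def fields_from_return_url(url):
    """Parse the openid.* parameters the browser brings back to the RP."""
    return dict(parse_qsl(urlparse(url).query))


def rp_verify(fields, wanted_scope=SCOPE):
    """RP-side check. Returns (claimed_id, request_token) or raises ValueError.
    Signature is checked against the stored association; an RP without one
    would use check_authentication at the OP instead."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if fields.get("openid.return_to") != RETURN_TO or fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        raise ValueError("return_to or association mismatch")
    signed = fields.get("openid.signed", "").split(",")
    missing = [f for f in REQUIRED_SIGNED if f not in signed]
    if missing:
        raise ValueError(f"core fields not signed: {missing}")
    if not hmac.compare_digest(_sign(fields, signed), fields.get("openid.sig", "")):
        raise ValueError("bad signature")
    # The OP may use any alias for the extension namespace; locate it by value.
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == OAUTH_EXT_NS), None)
    if alias is None:
        raise ValueError("response carries no OAuth extension")
    # Only trust extension values the OP's signature actually covers.
    for f in (f"ns.{alias}", f"{alias}.request_token", f"{alias}.scope"):
        if f not in signed:
            raise ValueError(f"{f} is outside openid.signed")
    if wanted_scope not in fields[f"openid.{alias}.scope"].split():
        raise ValueError("granted scope does not cover the requested scope")
    return fields["openid.claimed_id"], fields[f"openid.{alias}.request_token"]


if __name__ == "__main__":
    print(build_auth_request())
    print(rp_verify(fields_from_return_url(return_url_for(op_positive_assertion()))))
```

The request token that rp_verify returns is not yet usable for API calls: the relying party still has to exchange it for an access token at the provider’s OAuth access-token endpoint, signing that request with its consumer secret, which is plain OAuth and not shown here. The two checks worth copying are that the extension fields are read only after the OpenID signature verifies and only when they are listed in openid.signed (a token that arrives unsigned could have been injected by whoever controls the browser), and that the granted scope is compared against the one requested.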
For more info:
- Plaxo Blog post – “Introducing Two-Click Signup“
- Google Data APIs blog post – “Bringing OpenID and OAuth Together“
- Watch Google and Plaxo developers discuss the integration on Episode 26 of Social Web TV (and then subscribe to watch the whole series – unfortunately not yet compatible with Miro so you have to go to the site to watch)
- Check out the step2 project on Google Code
- Google’s Federated Login API may be the simplest way to add OAuth and OpenID interaction with Google