Doing OpenID right

So, everyone* is now accepting OpenID for authentication. 

But in doing so, many sites are actually hurting OpenID and themselves.
Here's why: they've integrated it badly.

There are obviously many parts of an OpenID integration people can fuck up, but here are the three common cases:

#1 Your login page shoves a large OpenID text box right into your user's face.
It then goes on to explain at length what OpenID is, etc., yadda.

This is plainly wrong for two good reasons:
a) your site breaks user expectations of a login page (where are the username and password boxes?)
Live example of doing it wrong: stackoverflow. They also get bonus points for listing Google as the first provider while apparently not having read Google's freely available research on UI design for OpenID.
(You should understand that most users out there have an account with one of the large providers and don't host their own OpenID stuff. Really.)

b) no ordinary user cares about OpenID.
This is just a simple fact of life. Users want to get things done, not think about some cool whizzbang technology your site's using to make your life simpler. They do care a lot about you making their lives easier, though - so let's move on to case #2 and see what that means.


#2 Your site uses OpenID only for authentication.
OpenID can do so much more for you and your users, please actually use it.

Authentication is probably the number one reason for implementing OpenID. Yep, it makes your life easier: you (as a site operator) no longer need to store user credentials and keep them safe and so on. But why stop there?
In the same request you make to authenticate your users, you can also request profile data (if it's available), like an email address, a nickname, the user's real name, etc. Obviously not every OpenID provider will have this info, but if it does and you use it to pre-fill user profiles on your site, your users will thank you.

Again, stackoverflow is a nice example of doing this completely wrong.
Their welcome screen for new users:
[image: stackoverflow-openid-signup.png]
Yep, a scary "are you sure you want to create a new account" page, instead of asking users how they would like to appear on the site rather than as "unknown <providername>". Really: the way to go for creating new users is to ask about profile data and provide a (small) link to merge with an existing account.


#3 Your site requires separate logins across sister sites.

This obviously only applies to you if you have sister sites, but you probably do if you're targeting multiple countries or multiple interest groups.

Yep, there are OpenID providers (like Google) out there which will give you per-realm tokens. And this is good (privacy, you know). But this is not something you want to slam into your user's face. It's your site's problem, so solve it.

And it's easy to solve: use a central realm, probably your main site (e.g. "amazon.com" if you were Amazon and ran amazon.(com|co.uk|de|fr)), for logging in. That way you get a single token per user and are done with it.
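Points #2 and #3 in one Python sketch, as an added example (not code from this post, and not any real site's implementation): a single OpenID 2.0 checkid_setup request that asks for both authentication and Attribute Exchange profile data against one central realm, plus the response parser that pre-fills a profile only from attributes the provider actually signed. The provider endpoint, realm, return URL and the response are constructed; the type URIs are the public axschema.org ones.

```python
from urllib.parse import parse_qs, urlencode
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_TYPES = {  # axschema.org types worth pre-filling a new profile with
    "email": "http://axschema.org/contact/email",
    "firstname": "http://axschema.org/namePerson/first",
}
def build_checkid_request(op_endpoint, realm, return_to):
    """Authenticate and fetch profile data in one request. openid.realm is the
    central site, so a per-realm provider returns one identifier for every sister site."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        # identifier_select lets the provider choose which identity to assert
        "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to, "openid.realm": realm,  # return_to must be inside realm
        "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
        "openid.ax.required": ",".join(AX_TYPES),
    }
    for alias, type_uri in AX_TYPES.items():
        params[f"openid.ax.type.{alias}"] = type_uri
    return op_endpoint + "?" + urlencode(params)

def ax_attributes(response_query):
    """AX values from an id_res response keyed by type URI (the OP may rename aliases),
    taking only fields in openid.signed; the caller is assumed to have verified the signature."""
    q = {k: v[0] for k, v in parse_qs(response_query).items()}
    signed = {"openid." + f for f in q.get("openid.signed", "").split(",")}
    ns_alias = next((k[len("openid.ns."):] for k, v in q.items()
                     if k.startswith("openid.ns.") and v == AX_NS), None)
    if ns_alias is None or q.get(f"openid.{ns_alias}.mode") != "fetch_response":
        return {}
    type_prefix, found = f"openid.{ns_alias}.type.", {}
    for key, type_uri in q.items():
        if key.startswith(type_prefix):
            value_key = f"openid.{ns_alias}.value." + key[len(type_prefix):]
            if key in signed and value_key in signed and value_key in q:
                found[type_uri] = q[value_key]  # unsigned attributes are dropped
    return found
# Constructed response, not real traffic: alias "ext1", last name left unsigned.
SAMPLE_RESPONSE = urlencode({
    "openid.ns": OPENID_NS, "openid.mode": "id_res",
    "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.c1": AX_TYPES["email"], "openid.ext1.value.c1": "alice@example.com",
    "openid.ext1.type.c2": AX_TYPES["firstname"], "openid.ext1.value.c2": "Alice",
    "openid.ext1.type.c3": "http://axschema.org/namePerson/last", "openid.ext1.value.c3": "Mallory",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
                     "ns.ext1,ext1.mode,ext1.type.c1,ext1.value.c1,ext1.type.c2,ext1.value.c2",
})
```

Run `ax_attributes(SAMPLE_RESPONSE)` to see the unsigned last name dropped while email and first name come through keyed by their type URIs.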


* obviously greatly exaggerated, but the time to solve these problems is now.