I am trying to set up OpenID authentication on a mobile version of a site of mine (ASP.net MVC, dotnetopenid). When i tested it out earlier (Using WAP internet, Sony Ericsson w200i) it redirected to the provider OK but was very slow to start with, then failed completely due to what i suspect was a too large page.
Does anyone know a good way to implement OpenID for WAP users with a slow connection? Do any providers provide a specialised mobile page?
If OpenID is difficult to implement on a phone, are there any alternatives apart from username and password?
There are a couple problems that could happen on a mobile phone:
Request size: OpenID can at times carry a large payload. This might mean a large HTTP GET URL or a POST. Besides making it potentially a slow redirect, if either RP or OP implement OpenID poorly, it can cause the browser to actually abort the request, causing the user experience to break. (DotNetOpenId/DotNetOpenAuth is careful with the sizes of requests and jumping between GET and POST as needed). To mitigate this risk and speed things up, only use OpenID extensions you need and only request attributes you absolutely require.
Incomplete Javascript support: some RPs and OPs rely on Javascript support in the browser to assist in the redirect (particularly when POST is used). Some phones don’t support (enough) Javascript and this again will break the user experience. Most sites and libraries (including DotNetOpenAuth) mitigate this risk by displaying a “Continue” button the user can click if Javascript doesn’t work.
Other than that, there’s nothing really special about OpenID that should make OpenID on the phone not work. One thing to keep in mind though is due to the small form factor of phones, key entry is difficult, and so authentication cookies should probably last longer so users don’t have to login (whether with username+password or OpenID) as frequently. Also, it’s their personal phone, so it’s not as much of a security risk to keep them logged in as a shared computer.