New ‘OpenID Connect’ Proposal Could Solve Many of the Social Web’s Woes
David Recordon, one of the key architects of OpenID and other identity technologies that have emerged over the past five years, has envisioned a new direction for OpenID.
His proposal, which was drafted with input from several people in the OpenID community, is called OpenID Connect. At the highest level, it essentially rebuilds OpenID on top of OAuth 2.0, combining the two popular open source systems for authenticating users and letting them share data with social websites and applications.
“OpenID Connect is an attempt to pull the best pieces of two separate technologies together, to create a single technology stack that’s simpler for everyone to use,” Recordon tells Webmonkey.
The proposed approach combines several interactions around logging in and sharing data with a website or application into one simple step. It also lets a user log in using either a profile URL, a blog URL or an e-mail address. Support for e-mail addresses as identifiers is a big step for OpenID, which currently requires you to type a URL — something that’s confusing to people who are used to typing a user name. Asking somebody to enter an e-mail address requires less of a psychological jump.
OpenID Connect hopes to broaden the technology’s reach as well. Unlike OpenID, it’s been designed to work equally well on every platform in your home: on the web, on the desktop and in mobile apps. “It could even work on your XBox,” Recordon says.
Both OpenID and OAuth have seen wide adoption across social sites and applications over the last couple of years, but both still suffer from various problems of usability (for people trying to log in) and complexity (for publishers who are trying to implement them). This is mostly due to the fact that the two technologies weren’t developed concurrently, and that they were developed for different use cases.
Many of the complexity problems in OAuth were solved by the creation of OAuth 2.0 earlier this year. OAuth 2.0 hasn’t been finalized, but it’s already been adopted by Facebook in its Open Graph API, and by Twitter in @anywhere. OpenID, however, hasn’t been updated since 2007. Three years is an eternity on the web, especially in the mobile space, which has seen the massive growth of the mobile web and the quick proliferation of mobile apps with social networking built in.
Also, the technologies serve two different purposes. OpenID is a way of proving to a server that you are who you say you are, and OAuth is a way of providing an application access to information such as your photos or your address book through web APIs.
“Instead of saying identity and APIs were different things, we wanted to build them together and make them work together,” Recordon says. “This is a smart combination of OpenID and OAuth pieces.”
The idea of OpenID Connect evolved naturally from the work being done by Recordon and his colleagues in the OpenID Foundation, the non-profit that develops and popularizes the technology. Others involved in the creation of this new proposal include Chris Messina, who works at Google and drafted a similar idea earlier this year, and Eran Hammer-Lahav from Yahoo, who recently posted an overview of the improvements in OAuth 2.0. Recordon, who is an engineer at Facebook, just stitched together the pieces and drafted the proposal.
Chris Messina is quick to point out that OpenID Connect is just an idea at this point, not a spec or a complete draft.
“David’s document is a strawman in a very intentional way,” he says. “It is not complete. It’s a starting point. The goal is to start a conversation versus saying, ‘this is a solution.’”
Update: Be sure to read Messina’s follow-up post on his blog.
Recordon plans to give a presentation about OpenID Connect on Monday at the Internet Identity Workshop, a quarterly meeting of social web engineers and deep thinkers taking place this week at the Computer History Museum in Mountain View, California.
One of the larger problems OpenID Connect is hoping to solve is one of adoption. Web publishers in particular haven’t warmed to OpenID, since it allows a user to log in to a website and leave a comment on a story, a blog post or a photo while essentially remaining anonymous to the publisher.
“In order to seed the adoption of OpenID, we need to make OpenID accounts more valuable,” Messina says.
That anonymous aspect has made OpenID less attractive to publishers who want to collect more data about their readers or interact with them — whether that means following them on Twitter, connecting with them on Facebook or sending them e-mail.
“Because of that, we haven’t had a really juicy carrot to provide to publishers to get them to adopt OpenID,” Messina says. “Why would they ditch the data access they have using traditional logins and move to OpenID when they get nothing in return? It’s a step backwards.”
OpenID Connect’s OAuth components would allow publishers to request more information from a user when they log in using OpenID, but do so in a way that lets the user maintain control and only grant access to the specific pieces of data they are comfortable sharing.
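The point in the paragraph above is the one a security engineer cares about: the publisher asks for several pieces of data at login, but the token it gets back can only unlock what the user actually approved. The following is an added illustration of that idea in Python, not code from the proposal or from any OpenID or OAuth library; the scope names, the user record and the in-memory token store are all constructed for the example, and the flow is deliberately reduced to the consent-and-check step (no redirects, no signatures).

```python
"""Constructed model of scoped consent at login.

A relying party requests identity plus several data scopes; the user approves
a subset; the resulting token is bound to that subset, so a later API call for
anything else is refused rather than quietly served.
"""
import secrets

# Hypothetical scope names, constructed for this example.
KNOWN_SCOPES = {"openid", "email", "photos", "contacts"}

# Constructed profile data held by the identity provider.
USER_DATA = {
    "alice": {
        "email": "alice@example.com",
        "photos": ["beach.jpg", "dog.jpg"],
        "contacts": ["bob", "carol"],
    }
}


class AuthorizationServer:
    """Issues opaque tokens and remembers which scopes each one carries."""

    def __init__(self):
        self._tokens = {}  # token -> (user_id, frozenset of granted scopes)

    def authorize(self, user_id, requested, user_consent):
        # Reject scopes the provider does not know about at all.
        unknown = set(requested) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        # The grant is the intersection of what was asked and what was approved.
        granted = frozenset(requested) & frozenset(user_consent)
        if "openid" not in granted:
            raise PermissionError("user declined to identify themselves")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user_id, granted)
        return token, granted

    def introspect(self, token):
        """Return (user_id, scopes) for a live token, or None."""
        return self._tokens.get(token)


class ResourceServer:
    """Serves profile data only when the token carries the matching scope."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def _check(self, token, scope):
        record = self._auth.introspect(token)
        if record is None:
            raise PermissionError("invalid token")
        user_id, scopes = record
        if scope not in scopes:
            raise PermissionError(f"scope '{scope}' not granted")
        return user_id

    def whoami(self, token):
        return self._check(token, "openid")

    def fetch(self, token, resource):
        user_id = self._check(token, resource)
        return USER_DATA[user_id][resource]


def login_flow():
    """Relying party asks for four scopes; the user grants two."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    requested = {"openid", "email", "photos", "contacts"}
    token, granted = auth.authorize("alice", requested,
                                    user_consent={"openid", "email"})
    result = {
        "granted": sorted(granted),
        "user": api.whoami(token),
        "email": api.fetch(token, "email"),
    }
    try:
        api.fetch(token, "photos")
        result["photos"] = "served"  # would indicate a broken scope check
    except PermissionError as exc:
        result["photos"] = f"denied: {exc}"
    return result


def declined_login():
    """A user who withholds the identity scope gets no token at all."""
    auth = AuthorizationServer()
    try:
        auth.authorize("alice", {"openid", "email"}, user_consent={"email"})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(login_flow())
```

The design choice worth noting is that the granted set is computed on the provider side from the intersection of request and consent, and the resource server consults the provider's record rather than trusting anything the client sends; a relying party that asks for more than it needs gets a token that simply cannot reach the rest.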
Another key problem OpenID Connect aims to solve is that of adopting a single protocol across multiple platforms — the web, the desktop, and mobile phones.
“OAuth 1.0 was originally created because OpenID didn’t work for desktop apps or dashboard widgets,” Messina says. “Increasingly, we’re seeing a need to make these things work in mobile and on the desktop.”
Most social client applications on mobile phones and on the desktop — like those that post status updates and photos to Twitter or Facebook — use OAuth to log you in. But it’s very tricky for them to add support for OpenID because OpenID was primarily designed for use on websites. The new proposal would allow apps on all platforms to use the same protocol to handle logins and access web APIs.
All of these developments tie into the main goal of OpenID Connect — to make adopting and using decentralized identity systems simpler.
Recordon points to the motivation behind creating OAuth 2.0 as providing the spark to innovate further on social protocols.
“There was a huge push in making OAuth 2.0 so much easier to use,” he says. “We then asked ourselves, ‘How do we make the rest of these technologies easier to use on the open web?’”
To get involved, you can join the public mailing list at email@example.com, or sign up for and attend the next Internet Identity Workshop, which runs from May 17 through 19, 2010 in Mountain View, California. There’s a fee for registration, and it varies between $75 for students and $450 for a last-minute 3-day pass. The date was recently moved so the IIW wouldn’t conflict with Google I/O.