OAuth is a great way to sidestep the dilemma of having to hand over passwords to third-party sites and apps to access user data. This is the primary reason the authentication method is fast becoming a de riguer part of today’s social APIs.
But while OAuth solves one problem, it creates another — it greatly raises the complexity of simple apps.
We’ve looked at the issue in the past, particularly with regard to Twitter’s transition to OAuth, which broke countless small scripts. The good news is that OAuth 2.0 is less complex than its predecessor and removes much of the headache for small developers. Unfortunately, OAuth 2.0 isn’t widely adopted yet, and it’s not quite ready for prime time.
But there is a solution for Twitter. SuperTweet was created by developer David Beckemeyer. The service sits between your script and Twitter, where it does the heavy lifting of OAuth for you. Even better, you don’t have to hand over your Twitter password to SuperTweet — instead, you create a password on the site, approve SuperTweet to access your Twitter account and then connect your script to SuperTweet.
The service isn’t meant for full-blown apps, nor does it support commercial uses. But for individuals and non-profits without the development resources to make the switch to OAuth 2.0, it can bring those simple Twitter scripts back to life.
Of course using SuperTweet means adding another potential failure point between your script and Twitter, but if you can live with that, using SuperTweet is easier than wading into OAuth’s waters.
Google is now letting any Yahoo users sign in to Google using OpenID, the company announced Tuesday.
When you’re signing up for a Google account, there’s now a new button you can click on that says “Verify by signing in at Yahoo.com.” Click it, and you’re sent to Yahoo, where you’re asked to allow Google and Yahoo to link up your accounts.
Tuesday’s development marks Google’s first attempt to be an OpenID relying party — a website that accepts OpenID logins from third-party providers. Also, this only works for Yahoo users for now, but Google says it’s going to start offering support for other OpenID providers soon.
On the surface, this may look like an attempt by Google to poach users away from Yahoo by making it even easier for them to switch. In fact, it’s a real-world example of the type of interoperability that OpenID has been promising to bring to the open web for some time.
Six Apart is shutting down its Vox blogging service. Users have until Sept. 30 to export their data to other services, including Six Apart’s TypePad blogging service. After that, Vox will be gone.
If you’ve got a Vox blog, there are several export options — Six Apart has instructions for moving to TypePad, Posterous and WordPress. There’s also an option to move your photos and videos over to Flickr.
Of course none of those services quite combine the privacy and small social network features that endeared Vox to users, but at least you can retrieve your content in some form.
The export options also make no mention of the fact that Vox is an OpenID provider, which means that, presumably, when your Vox URL is gone, your OpenID is gone with it. That means any site you’ve signed into using your Vox account will no longer let you sign in. In some cases that could mean a total loss of access to the third-party site — exactly the sort of thing OpenID is supposed to help prevent.
UPDATE: Six Apart vice president Michael Sippey responds to this issue in the comments. We’ve added it here:
Quick note. Vox will continue to serve as an OpenID provider through September 30. If a Vox user chooses to migrate their blog to TypePad, OpenID requests at the original Vox address will delegate to TypePad for authentication.
We know that shuttering a service is never easy on users; We’ve invested a lot of time and effort in making sure that there are tools in place to migrate content off of Vox, and that if folks are using Vox as their OpenID provider that there’s a solution in place for them.
If there’s a moral to Vox shutting down, it’s pretty simple: choose your OpenID provider with care. It would seem that the bigger the provider, the safer you are. Alternately you could be your own OpenID provider, ensuring that you retain control over your identity.
Six Apart’s blog does not give any reason for the shutdown, and the company did not respond to requests to comment on this story. However, it seems likely that Vox was simply supplanted by Facebook, Twitter and other, more popular means of sharing content with your web friends.
The social network landscape has also changed considerably since Vox launched in 2006. Much of the initial appeal of Vox — namely, its tightly controlled privacy — is less of a concern for many of today’s users.
Mozilla’s Weave Syncing tool, which syncs your personal data across multiple PCs and mobile devices, has graduated from Labs and is now and official part of the Firefox 4 roadmap.
Currently still an add-on, Weave Sync was recently re-named Firefox Sync. Soon, it won’t be an add-on at all as it’s destined to become a standard feature of the browser.
The final Labs release, version 1.3, is the first to be known by the new name Firefox Sync. The release also has a couple of new features, like a simplified sign-up and setup process and a new action that lets you access all your remote tabs by clicking a single button.
If you’d like to grab the latest version, head over to the new download page. As always, we recommend upgrading all instances of Firefox Sync before actually syncing your data.
By the time Firefox 4 rolls around (later this year or possibly early 2011) Firefox Sync will be just be a standard part of Firefox, no add-on required.
David Recordon, one of the key architects of OpenID and other identity technologies that have emerged over the past five years, has envisioned a new direction for OpenID.
His proposal, which was drafted with input from several people in the OpenID community, is called OpenID Connect. At the highest level, it essentially rebuilds OpenID on top of OAuth 2.0, combining the two popular open source systems for authenticating users and letting them share data with social websites and applications.
“OpenID Connect is an attempt to pull the best pieces of two separate technologies together, to create a single technology stack that’s simpler for everyone to use,” Recordon tells Webmonkey.
The proposed approach combines several interactions around logging in and sharing data with a website or application into one simple step. It also lets a user log in using either a profile URL, a blog URL or an e-mail address. Support for e-mail addresses as identifiers is a big step for OpenID, which currently requires you to type a URL — something that’s confusing to people who are used to typing a user name. Asking somebody to enter an e-mail address requires less of a psychological jump.
OpenID Connect hopes to broaden the technology’s reach as well. Unlike OpenID, it’s been designed to work equally well on every platform in your home: on the web, on the desktop and in mobile apps. “It could even work on your XBox,” Recordon says.
Both OpenID and OAuth have seen wide adoption across social sites and applications over the last couple of years, but both still suffer from various problems of usability (for people trying to log in) and complexity (for publishers who are trying to implement them). This is mostly due to the fact that the two technologies weren’t developed concurrently, and that they were developed for different use cases.
Many of the complexity problems in OAuth were solved by the creation of OAuth 2.0 earlier this year. OAuth 2.0 hasn’t been finalized, but it’s already been adopted by Facebook in its Open Graph API, and by Twitter in @anywhere. OpenID, however, hasn’t been updated since 2007. Three years is an eternity on the web, especially in the mobile space, which has seen the massive growth of the mobile web and the quick proliferation of mobile apps with social networking built in.
Also, the technologies serve two different purposes. OpenID is a way of proving to a server that you are who you say you are, and OAuth is a way of providing an application access to information such as your photos or your address book through web APIs.
“Instead of saying identity and APIs were different things, we wanted to build them together and make them work together,” Recordon says. “This is a smart combination of OpenID and OAuth pieces.”
The idea of OpenID Connect evolved naturally from the work being done by Recordon and his colleagues in the OpenID Foundation, the non-profit that develops and popularizes the technology. Others involved in the creation of this new proposal include Chris Messina, who works at Google and drafted a similar idea earlier this year, and Eran Hammer-Lahav from Yahoo, who recently posted an overview of the improvements in OAuth 2.0. Recordon, who is an engineer at Facebook, just stitched together the pieces and drafted the proposal.
Chris Messina is quick to point out that OpenID Connect is just an idea at this point, not a spec or a complete draft.
“David’s document is a strawman in a very intentional way,” he says. “It is not complete. It’s a starting point. The goal is to start a conversation versus saying, ‘this is a solution.’”
OAuth is a great way to sidestep the dilemma of having to hand over passwords to third-party sites and apps to access user data. This is the primary reason the authentication method is fast becoming a de riguer part of today’s social APIs.
Browse Our Tutorials
Cheat Sheets
Color Charts
Cut & Paste Code