Archive for the ‘Identity’ Category

File Under: Identity, Social, Web Standards

New ‘OpenID Connect’ Proposal Could Solve Many of the Social Web’s Woes

David Recordon, one of the key architects of OpenID and other identity technologies that have emerged over the past five years, has envisioned a new direction for OpenID.

His proposal, which was drafted with input from several people in the OpenID community, is called OpenID Connect. At the highest level, it essentially rebuilds OpenID on top of OAuth 2.0, combining the two popular open standards: one for authenticating users (OpenID) and one for letting them authorize social websites and applications to access their data (OAuth).

“OpenID Connect is an attempt to pull the best pieces of two separate technologies together, to create a single technology stack that’s simpler for everyone to use,” Recordon tells Webmonkey.

The proposed approach combines several interactions around logging in and sharing data with a website or application into one simple step. It also lets a user log in using either a profile URL, a blog URL or an e-mail address. Support for e-mail addresses as identifiers is a big step for OpenID, which currently requires you to type a URL — something that’s confusing to people who are used to typing a user name. Asking somebody to enter an e-mail address requires less of a psychological jump.

OpenID Connect hopes to broaden the technology’s reach as well. Unlike OpenID, it’s been designed to work equally well on every platform in your home: on the web, on the desktop and in mobile apps. “It could even work on your XBox,” Recordon says.

Both OpenID and OAuth have seen wide adoption across social sites and applications over the last couple of years, but both still suffer from various problems of usability (for people trying to log in) and complexity (for publishers who are trying to implement them). This is mostly due to the fact that the two technologies weren’t developed concurrently, and that they were developed for different use cases.

Many of the complexity problems in OAuth were solved by the creation of OAuth 2.0 earlier this year. OAuth 2.0 hasn’t been finalized, but it’s already been adopted by Facebook in its Open Graph API, and by Twitter in @anywhere. OpenID, however, hasn’t been updated since 2007. Three years is an eternity on the web, especially in the mobile space, which has seen the massive growth of the mobile web and the quick proliferation of mobile apps with social networking built in.

Also, the technologies serve two different purposes. OpenID is a way of proving to a website that you are who you say you are (authentication), while OAuth is a way of granting an application limited access to information such as your photos or your address book through web APIs without handing over your password (delegated authorization).

“Instead of saying identity and APIs were different things, we wanted to build them together and make them work together,” Recordon says. “This is a smart combination of OpenID and OAuth pieces.”

The idea of OpenID Connect evolved naturally from the work being done by Recordon and his colleagues in the OpenID Foundation, the non-profit that develops and popularizes the technology. Others involved in the creation of this new proposal include Chris Messina, who works at Google and drafted a similar idea earlier this year, and Eran Hammer-Lahav from Yahoo, who recently posted an overview of the improvements in OAuth 2.0. Recordon, who is an engineer at Facebook, just stitched together the pieces and drafted the proposal.

Chris Messina is quick to point out that OpenID Connect is just an idea at this point, not a spec or a complete draft.

“David’s document is a strawman in a very intentional way,” he says. “It is not complete. It’s a starting point. The goal is to start a conversation versus saying, ‘this is a solution.’”

Update: Be sure to read Messina’s follow-up post on his blog.


File Under: Identity, Programming

To See How OpenID Can Work Well, Look at Stack Overflow

OpenID, the decentralized identity system that dispenses with usernames and passwords in favor of a single, portable web identity, promises to eventually change the way we log in to our favorite websites.

While OpenID holds great promise, the reality today is that users sometimes don’t understand it. It’s an entirely different experience than a traditional login, so it can be confusing, and the user experience varies radically from site to site.

OpenID is, frankly, a work in progress. But, as developer Jeff Atwood recently wrote on the Stack Overflow blog, “I would rather be part of the solution than yet another brick in the wall of the problem… even if it involves a tiny bit of short-term friction.”

Atwood goes on to give an interesting developer perspective on what it’s been like to use OpenID on Stack Overflow. Stack Overflow is an interesting case study since OpenID is the only way to create an account at the site (you can use Stack Overflow without creating an account, but there’s no way to sign up using a traditional username/password).

In other words, Atwood and company made a big bet on OpenID, and for the most part it appears to be paying off. Here are some key points for developers that Atwood pulls from Stack Overflow’s OpenID experiences:

  • Google is by far the largest OpenID provider at 61% of all registered accounts
  • The change from “enter your OpenID URL” to “click the logo of the company that provides your identity” is a huge usability improvement (I’d disagree with this one, if anything, Chris Messina’s OpenID Connect proposal seems more like the future of the OpenID UI.).
  • Support for multiple OpenID providers is key, since it gives your users the ability to change OpenID identities whenever they want. This is important, as their current OpenID provider could disappear, locking them out of their account.
  • The OpenID protocol itself can be implemented in unusual or incomplete ways by different providers. Atwood points to specific problems in the way Google handles OpenIDs for Gmail accounts, which require Stack Overflow to request your e-mail address as a kind of fingerprint for your OpenID.
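The last two points above (let users attach more than one OpenID to an account, and fall back to the provider-asserted e-mail address when a provider hands back an unfamiliar identifier) are easy to get wrong in a way that lets an attacker take over accounts. The following is an added example, not Stack Overflow's code, of a relying-party account store that does both safely. The provider names, OpenID identifiers and e-mail addresses in it are constructed for the demo; the one security rule it enforces is that an e-mail address only counts as a linking key when it comes from a provider on an allow-list of providers known to verify e-mail ownership, since anyone can run an OpenID provider that asserts any address.

```python
"""
Added example (not Stack Overflow's code): a relying-party account store that
links several OpenID identifiers to one account and, for providers known to
verify e-mail ownership, uses the asserted e-mail as a fallback key when the
provider returns an identifier we have not seen before.  Provider names,
identifiers and e-mail addresses are constructed for the demo.
"""


class AccountStore:
    def __init__(self, email_verifying_providers):
        # Providers whose e-mail assertions we accept as proof of ownership.
        # Anyone can stand up an OpenID provider that asserts any e-mail
        # address, so e-mail is only a safe fallback for an allow-listed one.
        self.email_verifying_providers = set(email_verifying_providers)
        self.accounts = {}   # account_id -> {"openids": set(), "email": str or None}
        self.by_openid = {}  # claimed identifier -> account_id
        self.by_email = {}   # lower-cased e-mail -> account_id
        self._next_id = 1

    def login(self, claimed_id, provider, email=None):
        """Return (account_id, action); action is 'matched', 'linked' or 'created'."""
        # 1. Exact identifier match: the normal case.
        if claimed_id in self.by_openid:
            return self.by_openid[claimed_id], "matched"
        key = email.lower() if email else None
        trusted_email = key is not None and provider in self.email_verifying_providers
        # 2. Unfamiliar identifier, but a trusted provider vouches for an
        #    e-mail we already know: attach the new identifier to that account.
        if trusted_email and key in self.by_email:
            account_id = self.by_email[key]
            self.link(account_id, claimed_id)
            return account_id, "linked"
        # 3. Otherwise create a fresh account.  The e-mail is recorded as a
        #    future linking key only when it came from a trusted provider.
        account_id = self._next_id
        self._next_id += 1
        self.accounts[account_id] = {"openids": set(), "email": None}
        self.link(account_id, claimed_id)
        if trusted_email:
            self.accounts[account_id]["email"] = key
            self.by_email[key] = account_id
        return account_id, "created"

    def link(self, account_id, claimed_id):
        """Attach another OpenID to an account; refuse one owned by a different account."""
        owner = self.by_openid.get(claimed_id)
        if owner is not None and owner != account_id:
            raise ValueError("identifier already belongs to another account")
        self.accounts[account_id]["openids"].add(claimed_id)
        self.by_openid[claimed_id] = account_id

    def unlink(self, account_id, claimed_id):
        """Detach an OpenID, but never the last one: that would lock the user out."""
        openids = self.accounts[account_id]["openids"]
        if claimed_id not in openids:
            return False
        if len(openids) == 1:
            raise ValueError("cannot remove the only identifier on an account")
        openids.remove(claimed_id)
        del self.by_openid[claimed_id]
        return True


if __name__ == "__main__":
    store = AccountStore(email_verifying_providers={"google"})
    # Constructed identifiers: a directed-identity provider may hand the same
    # user a different identifier than the one they registered with.
    print(store.login("https://www.google.com/accounts/o8/id?id=alice-1", "google", "alice@example.com"))
    print(store.login("https://www.google.com/accounts/o8/id?id=alice-2", "google", "alice@example.com"))
    # An untrusted provider asserting the same e-mail gets a separate account.
    print(store.login("https://evil.example/openid/mallory", "evil.example", "alice@example.com"))
```

The third call is the case to watch: without the allow-list check, a hostile provider asserting `alice@example.com` would be linked straight into Alice's account.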

The Stack Overflow crew seems to be happy with its OpenID-only account system. It’s worth noting that Stack Overflow obviously attracts users with a higher-than-average tech savviness, but the lessons Atwood details are relevant even if OpenID is only one of your site’s many sign-in methods.


File Under: Events, Identity, Social

Twitter Switches on @Anywhere

This is an @anywhere hovercard

SAN FRANCISCO, California — Twitter’s @anywhere features are now live for developers to start using, the company has announced.

Developers can begin using the system to integrate different kinds of Twitter engagement directly into their sites or apps. You can find details about it at the new Twitter developer site (which also launched Wednesday) at

@Anywhere basically provides a way to let Twitter users follow other people and send tweets directly from within your web page or app.

The key component is the “hovercard” — you’ve seen them on the Twitter website for the last month or so. Any time you see somebody’s Twitter handle mentioned, you can hover over that person’s handle and a little window pops up showing their profile photo, location, short bio, number of followers, and — the key part — a “Follow” button you can click and add them to your follow list right there, without leaving the page.

The announcement was made by Twitter’s head of platform Ryan Sarver at Chirp, the company’s developer conference happening here.

You can start dropping hovercards onto your site using “a few lines of JavaScript” (outlined on the documentation page at Twitter’s development site).

It’s interesting to see so much excitement around hovercards, which have a lot in common with hCard, the microformat standard for publishing and sharing contact information on the web. Microformats have been around for a while but they haven’t really been widely adopted, and it will be interesting to see if rebooting the idea on top of the Twitter platform, a social layer that makes them more accessible and relevant, will give new life to the concept.

The other components of @anywhere are the “Connect with Twitter” button (a remote sign-in system) and the Tweetbox, which you can embed in your page to let people send tweets directly from the page.

Sarver brought out some media partners to talk about how they’re deploying @anywhere features. There were some impressive presentations from The New York Times, Yahoo and MSNBC News. If you’re reading a story on one of their websites, you can see a hovercard when you hover over a journalist’s name and start following them immediately.

One other announcement from Sarver: Twitter is turning on an as-yet-undocumented feature called Annotations this week. It allows developers to add any kinds of metadata they want to tweets. The obvious one is content-specific tags, but we should see other implementations of Annotations when developers start playing with them at the Chirp Hack Day taking place tonight and Thursday.

File Under: Identity, Social, Web Apps

Gmail Now More Secure With OAuth Support

Google has announced OAuth support for Gmail. The new feature means that third-party applications can now access your Gmail account without needing your username and password.

OAuth allows outside applications to access your Gmail account with a single click — you’ll be redirected to Gmail where you can approve (or reject) applications that want access to your contacts and mail. Twitter has had OAuth support for a while, so if you’ve ever given a third-party website or application the permission to post something to your tweet stream, you’ve used this type of interaction before.
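What makes the flow above safer than handing over a password is that, after the one-click approval, the third party holds only a token and proves possession of it by signing each API request. The block below is an added example, not Google's or Syphir's code, of that OAuth 1.0 signing step (RFC 5849, HMAC-SHA1) with both the client side that signs and the server side that verifies. The consumer key and secret, token and secret, and API URL are constructed for the demo; only the signing procedure is the real one.

```python
"""
Added example (not Google's or Syphir's code): OAuth 1.0 request signing with
HMAC-SHA1 as specified in RFC 5849, which is how a third party calls an API
with a token instead of the user's password.  Keys, tokens and the URL below
are constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def oauth_encode(value):
    # RFC 5849 3.6: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay bare.
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    # Scheme and host lower-cased, default ports dropped, query string removed.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(params):
    # Encode first, then sort by name and value, then join as name=value&...
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    return "&".join([method.upper(),
                     oauth_encode(base_string_uri(url)),
                     oauth_encode(normalize_params(params))])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    # Key is consumer secret and token secret, each encoded, joined by '&'.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side: build the oauth_* parameters for the Authorization header.

    `url` carries no query string; query parameters are passed in `query`
    because they are part of what gets signed.
    """
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, list(query.items()) + list(oauth_params.items()))
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


def verify_request(method, url, query, oauth_params, consumer_secret, token_secret):
    """Server side: recompute the signature over the received parameters.

    A real server also rejects stale timestamps and reused nonces so that a
    captured request cannot be replayed; that bookkeeping is omitted here.
    """
    presented = oauth_params.get("oauth_signature", "")
    unsigned = [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    base = signature_base_string(method, url, list(query.items()) + unsigned)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def authorization_header(oauth_params):
    # The parameters travel in the Authorization header; the user's password
    # is never part of the request at all.
    return "OAuth " + ", ".join(f'{oauth_encode(k)}="{oauth_encode(v)}"'
                                for k, v in sorted(oauth_params.items()))


if __name__ == "__main__":
    # Constructed credentials and endpoint for the demo.
    params = sign_request("GET", "https://api.example.com/contacts", {"max": "10"},
                          "app-key", "app-secret", "user-token", "token-secret")
    print(authorization_header(params))
    print(verify_request("GET", "https://api.example.com/contacts", {"max": "10"},
                         params, "app-secret", "token-secret"))
```

Two details matter in practice: the query parameters are inside the signature, so a proxy that rewrites `max=10` to `max=100` invalidates the request, and verification uses `hmac.compare_digest` rather than `==` so the server does not leak the expected signature through timing.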

At the moment OAuth support is a Google Labs feature. Interested developers can get an overview of the process on the Google Labs site.

The most obvious beneficiaries are social networking sites, which often want to import your address book so you can find your friends on the new site. Previously, that meant handing over your username and password, something savvy users were loath to do. Now, outside sites can grab your address data without forcing you to give away the keys to your e-mail account.

Perhaps more important in the long run, OAuth support also means that outside applications can interact with your mail. For the launch of OAuth support, Syphir has developed an iPhone application that allows you to apply complex filters to your mail and use those filters to push, for example, only messages from your boss on to your iPhone.

Unlike other push notification and Gmail apps in the iTunes Store, Syphir’s SmartPush never sees or stores your Gmail password thanks to the new OAuth support.

Other examples include Backupify, which will backup your Gmail account for safe, off-Google storage. Previously Backupify used traditional IMAP, which meant the site stored your username and password. Thanks to OAuth that’s no longer necessary.

Although OAuth is intended for webapps, it’s possible that desktop e-mail clients — like Mozilla’s Thunderbird — may also adopt the OAuth method.
