OAuth is a great way to sidestep the dilemma of having to hand over passwords to third-party sites and apps to access user data. This is the primary reason the authentication method is fast becoming a de riguer part of today’s social APIs.

But while OAuth solves one problem, it creates another — it greatly raises the complexity of simple apps.

We’ve looked at the issue in the past, particularly with regard to Twitter’s transition to OAuth, which broke countless small scripts. The good news is that OAuth 2.0 is less complex than its predecessor and removes much of the headache for small developers. Unfortunately, OAuth 2.0 isn’t widely adopted yet, and it’s not quite ready for prime time.

But there is a solution for Twitter. SuperTweet was created by developer David Beckemeyer. The service sits between your script and Twitter, where it does the heavy lifting of OAuth for you. Even better, you don’t have to hand over your Twitter password to SuperTweet — instead, you create a password on the site, approve SuperTweet to access your Twitter account and then connect your script to SuperTweet.

The service isn’t meant for full-blown apps, nor does it support commercial uses. But for individuals and non-profits without the development resources to make the switch to OAuth 2.0, it can bring those simple Twitter scripts back to life.

Of course using SuperTweet means adding another potential failure point between your script and Twitter, but if you can live with that, using SuperTweet is easier than wading into OAuth’s waters.

See Also:

• Does OAuth’s Complexity Alienate Small Apps?
• Twitter Moves to OAuth: The OAuthcalypse Is Nigh
• Gmail Now More Secure With OAuth Support

OAuth is a great way to sidestep the dilemma of having to hand over passwords to third party sites and apps to access user data. This is the primary reason the authentication method is fast becoming a de riguer part of today’s social APIs. But, while OAuth solves one problem, it creates another — it greatly raises the complexity of simple apps.

OAuth assumes a particular use case — you are using a third party service that wants to access your data on some other service. Rather than handing over your username and password, OAuth has you log in to, for example, Twitter and then authorize, for example, Twitterific to access your data.

Where OAuth adds complexity is in the small developer use case, where “your app” and the user of your app are in fact just you — for example, a simple script that lives on your server, grabbing your Twitter stream and storing it on your own server. It’s much, much more difficult to hack up such a script using OAuth than it is with simple password authentication. The barrier to experimentation is astronomically higher with OAuth than with basic authentication.

As Microsoft’s Jon Udell points out on the O’Reilly Radar blog, this tradeoff — protected passwords at the expense of making development more complex — means that hacking together an quick experiment is now much more difficult.

Protecting passwords is good, and no one is arguing otherwise. But where OAuth fails is focusing on the application accessing data at the expense of the individual experimenting with their own data.

In the end, OAuth 2.0 may help ease that pain by offering a cryptography-free option for authentication that doesn’t require half a dozen redirects to get your own data. OAuth 2.0 is already being implemented by Facebook and Twitter, but it isn’t widely implemented on other sites, and it’s still a moving target — as evidenced by initiatives like OpenID Connect and step2, which extend OAuth by adding in elements from OpenID. In the mean time, hacking together a script to access Twitter or other popular OAuth-based APIs is no longer just a matter of quick, late night inspiration.

See Also:

• Twitter Moves to OAuth: The OAuthcalypse Is Nigh
• Gmail Now More Secure With OAuth Support
• OAuth Security Exploit Tests Limits of Open Web Standards

Twitter is killing support for basic user authentication in third-party apps on Tuesday morning, the company says. Instead, Twitter will now require all third-party app developers to use OAuth for user authentication.

This is a planned move Twitter first announced in December, and the company has posted a help page on its developer site with some resources meant to ease the transition to OAuth.

The Twitter API team has been dialing down the number of requests an app can make using the basic authorization method. That number will hit zero at 8AM Pacific time Tuesday.

Some bloggers have given the event the catchy name, “OAuthcalypse” — a bit of a mouthful, but so is “user authentication protocol” — the implication being that when basic authentication is switched off, it will break old software and leave users in the dark. But since Twitter has given developers ample warning of the change, the switch will only lock out a small number of apps.

Twitter’s move mirrors a broader trend on the social web, where basic authentication is being ditched for the more secure OAuth when services and applications connect user’s accounts.

In basic authentication, a website or app will say, “Hey, do you want to share whatever you’re doing here with your friends on Twitter? Give me your Twitter username and password and I’ll hook up your accounts.” By passing along your info, you’re giving that app or website unlimited access to everything in your Twitter account. Pretty dangerous, and not secure.

In OAuth authentication, the website or app will send you to Twitter where you sign yourself in, then Twitter will tell the website or app “Yeah, they are who they say they are.” The website or app only gains the ability to do certain things with your account — post, read, reply, search — while staying locked out from the more sensitive stuff.

The biggest advantage of OAuth is you don’t have to tell your Twitter password to anyone other than Twitter. Also, OAuth connections are token-based, so once a connection is established, you can change your Twitter password without having to re-enter it into the website or app.

The only disadvantage is that old apps that haven’t updated to use OAuth will stop working this week. All of the popular ones (Seesmic, Tweetdeck, etc.) have already updated.

Twitter has been recommending developers use OAuth as an authentication method for some time.

Almost all of the biggest social services, including Facebook and Yahoo, use OAuth to connect their social services together and to let users share photos, status updates and links in multiple places.

In fact, Facebook’s new Like buttons and its Social Graph API, launched in April, use the newer OAuth 2.0 to handle user authentication.

OAuth 2.0 is a simplified version of OAuth. Twitter plans to eventually move to OAuth 2.0 for its entire platform, and Tuesday’s switch is part of that broader transition.

Twitter was originally going to move to OAuth in June, but the transition was delayed because of the increased volume of tweets around the World Cup.

Real-time search link via Dave Winer

See Also:

• New ‘OpenID Connect’ Proposal Could Solve Many of the Social Web’s Woes
• Twitter Switches on @Anywhere
• Facebook Adopts Open Standard for User Authentication
• Gmail Now More Secure With OAuth Support

Cliqset completed a significant upgrade to its social sharing website Wednesday.

The site now fully integrates Twitter, and it has refined its aggregation system so you get a much more streamlined, easy-to-digest view of your friends’ activities across multiple social sites.

There are literally dozens of changes, both visible and behind-the-scenes, in the new Cliqset. We’ve been testing out the new version (the company is half-jokingly calling it “Cliqset 2.0″) since midday Tuesday, and we’ve found the site has been given a significant boost that makes its aggregation features both more usable and more useful. The changes should be appearing for everyone on Cliqset sometime Wednesday morning.

Cliqset is a social network in itself, complete with followers, status updates and media sharing. But its sweet spot is as an aggregation service. It funnels all of the posts from the people you follow on the web into one single stream. It pulls in Twitter tweets, photos from your Flickr contacts, posts from your Tumblr network, updates from your friends on Facebook, Google Buzz, Yelp, YouTube, Google Reader — Cliqset connects to over 80 services in all.

It sounds, looks and works a lot like FriendFeed. But unlike FriendFeed, which was acquired by Facebook last year and has largely stagnated since, Cliqset continues to innovate.

Here’s one really cool new innovation: When you’re following somebody across multiple social networks and aggregating their posts in one place, you’re going to get a lot of duplicates. The new Cliqset filters out those dupes.

“If somebody’s on three different networks, we’ll know that,” Cliqset co-founder Darren Bounds tells Webmonkey. “We’ll consolidate their posts, de-duplicate the posts, refine them.”

When Bounds says “refine,” he means that Cliqset includes image thumbnails whenever a link to an image is passed along, or an embedded video player whenever someone shares a video. Each status update also gets its own permalink with a larger image or full-size video player, making it look more like a real blog post.

The new Twitter integration runs deep. Cliqset has always connected to Twitter, but now the company has re-written its API to connect directly with the Twitter API.

A persistent search in Cliqset: You get results from multiple sites like Delicious, Vimeo, Twitter and Google Reader all mixed together.

You can post updates, @replies, direct messages or messages to groups of Twitter users from a single text area at the top of the page. It’s just like composing an e-mail: You can address your tweet to as many different recipients as you want and add attachments.

Searching is enhanced as well. You can save persistent searches (which hit both the Twitter Search API and the entire Cliqset ecosystem) and filter the results.

Sure, there are already a handful of excellent desktop Twitter clients that do many of the same things. Cliqset even makes a social client for the desktop, which is being phased out.

Bounds says Cliqset isn’t trying to be just another conduit to Twitter.

“When you’re interacting with somebody here, there’s no differentiation as to whether this person is on Twitter or Cliqset or not,” he says. “We want to blur the line between what is Cliqset and what is the web.”

Indeed, you can use Cliqset to search for new people to follow, manage your lists of who you follow, and interact with others, all regardless of which social network they’re on. Since Cliqset connects to all the majors, it just adds them to your master list, and you see their updates mixed in with everyone else, from everywhere else. Comments and @replies blend together, more closely resembling a real-time chat.

“We don’t feel users should have to know or care about what service the people they want to interact with are on,” Bounds says.

This relaunch integrates Twitter, but Bounds says Facebook and Google Buzz are next on his short list.

“We really want an open, standards-based social web with total interoperability, a completely transparent, blended experience,” he says.

That’s a lofty goal, but it’s within reach, mostly thanks to the many emerging open standards on the social web. It’s here that Cliqset is going all-in, using several of these new protocols to connect everything.

Cliqset integrated Activity Streams in its last relaunch, and it republishes all the actions it aggregates in the Activity Streams format. In this version, Cliqset is using OAuth 2.0 to connect to Facebook and to Twitter. It has also implemented Salmon to publish comments and other interactions back to external services.

You can save customized, curated streams (I have two, named “Music” and “Web Dev”) within Cliqset where you can dump relevant tweets, links and blog posts. Cliqset takes that custom stream, generates an Atom version of it, and republishes it using PubSubHubbub. So, others can subscribe to those streams anywhere on the open web and get updates about those topics in real time.

Foursquare is now a supported service, and you can check in with Cliqset using HTML5 Geolocation through the browser.

To give the new Cliqset a try, head over and create an account. You can connect using Facebook and Twitter (both new options) or a Google or Yahoo account. Cliqset still supports OpenID, though this option isn’t exposed in the new-user sign-up dialog. They don’t want to scare anyone away, maybe? Once you’re logged in, you can connect almost every social web service to your Cliqset account.

If you’re not familiar with aggregators, or if you’re new to Cliqset, this video should help demystify the experience.

Cliqset: Getting started from cliqset on Vimeo.

See Also:

• Cliqset Relaunches, Joins the Real-Time Streaming Club
• Cliqset Debuts a Desktop App for the Real-Time Web
• New ‘OpenID Connect’ Proposal Could Solve Many of the Social Web’s Woes

David Recordon, one of the key architects of OpenID and other identity technologies that have emerged over the past five years, has envisioned a new direction for OpenID.

His proposal, which was drafted with input from several people in the OpenID community, is called OpenID Connect. At the highest level, it essentially rebuilds OpenID on top of OAuth 2.0, combining the two popular open source systems for authenticating users and letting them share data with social websites and applications.

“OpenID Connect is an attempt to pull the best pieces of two separate technologies together, to create a single technology stack that’s simpler for everyone to use,” Recordon tells Webmonkey.

The proposed approach combines several interactions around logging in and sharing data with a website or application into one simple step. It also lets a user log in using either a profile URL, a blog URL or an e-mail address. Support for e-mail addresses as identifiers is a big step for OpenID, which currently requires you to type a URL — something that’s confusing to people who are used to typing a user name. Asking somebody to enter an e-mail address requires less of a psychological jump.

OpenID Connect hopes to broaden the technology’s reach as well. Unlike OpenID, it’s been designed to work equally well on every platform in your home: on the web, on the desktop and in mobile apps. “It could even work on your XBox,” Recordon says.

Both OpenID and OAuth have seen wide adoption across social sites and applications over the last couple of years, but both still suffer from various problems of usability (for people trying to log in) and complexity (for publishers who are trying to implement them). This is mostly due to the fact that the two technologies weren’t developed concurrently, and that they were developed for different use cases.

Many of the complexity problems in OAuth were solved by the creation of OAuth 2.0 earlier this year. OAuth 2.0 hasn’t been finalized, but it’s already been adopted by Facebook in its Open Graph API, and by Twitter in @anywhere. OpenID, however, hasn’t been updated since 2007. Three years is an eternity on the web, especially in the mobile space, which has seen the massive growth of the mobile web and the quick proliferation of mobile apps with social networking built in.

Also, the technologies serve two different purposes. OpenID is a way of proving to a server that you are who you say you are, and OAuth is a way of providing an application access to information such as your photos or your address book through web APIs.

“Instead of saying identity and APIs were different things, we wanted to build them together and make them work together,” Recordon says. “This is a smart combination of OpenID and OAuth pieces.”

The idea of OpenID Connect evolved naturally from the work being done by Recordon and his colleagues in the OpenID Foundation, the non-profit that develops and popularizes the technology. Others involved in the creation of this new proposal include Chris Messina, who works at Google and drafted a similar idea earlier this year, and Eran Hammer-Lahav from Yahoo, who recently posted an overview of the improvements in OAuth 2.0. Recordon, who is an engineer at Facebook, just stitched together the pieces and drafted the proposal.

Chris Messina is quick to point out that OpenID Connect is just an idea at this point, not a spec or a complete draft.

“David’s document is a strawman in a very intentional way,” he says. “It is not complete. It’s a starting point. The goal is to start a conversation versus saying, ‘this is a solution.’”

Update: Be sure to read Messina’s follow-up post on his blog.

Recordon plans to give a presentation about OpenID Connect on Monday at the Internet Identity Workshop, a quarterly meeting of social web engineers and deep thinkers taking place this week at the Computer History Museum in Mountain View, California.

One of the larger problems OpenID Connect is hoping to solve is one of adoption. Web publishers in particular haven’t warmed to OpenID, since it allows a user to log in to a website and leave a comment on a story, a blog post or a photo while essentially remaining anonymous to the publisher.

“In order to seed the adoption of OpenID, we need to make OpenID accounts more valuable,” Messina says.

That anonymous aspect has made OpenID less attractive to publishers who want to collect more data about their readers or interact with them — whether that means following them on Twitter, connecting with them on Facebook or sending them e-mail.

“Because of that, we haven’t had a really juicy carrot to provide to publishers to get them to adopt OpenID,” Messina says. “Why would they ditch the data access they have using traditional logins and move to OpenID when they get nothing in return? It’s a step backwards.”

OpenID Connect’s OAuth components would allow publishers to request more information from a user when they log in using OpenID, but do so in a way that lets the user maintain control and only grant access to the specific pieces of data they are comfortable sharing.

Another key problem OpenID Connect aims to solve is one of singular adoption across multiple platforms — the web, the desktop, and mobile phones.

“OAuth 1.0 was originally created because OpenID didn’t work for desktop apps or dashboard widgets,” Messina says. “Increasingly, we’re seeing a need to make these things work in mobile and on the desktop.”

Most social client applications on mobile phones and on the desktop — like those that post status updates and photos to Twitter or Facebook — use OAuth to log you in. But it’s very tricky to for them to add support for OpenID because OpenID was primarily designed for use on websites. The new proposal would allow apps on all platforms to use the same protocol to handle logins and access web APIs.

All of these developments tie into the main goal of OpenID Connect — to make adopting and using decentralized identity systems simpler.

Recordon points to the motivation behind creating OAuth 2.0 as providing the spark to innovate further on social protocols.

“There was a huge push in making OAuth 2.0 so much easier to use,” he says. “We then asked ourselves, ‘How do we make the rest of these technologies easier to use on the open web?’”

To get involved, you can join the public mailing list at specs@openid.net, or sign up for and attend the next Internet Identity Workshop, which runs from May 17 through 19, 2010 in Mountain View, California. There’s a fee for registration, and it varies between $75 for students and $450 for a last minute 3-day pass. The date was recently moved so the IIW wouldn’t conflict with Google I/O.

See Also:

• Facebook Adopts Open Standard for User Logins
• Twitter Switches on @Anywhere
• Gmail Now More Secure With OAuth Support

SAN FRANCISCO — As we predicted, Facebook is switching to an open standard to handle user authentication across its entire platform of connected websites and applications.

Facebook is ditching its proprietary Facebook Connect system, which lets people use their Facebook username and password to log in to other sites around the web. In its place, the company will implement OAuth 2.0, an open source (and soon to be IETF standard) protocol for user authentication.

Viewed along side the barrage of other major announcements unleashed by Facebook at its F8 developer conference here on Wednesday, the move may only seem like a minor data point. But it is one with the potential to make a broad and deeply significant impact on the social web.

Right now, users expect three choices for logging in to a site with an existing ID: Facebook Connect, Twitter or OpenID. That forces publishers to implement three separate systems — one for OpenID, one for Twitter, which uses OAuth, and one for Facebook, which uses Facebook Connect. But once OAuth 2.0 is up to speed and more sites move over to it, things get simpler for site owners.

Where there used to be three options — Facebook Connect, OAuth and OpenID — there will now only be two. And the two that are left are both open source.

There are still details involving token management, auto-registration and other bits of complex backend plumbing to be sorted out, that Wednesday’s events don’t change.

But the move towards OAuth is a step towards interoperability the social web sorely needs. Most importantly, it will be easier to build pathways connecting OAuth and OpenID, since both are fully transparent, open standards and the proprietary Facebook Connect system has been removed from the equation. The switch paves the way for further integrations between existing technologies.

During a panel discussion about OAuth on Wednesday afternoon, Facebook engineer Luke Shepard said that by adopting OAuth, he hopes Facebook will “help drive it to become such a core part of the web, all the tools will end up supporting it.”

Twitter also recently began supporting OAuth 2.0 with last week’s launch of @anywhere, its suite of social-interaction tools.

But what about OpenID? It was one of the key technologies responsible for pushing the idea of single sign-on forward, so why isn’t Facebook supporting it yet?

“Developers aren’t asking for OpenID,” Shepard said when the question was posed to the panel. “They’re explicitly asking for us to make logins simpler and easier, not for us to implement OpenID. So now we’re doing that by implementing OAuth 2.0, because it’s simple and easy. Adding OpenID on top of it would just add a layer of complexity nobody is asking for.”

OpenID is indeed very complex, and because of that, it suffers from usability problems that have kept it from being widely adopted.

“It’s very easy to do user authentication over OAuth 2.0,” Shepard said.

Panel moderator David Recordon, who develops open technologies at Facebook, asked the audience of about 60 or 70 people: “How many of you here want Facebook and Twitter to adopt OpenID?”

Five people raised their hands (I was one of them).

Another panelist, Raffi Krikorian from Twitter, quipped, “That answers your question right there.”

Krikorian did offer a ray of hope for OpenID, though, noting that browser makers may provide the missing links that solve OpenID’s complexity problem.

“Since the browser exists in between the web service and the user, it makes perfect sense for the browser to handle those identity-management tasks,” he said. “I think that would be a huge step forward for the web.”

Another panelist, Yahoo’s Allen Tom, another long-time OpenID advocate, agreed that browser makers could definitely help fix OpenID’s UI problems.

“If browsers can eliminate the confusion in the whole authorization flow around OpenID, that would be ideal.”

See Also:

• Up Next For Facebook: Expect More Open Interactions
• Facebook Shows Off New Tools to Socialize the Entire Web
• Facebook Tags Everyone at F8 with RFID Chips

Facebook essentially copies a bunch of services that are already available on the open internet — chat, e-mail, media sharing, profiles — for its 400 million active users. But it also provides tools to help those users interact with each other while they’re outside Facebook’s walls, and there are signs the company is ready to make those tools more open and more easily integrated into other websites and applications.

The social network has already seen great success with Facebook Connect, its authentication system other websites can use to let their visitors log in using their Facebook username and password, then leave comments or share items with their Facebook friends with a single click. They can also hop around between websites and apps without creating a new account at each stop.

Facebook Connect has certainly fueled the explosive growth of social interaction across hardware and software platforms, as it helps Facebook friends notify each other of their activities on other social websites, the movies they’re renting, or the high score they just got on their favorite iPhone game.

Facebook Connect was first announced in 2008 at F8, Facebook’s developer conference. The next F8 is taking place Wednesday in San Francisco, and Facebook CEO Mark Zuckerberg is expected to announce the next phase of his company’s plans to further extend its sharing platform during his keynote address.

The Facebook Connect system isn’t entirely open — a key reason for its existence is to feed social sharing traffic back into Facebook. But it has much in common with other emerging open standards like OpenID and OAuth. Most social websites use a mix of both Facebook and non-Facebook options to handle user authentication, and Facebook Connect is not fully interoperable with competing technologies.

But several recent events point to Facebook making its own platform work better with open technologies. Last year, the company joined the OpenID Foundation and it began partially supporting the technology by allowing users to log in to Facebook using OpenID credentials. Also last year, the company hired David Recordon, one of the key architects of OpenID and OAuth, and purchased FriendFeed, a website that aggregates people’s social activities. Soon after acquiring FriendFeed, Facebook released its Tornado sharing framework under an open-source license.

Facebook wouldn’t comment on any upcoming announcements when contacted for this story. However, outside developers remain hopeful that the company will continue to grow its sharing platform by making it work in tandem with other open technologies already in place.

Igor Pusenjak has incorporated Facebook Connect into Doodle Jump, the popular mobile game he co-created. Doodle Jump, which has over 3 million users on the iPhone and Android, uses Facebook Connect to allow players to share their high scores with their friends on Facebook. Pusenjak will be speaking on a panel at F8 called “Mobile + Social: Connecting the Dots.”

Pusenjak welcomes the possibility that Facebook could be moving towards open standards for user authentication like OAuth and OpenID by making them work better with Facebook Connect.

“Anything that can help reduce a number of passwords that need to be remembered and info that needs to be typed will both help the end users and small business,” he says in an e-mail. “Many people today are reluctant to create yet another account just to make one purchase.”

As if expecting such a development, the web-based chat site Meebo debuted its own entry into simplified authentication and sharing on Monday. It’s called XAuth, and it allows users to share links with their friends on some pretty large and powerful networks — Google, Microsoft, Yahoo and MySpace were part of the initial launch.

While Meebo says XAuth will eventually be released under an open source license, there are currently several unanswered questions about its design and its privacy implications that may hold it back.

As far as what else to expect from F8, there’s been some speculation that Facebook will provide its users with tools to better share their location. We noted this in March. Others may be anticipating this announcement, too — Google revamped its location-based search and advertising products Tuesday, and Twitter launched a new location-aware feature called “Places of Interest” at its Chirp developer’s conference last week. Both of these rely on users’ location data.

Twitter is actually an exemplar of how open standards can succeed in social sharing. The “Tweet This” buttons currently littering the web use OAuth to let people connect their Twitter accounts to whatever website or app they are using. Also launched at Chirp is @anywhere, a system web publishers can incorporate into their sites to make it easier for readers tweet and add followers directly from a website’s pages. It also uses OAuth.

Raffi Krikorian, the tech lead on the Twitter API team, says his company is active in developing the OpenID and OAuth 2.0 specifications. He thinks the broader adoption of open standards on the social web lead to better interaction between websites and third-party apps.

“We [at Twitter] want to make things more open, and more standard,” he says in an e-mail. “We want to make it easy for application developers to talk to us, and if that has a side effect of talking well with others, then that’s awesome.”

Krikorian is appearing on a panel at F8 that’s billed as a “Fireside chat about open technologies” on the social web. Also appearing on the panel are Allen Tom from Yahoo and Luke Shepard, Naitik Shah and David Recordon from Facebook.

Facebook’s F8 takes place Wednesday in San Francisco. Webmonkey will be at the show bringing you breaking news from Facebook and reactions from developers. Follow us on Twitter, become a fan on Facebook and subscribe to our Events category for real-time coverage.

See Also:

• Facebook Opens Up to OpenID
• Facebook Open Sources ‘Tornado’ the Engine That Drives FriendFeed
• Facebook Joins OpenID in Quest for Universal User Accounts