All posts tagged ‘oauth’

File Under: Identity, Social, Web Standards

New ‘OpenID Connect’ Proposal Could Solve Many of the Social Web’s Woes


David Recordon, one of the key architects of OpenID and other identity technologies that have emerged over the past five years, has envisioned a new direction for OpenID.

His proposal, which was drafted with input from several people in the OpenID community, is called OpenID Connect. At the highest level, it rebuilds OpenID on top of OAuth 2.0, combining two popular open standards: one for authenticating users, the other for letting them grant social websites and applications access to their data.

“OpenID Connect is an attempt to pull the best pieces of two separate technologies together, to create a single technology stack that’s simpler for everyone to use,” Recordon tells Webmonkey.

The proposed approach combines several interactions around logging in and sharing data with a website or application into one simple step. It also lets a user log in using either a profile URL, a blog URL or an e-mail address. Support for e-mail addresses as identifiers is a big step for OpenID, which currently requires you to type a URL — something that’s confusing to people who are used to typing a user name. Asking somebody to enter an e-mail address requires less of a psychological jump.

OpenID Connect hopes to broaden the technology’s reach as well. Unlike OpenID, it’s been designed to work equally well on every platform in your home: on the web, on the desktop and in mobile apps. “It could even work on your XBox,” Recordon says.

Both OpenID and OAuth have seen wide adoption across social sites and applications over the last couple of years, but both still suffer from problems of usability (for people trying to log in) and complexity (for publishers trying to implement them). Much of that stems from the two technologies having been developed separately, and for different use cases.

Many of the complexity problems in OAuth were solved by the creation of OAuth 2.0 earlier this year. OAuth 2.0 hasn’t been finalized, but it’s already been adopted by Facebook in its Open Graph API, and by Twitter in @anywhere. OpenID, however, hasn’t been updated since 2007. Three years is an eternity on the web, especially in the mobile space, which has seen the massive growth of the mobile web and the quick proliferation of mobile apps with social networking built in.

Also, the technologies serve two different purposes. OpenID is authentication: a way of proving to a website that you are who you say you are. OAuth is delegated authorization: a way of granting an application access to specific data, such as your photos or your address book, through web APIs, without handing over your password.

“Instead of saying identity and APIs were different things, we wanted to build them together and make them work together,” Recordon says. “This is a smart combination of OpenID and OAuth pieces.”

The idea of OpenID Connect evolved naturally from the work being done by Recordon and his colleagues in the OpenID Foundation, the non-profit that develops and popularizes the technology. Others involved in the creation of this new proposal include Chris Messina, who works at Google and drafted a similar idea earlier this year, and Eran Hammer-Lahav from Yahoo, who recently posted an overview of the improvements in OAuth 2.0. Recordon, who is an engineer at Facebook, just stitched together the pieces and drafted the proposal.

Chris Messina is quick to point out that OpenID Connect is just an idea at this point, not a spec or a complete draft.

“David’s document is a strawman in a very intentional way,” he says. “It is not complete. It’s a starting point. The goal is to start a conversation versus saying, ‘this is a solution.’”

Update: Be sure to read Messina’s follow-up post on his blog.


File Under: Events, Social, Web Standards

Facebook Adopts Open Standard for User Logins


SAN FRANCISCO — As we predicted, Facebook is switching to an open standard to handle user authentication across its entire platform of connected websites and applications.

Facebook is ditching its proprietary Facebook Connect system, which lets people use their Facebook username and password to log in to other sites around the web. In its place, the company will implement OAuth 2.0, an open protocol that is on its way to becoming an IETF standard. Strictly speaking, OAuth is an authorization protocol, a way for a user to grant a site access to their account without sharing a password; Facebook is building its login for connected sites on top of that grant.

Viewed alongside the barrage of other major announcements unleashed by Facebook at its F8 developer conference here on Wednesday, the move may seem like a minor data point. But it has the potential to make a broad and deeply significant impact on the social web.

Right now, users expect three choices for logging in to a site with an existing ID: Facebook Connect, Twitter or OpenID. That forces publishers to implement three separate systems — one for OpenID, one for Twitter, which uses OAuth, and one for Facebook, which uses Facebook Connect. But once OAuth 2.0 is up to speed and more sites move over to it, things get simpler for site owners.

Where there used to be three options (Facebook Connect, OAuth and OpenID) there will now be only two, and both of them are open standards.

There are still details involving token management, auto-registration and other complex backend plumbing to be sorted out, and Wednesday's announcement doesn't change that.

But the move towards OAuth is a step towards the interoperability the social web sorely needs. Most importantly, it will be easier to build bridges between OAuth and OpenID now that both are fully documented open standards and the proprietary Facebook Connect system has been removed from the equation. The switch paves the way for further integration between existing technologies.

File Under: Events, Social, Web Standards

Up Next For Facebook: Expect More Open Interactions


Facebook essentially copies a bunch of services that are already available on the open internet — chat, e-mail, media sharing, profiles — for its 400 million active users. But it also provides tools to help those users interact with each other while they’re outside Facebook’s walls, and there are signs the company is ready to make those tools more open and more easily integrated into other websites and applications.

The social network has already seen great success with Facebook Connect, its authentication system that other websites can use to let visitors log in with their Facebook username and password, then leave comments or share items with their Facebook friends with a single click. Those visitors can also hop between websites and apps without creating a new account at each stop.

Facebook Connect has certainly fueled the explosive growth of social interaction across hardware and software platforms, as it helps Facebook friends notify each other of their activities on other social websites, the movies they’re renting, or the high score they just got on their favorite iPhone game.

Facebook Connect was first announced in 2008 at F8, Facebook’s developer conference. The next F8 is taking place Wednesday in San Francisco, and Facebook CEO Mark Zuckerberg is expected to announce the next phase of his company’s plans to further extend its sharing platform during his keynote address.

The Facebook Connect system isn't entirely open; a key reason for its existence is to feed social sharing traffic back into Facebook. But it has much in common with emerging open standards like OpenID and OAuth. Because Facebook Connect is not interoperable with those competing technologies, most social websites end up offering a mix of Facebook and non-Facebook options to handle user authentication, each requiring its own integration.

But several recent events point to Facebook making its own platform work better with open technologies. Last year, the company joined the OpenID Foundation and began partially supporting the technology by allowing users to log in to Facebook using OpenID credentials. Also last year, the company hired David Recordon, one of the key architects of OpenID and OAuth, and purchased FriendFeed, a website that aggregates people's social activities. Soon after acquiring FriendFeed, Facebook released FriendFeed's Tornado web framework under an open-source license.

Facebook wouldn’t comment on any upcoming announcements when contacted for this story. However, outside developers remain hopeful that the company will continue to grow its sharing platform by making it work in tandem with other open technologies already in place.


File Under: Identity, Social, Web Apps

Gmail Now More Secure With OAuth Support

Google has announced OAuth support for Gmail. The new feature means that third-party applications can access your Gmail account without ever seeing your username and password.

OAuth lets outside applications request access to your Gmail account with a single click: you're redirected to Gmail, where you can approve (or reject) the application asking for access to your contacts and mail. Twitter has supported OAuth for a while, so if you've ever granted a third-party website or application permission to post to your tweet stream, you've been through this type of interaction before.

At the moment OAuth support is a Google Labs feature. Interested developers can get an overview of the process on the Google Labs site.

The most obvious beneficiaries are social networking sites, which often want to import your address book so you can find your friends on the new site. Previously, that meant handing over your Gmail username and password, something savvy users were loath to do. Now, outside sites can pull your address data without your giving away the keys to your e-mail account.

Perhaps more important in the long run, OAuth support also means that outside applications can interact with your mail. For the launch, Syphir has developed an iPhone application that lets you apply complex filters to your mail and use them to push only selected messages, for example only those from your boss, to your iPhone.

Unlike other push-notification and Gmail apps in the iTunes Store, Syphir's SmartPush never sees or stores your Gmail password, thanks to the new OAuth support.

Other examples include Backupify, which backs up your Gmail account for safe storage off Google's servers. Previously Backupify used traditional IMAP, which meant the site had to store your username and password. Thanks to OAuth, that's no longer necessary.

Although OAuth was designed for web apps, it's possible that desktop e-mail clients like Mozilla's Thunderbird may also adopt it.


File Under: Uncategorized

Go Go Gadget OAuth Support


Passwords are a little more secure now that Google has added OAuth support to its iGoogle Gadgets. Developers can now use their gadgets to pull data from OAuth-enabled APIs without asking users for passwords. Instead, when a gadget wants data from a service, the user signs in at the service itself and grants the gadget permission there; the gadget receives a token tied to that permission, never the password.

MySpace updates, AOL Mail and Google Book Search are the first gadgets to use OAuth. Finding the MySpace gadget via the iGoogle search is difficult, as there are pages of results by non-MySpace developers, some of which ask for your MySpace password directly, without OAuth, which is exactly the insecure pattern OAuth is meant to replace. If you have a MySpace account, try adding the official MySpace gadget.


Adding the MySpace gadget gives a good idea of the user experience provided by the OAuth process. Rather than username/password fields within the iGoogle box, there's a sign-in button. Click it, and a popup opens showing MySpace's own login page. Once you've signed in and approved the gadget, the popup disappears and the gadget is populated with your MySpace data: updates, status, bulletins, and inbox.

Behind the scenes there is an exchange of signed requests and tokens that ensures the gadget maker really does have your permission to access the data, and that it never handles your password. The resulting access token is long-lived (it stays valid until revoked), so the sign-in process is a one-time deal for each OAuth gadget, not something you'll have to repeat every time you visit your iGoogle page. For an example of how OAuth works, check out my FireEagle tutorial.
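To make the "exchange of keys" above (and the approve-or-reject redirect described in the Gmail post) concrete, here is an added example that is not code from Webmonkey, Google or MySpace. It models the OAuth 1.0a three-legged flow, the revision of OAuth that was current when these posts were written, with both sides in one Python process: the gadget signs every request with HMAC-SHA1 and only ever holds its own consumer credentials and the tokens it is issued, while the provider checks consumer key, timestamp, nonce, token type and signature before handing out a request token, then an access token, then the contact list. The hostnames, consumer registration, user "alice" and her contacts are constructed for the example. Two failure modes are exercised: exchanging an authorized request token without the verifier (the session-fixation hole in OAuth 1.0 that 1.0a closed) and replaying an already-used signed request.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

CONSUMER = ("gadget-key", "gadget-secret")  # constructed consumer registration (key, secret)
BASE = "https://mail.example.test"          # constructed provider hostname

def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1): METHOD & url & sorted normalized params."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret (3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_request(method, url, token=None, token_secret="", **extra):
    """Consumer (gadget) side: build and sign one request. It never holds the user's password."""
    params = {"oauth_consumer_key": CONSUMER[0], "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": str(int(time.time())), **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, CONSUMER[1], token_secret)
    return method, url, params

class Provider:
    """Service side (Gmail/MySpace stand-in): checks consumer, timestamp, nonce, token, signature."""
    def __init__(self, consumers, contacts):
        self.consumers, self.contacts, self.tokens, self.seen = consumers, contacts, {}, set()

    def _verify(self, method, url, params, kind=None):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None or abs(time.time() - int(params["oauth_timestamp"])) > 300:
            raise PermissionError("unknown consumer or stale timestamp")
        nonce = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
        if nonce in self.seen:
            raise PermissionError("replayed nonce")
        self.seen.add(nonce)
        tok = self.tokens.get(params.get("oauth_token")) if kind else None
        if kind and (tok is None or tok["kind"] != kind):
            raise PermissionError("bad token")
        expected = sign(method, url, params, secret, tok["secret"] if tok else "")
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        return tok

    def request_token(self, req):
        self._verify(*req)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"kind": "request", "secret": secret, "user": None, "verifier": None,
                              "callback": req[2]["oauth_callback"]}
        return token, secret

    def authorize(self, token, user):
        """The user signs in at the provider (the popup in the article) and approves the gadget."""
        tok = self.tokens[token]
        tok["user"], tok["verifier"] = user, secrets.token_hex(8)
        return tok["callback"], tok["verifier"]  # the browser is redirected here with the verifier

    def access_token(self, req):
        tok = self._verify(*req, kind="request")
        # OAuth 1.0a session-fixation fix: only the browser that came back from the authorization
        # page knows the verifier, so a request token pre-planted by an attacker cannot be redeemed.
        verifier = req[2].get("oauth_verifier", "")
        if tok["verifier"] is None or not hmac.compare_digest(tok["verifier"], verifier):
            raise PermissionError("missing or wrong verifier")
        del self.tokens[req[2]["oauth_token"]]  # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"kind": "access", "secret": secret, "user": tok["user"]}
        return token, secret

    def get_contacts(self, req):
        return self.contacts[self._verify(*req, kind="access")["user"]]

def rejected(call):
    try:
        call()
        return False
    except PermissionError:
        return True

def run_flow():
    """Three-legged flow for constructed user 'alice'; returns what the gadget got and what was refused."""
    provider = Provider({CONSUMER[0]: CONSUMER[1]}, {"alice": ["bob@example.test", "carol@example.test"]})
    rt, rts = provider.request_token(signed_request(
        "POST", f"{BASE}/oauth/request_token", oauth_callback="https://gadget.example.test/cb"))
    _callback, verifier = provider.authorize(rt, "alice")  # step 2 happens in the user's browser
    no_verifier = rejected(lambda: provider.access_token(
        signed_request("POST", f"{BASE}/oauth/access_token", rt, rts)))
    at, ats = provider.access_token(signed_request(
        "POST", f"{BASE}/oauth/access_token", rt, rts, oauth_verifier=verifier))
    req = signed_request("GET", f"{BASE}/contacts", at, ats)
    contacts = provider.get_contacts(req)
    replay = rejected(lambda: provider.get_contacts(req))  # identical nonce and timestamp
    return {"contacts": contacts, "no_verifier_rejected": no_verifier, "replay_rejected": replay}
```

Calling run_flow() returns alice's two contacts together with both rejection flags set to True. Note what the gadget ends up holding: its own consumer secret plus an access token and token secret, which is what the article means by the sign-in being a one-time deal. A real provider would additionally bind the token to the scope the user approved and give the user a page to revoke it, which this toy leaves out.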

The update to gadgets is worlds beyond password-sharing, but there are still phishing worries. Emulating the popup would be easy, and nothing in the popup itself proves that the page I'm seeing really is MySpace; the only check available to the user is the one that applies to any login form, that it is served over HTTPS from MySpace's own domain. Luckily, that's the same problem that many are already trying to fix for banking sites, and a solution there will probably serve OAuth as well.

[Photo by Eran Sandler]
