All posts tagged ‘OpenID’


New ‘OpenID Connect’ Proposal Could Solve Many of the Social Web’s Woes


David Recordon, one of the key architects of OpenID and other identity technologies that have emerged over the past five years, has envisioned a new direction for OpenID.

His proposal, which was drafted with input from several people in the OpenID community, is called OpenID Connect. At the highest level, it essentially rebuilds OpenID on top of OAuth 2.0, combining the two popular open source systems for authenticating users and letting them share data with social websites and applications.

“OpenID Connect is an attempt to pull the best pieces of two separate technologies together, to create a single technology stack that’s simpler for everyone to use,” Recordon tells Webmonkey.

The proposed approach combines several interactions around logging in and sharing data with a website or application into one simple step. It also lets a user log in using either a profile URL, a blog URL or an e-mail address. Support for e-mail addresses as identifiers is a big step for OpenID, which currently requires you to type a URL — something that’s confusing to people who are used to typing a user name. Asking somebody to enter an e-mail address requires less of a psychological jump.

OpenID Connect hopes to broaden the technology’s reach as well. Unlike OpenID, it’s been designed to work equally well on every platform in your home: on the web, on the desktop and in mobile apps. “It could even work on your XBox,” Recordon says.

Both OpenID and OAuth have seen wide adoption across social sites and applications over the last couple of years, but both still suffer from various problems of usability (for people trying to log in) and complexity (for publishers who are trying to implement them). This is mostly due to the fact that the two technologies weren’t developed concurrently, and that they were developed for different use cases.

Many of the complexity problems in OAuth were solved by the creation of OAuth 2.0 earlier this year. OAuth 2.0 hasn’t been finalized, but it’s already been adopted by Facebook in its Open Graph API, and by Twitter in @anywhere. OpenID, however, hasn’t been updated since 2007. Three years is an eternity on the web, especially in the mobile space, which has seen the massive growth of the mobile web and the quick proliferation of mobile apps with social networking built in.

Also, the technologies serve two different purposes. OpenID is a way of proving to a server that you are who you say you are, and OAuth is a way of providing an application access to information such as your photos or your address book through web APIs.

“Instead of saying identity and APIs were different things, we wanted to build them together and make them work together,” Recordon says. “This is a smart combination of OpenID and OAuth pieces.”

The idea of OpenID Connect evolved naturally from the work being done by Recordon and his colleagues in the OpenID Foundation, the non-profit that develops and popularizes the technology. Others involved in the creation of this new proposal include Chris Messina, who works at Google and drafted a similar idea earlier this year, and Eran Hammer-Lahav from Yahoo, who recently posted an overview of the improvements in OAuth 2.0. Recordon, who is an engineer at Facebook, just stitched together the pieces and drafted the proposal.

Chris Messina is quick to point out that OpenID Connect is just an idea at this point, not a spec or a complete draft.

“David’s document is a strawman in a very intentional way,” he says. “It is not complete. It’s a starting point. The goal is to start a conversation versus saying, ‘this is a solution.’”

Update: Be sure to read Messina’s follow-up post on his blog.


Facebook Adopts Open Standard for User Logins

SAN FRANCISCO — As we predicted, Facebook is switching to an open standard to handle user authentication across its entire platform of connected websites and applications.

Facebook is ditching its proprietary Facebook Connect system, which lets people use their Facebook username and password to log in to other sites around the web. In its place, the company will implement OAuth 2.0, an open source (and soon to be IETF standard) protocol for user authentication.

Viewed alongside the barrage of other major announcements unleashed by Facebook at its F8 developer conference here on Wednesday, the move may only seem like a minor data point. But it is one with the potential to make a broad and deeply significant impact on the social web.

Right now, users expect three choices for logging in to a site with an existing ID: Facebook Connect, Twitter or OpenID. That forces publishers to implement three separate systems — one for OpenID, one for Twitter, which uses OAuth, and one for Facebook, which uses Facebook Connect. But once OAuth 2.0 is up to speed and more sites move over to it, things get simpler for site owners.

Where there used to be three options — Facebook Connect, OAuth and OpenID — there will now only be two. And the two that are left are both open source.

There are still details involving token management, auto-registration and other bits of complex backend plumbing to be sorted out, and Wednesday’s events don’t change that.

But the move towards OAuth is a step towards interoperability the social web sorely needs. Most importantly, it will be easier to build pathways connecting OAuth and OpenID, since both are fully transparent, open standards and the proprietary Facebook Connect system has been removed from the equation. The switch paves the way for further integrations between existing technologies.

Up Next For Facebook: Expect More Open Interactions

Facebook essentially copies a bunch of services that are already available on the open internet — chat, e-mail, media sharing, profiles — for its 400 million active users. But it also provides tools to help those users interact with each other while they’re outside Facebook’s walls, and there are signs the company is ready to make those tools more open and more easily integrated into other websites and applications.

The social network has already seen great success with Facebook Connect, its authentication system other websites can use to let their visitors log in using their Facebook username and password, then leave comments or share items with their Facebook friends with a single click. They can also hop around between websites and apps without creating a new account at each stop.

Facebook Connect has certainly fueled the explosive growth of social interaction across hardware and software platforms, as it helps Facebook friends notify each other of their activities on other social websites, the movies they’re renting, or the high score they just got on their favorite iPhone game.

Facebook Connect was first announced in 2008 at F8, Facebook’s developer conference. The next F8 is taking place Wednesday in San Francisco, and Facebook CEO Mark Zuckerberg is expected to announce the next phase of his company’s plans to further extend its sharing platform during his keynote address.

The Facebook Connect system isn’t entirely open — a key reason for its existence is to feed social sharing traffic back into Facebook. But it has much in common with other emerging open standards like OpenID and OAuth. Most social websites use a mix of both Facebook and non-Facebook options to handle user authentication, and Facebook Connect is not fully interoperable with competing technologies.

But several recent events point to Facebook making its own platform work better with open technologies. Last year, the company joined the OpenID Foundation and it began partially supporting the technology by allowing users to log in to Facebook using OpenID credentials. Also last year, the company hired David Recordon, one of the key architects of OpenID and OAuth, and purchased FriendFeed, a website that aggregates people’s social activities. Soon after acquiring FriendFeed, Facebook released its Tornado sharing framework under an open-source license.

Facebook wouldn’t comment on any upcoming announcements when contacted for this story. However, outside developers remain hopeful that the company will continue to grow its sharing platform by making it work in tandem with other open technologies already in place.


To See How OpenID Can Work Well, Look at Stack Overflow

OpenID, the decentralized identity system that dispenses with usernames and passwords in favor of a single, portable web identity, promises to eventually change the way we log in to our favorite websites.

While OpenID holds great promise, the reality today is that users sometimes don’t understand it. It’s an entirely different experience than a traditional login, so it can be confusing, and the user experience varies radically from site to site.

OpenID is, frankly, a work in progress. But, as developer Jeff Atwood recently wrote on the Stack Overflow blog, “I would rather be part of the solution than yet another brick in the wall of the problem… even if it involves a tiny bit of short-term friction.”

Atwood goes on to give an interesting developer perspective on what it’s been like to use OpenID on Stack Overflow. Stack Overflow is an interesting case study since OpenID is the only way to create an account at the site (you can use Stack Overflow without creating an account, but there’s no way to sign up using a traditional username/password).

In other words, Atwood and company made a big bet on OpenID, and for the most part it appears to be paying off. Here are some key points for developers that Atwood pulls from Stack Overflow’s OpenID experiences:

  • Google is by far the largest OpenID provider at 61% of all registered accounts
  • The change from “enter your OpenID URL” to “click the logo of the company that provides your identity” is a huge usability improvement. (I’d disagree with this one; if anything, Chris Messina’s OpenID Connect proposal seems more like the future of the OpenID UI.)
  • Support for multiple OpenID providers is key, since it gives your users the ability to change OpenID identities whenever they want. This is important, as their current OpenID provider could disappear, locking them out of their account.
  • The OpenID protocol itself can be implemented in unusual or incomplete ways by different providers. Atwood points to specific problems in the way Gmail handles OpenIDs, which require Stack Overflow to request your e-mail address as a kind of fingerprint for your OpenID.

The Stack Overflow crew seems to be happy with its OpenID-only account system. It’s worth noting that Stack Overflow obviously attracts users with a higher-than-average tech savviness, but the lessons Atwood details are relevant even if OpenID is only one of your site’s many sign-in methods.
