FOWA Notes: The Future of OpenID - Simon Willison

The Future of OpenID - Simon Willison

3 weeks ago there was still a question mark over OpenID; it was a niche proposition.

Headlines:
AOL supports OpenID ...

Last night on TechCrunch

It's definitely time to declare OpenID a winner and the hope for making a single sign-on world a reality.

What problems does it solve?

Web auth sucks.

First thing I think is what is my username?
What's my password again?

Email usernames: which one did I use? I might not have access to a corporate account any more.

Yahoo's long registration is bad, people would love to not have to do this anymore.

Too many passwords, username etc.

Single sign-on, not a new idea.

MS Passport - do you trust them?
TypeKey - Maybe you trust Ben and Mena Trott? What if they turn evil?

OpenID takes single sign-on and decentralizes it. You pick who you want to manage it.
Your id is a url
e.g. swillison.livejournal.com

This namespaces your id and makes it a globally unique identifier.

If I log in to Zooomr with swillison.livejournal.com it redirects me to LiveJournal, where I have to log in. Then I have to say whether I want Zooomr to be allowed.
If permission is granted permanently, LiveJournal will then allow Zooomr to log me in seamlessly.

Single sign-on with just a username.

What about account creation?
myopenid.com allows the user to set up a persona.

Logging into magnolia.com: MyOpenID allows me to share more info with magnolia.

How does this all work?

Identity for simonwillison.myopenid.com

Has a link with a rel attribute to say which server to use: rel="openid.server"

Screw LiveJournal and MyOpenID, this is meant to be decentralised.

rel="openid.delegate" in addition to openid.server allows me to provide a secondary provider.

Who supports it

AOL, Digg (soon), TypeKey etc.

My blog displays OpenID comments with a yellow border. You can also see a history of the comments you have made.

OpenID doesn't dictate the auth method.
Jabber auth
DynDNS
RSA keyfobs

idproxy.net allows you to use OpenID with your Yahoo account. Created using the Y auth API.

If you don't provide OpenID and you have an auth API, someone can build it for you.

Dumb networks
The internet is a dumb network.
It gets packets from A to B
It's up to A and B (apps) to decide what to do with it.

OpenID is a dumb network too.

What can we build with OpenID that we couldn't have before OpenID?

Profile sharing between apps?

Lightweight accounts: people are much more likely to log in with a single sign-on to fix a typo on a wiki, for example.

Use OpenID to extend the life of cookies

With OpenID you can pre-approve people. I have a group of people I trust to delete spam on my blog.

Use OpenID internally. Corporate SSO

OpenID and microformats
hCard
Your OpenID can embed your public contact details

XFN
Get shared contact automatically.

Site-specific OpenID hacks
AOL sends updates over AIM.

Social Whitelists
Came from discussion about moderation with Tom Coates.
Blacklists fail.
Publish a list of OpenIDs you trust; those people skip the moderation.
Syndicate the trusted whitelists from your friends.

Jyte

http://jyte.com
You can get cred for stuff.
People can make claims about you.

You can create a group on Jyte, and this has a group export. You could create an invite-only group on Jyte and then put this into another site's functionality.

Decentralised social networks.
Profiles of you and your friends across the net.

Problems with OpenID?

Phishing.

If the id provider is faked, your identity can be stolen.

idproxy.net makes the user type the address in the address bar; there are no links.
CardSpace by MS displays info about the company before you allow the site access to your id.

Competition.

Providers can compete on their defences against phishing.

What if my OpenID goes down?
...
Email the user a reset token
Allow users to associate multiple OpenIDs with their account.

Privacy - a.k.a. I don't want my boss to know that I'm furry (wikifur)

Use multiple OpenIDs

OpenID is hard to explain

It's taken 30 mins to explain to a room full of geeks.
It's ready for early adopters.

Your help is needed. Or, if you like, this is a business opportunity.

freeyourid.com
  Free for 90 days

Don't just implement it. Innovate with it.

Q: If an OpenID provider closes, how do I access the data?
A: That's a problem for the application developers to solve.

Q: OpenID works on the web. What about using that in offline apps?
A: OpenID doesn't solve that.
