OpenID and LRDD

In my last article I wrote about the differences between user discovery and provider discovery. In this article, I will explain how both of these discovery flows can easily be done using the “Link-based Resource Descriptor Discovery” (LRDD) pattern. A resource descriptor is, for the purposes of OpenID discovery, an XRD document describing metadata about a resource, which can either be a user’s OpenID (i.e., identified by a user identifier) or an OpenID provider (i.e., identified by a provider identifier).

What’s Next for OpenID?

OpenID has been around for a while, but has for most of its life been a niche technology. This is not too surprising since it was originally designed for authenticating bloggers wanting to comment on other bloggers’ blogs.

More recently, it has been embraced by some big players like MySpace, Yahoo, Google, and Facebook. Even before it was picked up by the industry heavyweights, the OpenID community revved the version to 2.0, anticipating some of the use cases beyond blogs. For example, users were no longer required to know their OpenID URL and enter it at the Relying Party’s (RP) web site. Instead, they could just tell the RP who their OpenID Provider (OP) was, and log into the RP that way.

Still, OpenID 2.0 is in some ways inadequate for today’s requirements.

Introducing ‘Sign-in with Twitter’, OAuth-Style “Connect”

Yesterday Twitter released ‘Sign-in with Twitter’, the ability to use Twitter as a delegated sign-in provider for third-party websites. The cool thing about this new feature, which is part of their OAuth API beta, is that it is completely standard OAuth. No extensions, no secret sauce, and not another proprietary provider (yes, I’m looking at you Facebook).

It is Open done right.

With this small enhancement of the Twitter OAuth API, Twitter created a product that directly competes with Facebook Connect. The implementation details are significantly different (and there are some technical shortcomings on both sides), but there is little you can do with one and not the other. There is no reason why ‘Sign-in with Twitter’ cannot be used anywhere Facebook Connect is offered, including blog posts and activity streaming.

Conceptual Outline for XRD-Based OpenID Discovery

This post is mostly me thinking out loud.

XRD is still very much a work-in-progress, and the OpenID community has yet to consider or endorse the new XRD protocol for its discovery needs. But since many of my readers consider OpenID discovery as the primary use case for XRD, I think this is a worthwhile excursion.

This post will offer one way in which XRD could be used as a new discovery layer for OpenID. Keep in mind that there are other ways XRD could be used for OpenID. The next post on this topic will look into specifying OpenID extensions as well as other ways to describe the provider.

But first, let’s cover the basics…

Clarifying Thoughts on OpenID

Two weeks ago I posted two items about OpenID. The first praised the significant contribution OpenID is making to the Open Web. The second raised questions about the direction the OpenID user experience is taking, and how the community discussion seems to be taking a very strong corporate voice. Needless to say, some people didn’t like my questions and what they thought I was implying. Ironically, they opted to send their comments in private.

Let me start by reiterating some points about my employer’s position, wearing my Yahoo! hat for a second, something I rarely do on this blog.

  • Yahoo!’s support for OpenID is unequivocal.
  • Yahoo! is an active member of the community, a specification contributor, and a sustaining member of the foundation.
  • Yahoo! has made a commitment not to invent any new or proprietary alternatives to OpenID.
  • We are also committed and actively seeking ways to support OpenID as a relying party, accepting OpenID logins from other providers.
