Simon Willison's Weblog: identityprojection

Django People: OpenID and microformats

2008-01-24T02:02:19+00:00

In hindsight, it was a mistake to launch Django People without support for OpenID. It was on the original feature list, but in the end I decided to cut any feature that wasn't completely essential in order to get the site launched before it drowned in an ocean of "wouldn't-it-be-cool-ifs".

I thought that, once launched, the site would see a small amount of activity from a few interested parties and I'd have plenty of time to catch up on the feature backlog. What I didn't expect was that over 750 people would create profiles within the first 24 hours!

So, I spent a few hours this evening integrating my current development version of django-openid, which thankfully had about 80% of the code needed to integrate with Django's built-in authentication mechanism already written. Sadly the other 20% is either incomplete or a bit of a mess, but I've checked it in to a branch on Google Code for anyone who's interested.

Anyway, there are a few new features on the site of interest to OpenID users:

When signing up for a new account, you now have the option to start by signing in with an OpenID. If you do this, you'll be able to complete the signup form without having to pick a password. If your OpenID provider supports simple registration the name, e-mail address and username fields will be filled in for you.
If you already have an existing account, you can associate one or more OpenIDs with that account. You'll then be able to use any of them to sign in to the account. Why multiple OpenIDs instead of just one? Two reasons: firstly, it opens the potential for doing interesting things with multiple OpenIDs from different providers in the future; secondly, it gives you a fallback for if one of your OpenID providers becomes unavailable.
You can freely add and remove OpenIDs from your associations, with one exception: the site won't let you delete your last OpenID if your account doesn't also have a password associated with it, to prevent you from locking yourself out.
While I decided that I didn't want Django People to become yet another OpenID provider, I do want to give people the ability to use their profile page on the site as an OpenID - so that they can prove that they own it (see my recent post on identity projection). To that end, the new account settings page lets advanced OpenID users set up an openid.server and openid.delegate for their profile page, as described in my blog entry from just over a year ago.

One caveat: the site only supports OpenID 1.1, at least for the moment. I had originally planned to go for OpenID 2.0, but demand was such that I decided to get what I had up and running rather than digging in to the OpenID 2.0 libraries.

Microformats

While I was messing around with OpenID, Natalie was updating the site's templates to clean up the crufty code I'd introduced and add some microformatted goodness. The site now uses hCard where you would expect it (country listing pages, skill listing pages and the new search interface) and the profile pages have been updated with a healthy dose of XFN (just rel="me", since there isn't a relevant microformat for "people who live nearby") and Rel-Tag. On Jeremy Keith's suggestion, the profile pages also use hResume - all the more reason to add the Django projects you've worked on to your profile's portfolio.

As usual, post feedback and bug reports as comments on this entry.

Tags: django, django-people, hcard, hresume, identityprojection, microformats, openid, python, reltag, xfn

Yahoo!, Flickr, OpenID and Identity Projection

2008-01-07T23:33:39+00:00

Via ReadWriteWeb, view source on a Flickr photostream page and search for "openid" and you'll be rewarded with the following snippet:

<link rel="openid2.provider"
  href="https://open.login.yahooapis.com/openid/op/auth" />

Which means that Flickr pages will very soon be able to act as OpenIDs. The provider isn't up and running just yet though; try authenticating with your Flickr OpenID on Jyte.com and you'll get the following message:

Hey there! You have stopped by a bit sooner than we had expected. This feature is still being tested, so please check back in a few days.

The URL of the server is interesting as well: it suggests that Yahoo!'s OpenID support is designed from the start to apply to more than just Flickr. I wouldn't be at all surprised to see similar links start to crop up on all kinds of other Yahoo! properties - anything that has a page which can be considered to represent a user account. This would make a lot of sense, because OpenID is good for more than just authentication. The OpenID protocol allows a user to assert ownership of a URL. This can be used for SSO-style authentication, but it can also be used to prove ownership of a specific account to some other service, a concept I've been calling identity projection.

If users can easily project their Flickr, Upcoming or del.icio.us identities to other sites, developers can start to build all kinds of neat things. Mashups for one get a whole lot more interesting when new users can easily bring their existing profiles from other sites with them. With any luck we'll see Yahoo! start to adopt OAuth for authenticated API calls (which is itself based in part on the Flickr auth API) in the not too distant future, opening up even more possibilities.

A common misconception about OpenID is that it's only really useful if users stick to using one identity. I'd be happy to see every one of my online profiles acting as an OpenID, not for SSO authentication (I'll pick one "primary" OpenID to use for that) but so that I can selectively cross-pollinate some of my profiles to new services.

Back to Yahoo!, another interesting new URL is https://me.yahoo.com/. Again, there's not much to see at the moment but it looks to me like this will become an endpoint for OpenID 2 directed identity. James Henstridge provides a useful explanation here, but the short version is that you'll be able to enter "me.yahoo.com" in to an OpenID field on a site and have Yahoo! pick an obfuscated, unique OpenID for your interactions with that site. This protects your privacy by preventing anyone from outside of Yahoo! from correlating your behaviour across multiple OpenID-enabled services, similar to how Yahoo!'s current BBAuth API provides applications with an opaque hash rather than a user's Yahoo! screen name.

It looks like Yahoo! will only be supporting OpenID 2 and won't provide a fallback for OpenID 1.x consumers. This means you won't be able to use your Flickr OpenID on many existing consumer sites (including this blog), at least until they get around to updating their libraries. I expect Yahoo!'s implementation to be a major influence in encouraging OpenID 2 adoption.

It's three weeks short of a year since I launched idproxy.net, which provides Yahoo! account holders with a third-party OpenID via the BBAuth API. I couldn't be happier to see Yahoo! taking steps towards cutting out the middle man.

Tags: bbauth, flickr, identityprojection, oauth, openid, openid2, yahoo