Simon Willison's Weblog: openid2

New OpenID Implementations Abound

2008-10-30T17:11:19+00:00

I’ve missed linking to a bunch of OpenID news recently—in particular, Google Accounts are becoming OpenID identifiers and LiveJournal has quietly ugraded its consumer support to OpenID 2.0.

Tags: google, livejournal, martin-atkins, openid, openid2

Yahoo! supporting OpenID 2.0 but not 1.1

2008-01-19T09:10:30+00:00

Yahoo! supporting OpenID 2.0 but not 1.1

Yahoo!’s Allen Tom outlines the reasons Yahoo! are supporting OpenID 2.0 but not OpenID 1.1.

Tags: allen-tom, openid, openid2, yahoo

Quoting Martin Atkins

2008-01-18T07:00:44+00:00

Yahoo!'s provider implementation only supports consumers that talk the Auth 2.0 protocol. Technically the 2.0 spec allows providers to shun 1.1, but it's not recommended for the reason that I'm sure will become obvious once Yahoo! launches: there's no way for your average end-user to distinguish between a 1.1 and a 2.0 implementation.

— Martin Atkins

Tags: livejournal, martin-atkins, openid, openid2, yahoo

Yahoo!, Flickr, OpenID and Identity Projection

2008-01-07T23:33:39+00:00

Via ReadWriteWeb, view source on a Flickr photostream page and search for "openid" and you'll be rewarded with the following snippet:

<link rel="openid2.provider"
  href="https://open.login.yahooapis.com/openid/op/auth" />

Which means that Flickr pages will very soon be able to act as OpenIDs. The provider isn't up and running just yet though; try authenticating with your Flickr OpenID on Jyte.com and you'll get the following message:

Hey there! You have stopped by a bit sooner than we had expected. This feature is still being tested, so please check back in a few days.

The URL of the server is interesting as well: it suggests that Yahoo!'s OpenID support is designed from the start to apply to more than just Flickr. I wouldn't be at all surprised to see similar links start to crop up on all kinds of other Yahoo! properties - anything that has a page which can be considered to represent a user account. This would make a lot of sense, because OpenID is good for more than just authentication. The OpenID protocol allows a user to assert ownership of a URL. This can be used for SSO-style authentication, but it can also be used to prove ownership of a specific account to some other service, a concept I've been calling identity projection.

If users can easily project their Flickr, Upcoming or del.icio.us identities to other sites, developers can start to build all kinds of neat things. Mashups for one get a whole lot more interesting when new users can easily bring their existing profiles from other sites with them. With any luck we'll see Yahoo! start to adopt OAuth for authenticated API calls (which is itself based in part on the Flickr auth API) in the not too distant future, opening up even more possibilities.

A common misconception about OpenID is that it's only really useful if users stick to using one identity. I'd be happy to see every one of my online profiles acting as an OpenID, not for SSO authentication (I'll pick one "primary" OpenID to use for that) but so that I can selectively cross-pollinate some of my profiles to new services.

Back to Yahoo!, another interesting new URL is https://me.yahoo.com/. Again, there's not much to see at the moment but it looks to me like this will become an endpoint for OpenID 2 directed identity. James Henstridge provides a useful explanation here, but the short version is that you'll be able to enter "me.yahoo.com" in to an OpenID field on a site and have Yahoo! pick an obfuscated, unique OpenID for your interactions with that site. This protects your privacy by preventing anyone from outside of Yahoo! from correlating your behaviour across multiple OpenID-enabled services, similar to how Yahoo!'s current BBAuth API provides applications with an opaque hash rather than a user's Yahoo! screen name.

It looks like Yahoo! will only be supporting OpenID 2 and won't provide a fallback for OpenID 1.x consumers. This means you won't be able to use your Flickr OpenID on many existing consumer sites (including this blog), at least until they get around to updating their libraries. I expect Yahoo!'s implementation to be a major influence in encouraging OpenID 2 adoption.

It's three weeks short of a year since I launched idproxy.net, which provides Yahoo! account holders with a third-party OpenID via the BBAuth API. I couldn't be happier to see Yahoo! taking steps towards cutting out the middle man.

Tags: bbauth, flickr, identityprojection, oauth, openid, openid2, yahoo

Flickr to Authenticate OpenID

2008-01-07T22:48:47+00:00

Flickr to Authenticate OpenID

Flickr /photos/username/ pages are now (almost) OpenIDs—they point at a new Yahoo!-wide OpenID server, but it hasn’t been switched on yet. It’s OpenID 2 only, presumably so Yahoo! can protect their users’ privacy by using directed identity to hide individual screen names.

Tags: flickr, openid, openid2, yahoo

James Henstridge: OpenID 2.0

2007-12-07T11:53:25+00:00

James Henstridge: OpenID 2.0

Excellent description of the new features in OpenID 2.0, including a clear explanation of directed identity and attribute exchange.

Tags: attributeexchange, directedidentity, inames, james-henstridge, openid, openid2

OpenID 2.0 Final(ly)!

2007-12-05T21:01:22+00:00

OpenID 2.0 Final(ly)!

Launched at the Internet Identity Workshop. The most interesting feature is probably directed identity, which goes a long way to solving some of the usability issues involved in users having to enter their own URLs.

Tags: directedidentity, iiw, openid, openid2