2007: the year of OpenID?

Jan 04, 2007 15:01


Chris Messina has been making posts about OpenID, and I also read similar reports on O'Reilly Radar. Is 2007 going to be the year of OpenID?

I hope so. I've always found it funny how anyone can be impersonated so easily on the internet, be it email or blogs. Imagine when Bill Gates leaves a comment on a blog: who's going to believe it's him?


Comments 36

code_martial January 4 2007, 10:46:33 UTC
It's a funky tangle of cookies and round-trips between browser, the verification requester and the Open ID server :-)

It works where the site just requires identity verification, but there are also cases where application developers might need additional user data to play with. Flickr Auth and Yahoo! BBAuth are things that on the surface are excellent for developers of little applications and mashups that require access to user data. However, they also go a bit further and bring "trust" into the picture, which is something Open ID explicitly leaves out. Among other things, the trust factor comes in from having reputed authentication servers.

FWIW, using Open ID as the primary authentication mechanism for small application development is fraught with issues. I lost my zooomr.com account because of the change of identity from www.livejournal.com/~username to username.livejournal.com. It's cool for leaving comments on blogs anyway.


mannu January 4 2007, 11:55:36 UTC
>there are also cases where application developers might need additional user data to play with

I think that's covered under OpenID Attribute Exchange.


code_martial January 4 2007, 13:25:52 UTC
Is there a complete example that shows how OpenID Attribute Exchange works? I wonder if this means that the service provider would have to write wrapper interfaces on top of their existing APIs for OpenID Attribute Exchange. That's what it appears to be from the OpenID Attribute Types specification.

This bit makes me slightly uncomfortable. At most the specification should state how to add OpenID credentials to existing WS-API calls. BBAuth allows this without requiring you to change your APIs or return data format. The only extension required is to receive the extra BBAuth parameters and authenticate them before servicing the request. Much easier than writing OpenID Attribute wrappers and a request authorisation mechanism.


mannu January 4 2007, 14:20:12 UTC
I suppose what OpenID Attribute Exchange is adding is another layer of abstraction so that any identity consumer can access a user's profile information from any identity provider, as long as they both implement the same protocol(s).

Can BBAuth be used with any service provider (not just Yahoo)? If so, would the format for exchanging the profile information (first name, last name, etc.) also be the same across service providers? I guess the answer to the first question might be yes, while the second one is no.



jbritto January 4 2007, 12:56:31 UTC
The big push will come when Blogger starts supporting OpenID authentication for comments. I wonder what's holding them back...
