November 2006

I got a note from Myk Melez yesterday who had a great question about OpenID:

Hey Scott,

I went to open an account on a web site today, and it offered to let me log in via OpenID. It pointed me to openid.net to get more info about OpenID, which told me that I can run my own OpenID provider or “use a third-party identity provider”.

My (perhaps stupid, but I’m an OpenID newbie and very much an end user for this technology) question is: what third-party identity providers can I use, and how do I pick between them?

-myk

Doing OpenID stuff all-day, every-day I sometimes forget that the answers to obvious questions aren’t all that obvious. This is question falls into that category.

As some people may know, OpenID is a decentralized protocol for doing single sign-on on the web. An OpenID is a URL that you can use to sign into sites that support OpenID. These OpenID URL’s look something like user.foo.com (for example, mine is kveton.myopenid.com). OpenID’s are served up by OpenID identity providers (sometimes referred to as an IdP). In the first example, the identity provider would be ‘foo.com’, in my case, its MyOpenID (full disclosure: MyOpenID is developed by JanRain the company I run). Because of its decentralized nature, it means anybody can provide OpenID identity services and participate in the complete eco-system. There is no membership fee to join, committee to cajole or people to convince. If you bring up an an identity provider that conforms to the OpenID specification, you can deliver OpenID’s that can be used on any site that supports OpenID’s.

There is a growing number of these identity providers in the marketplace today. The complete list can be found here. We run MyOpenID.com which we strive to be completely up-to-date with the OpenID protocol as well as delivering new features to help users do more with their OpenID’s. Verisign and claimID are also great OpenID identity providers as well. The best thing here is that consumers have a choice in the marketplace. If you don’t like your OpenID identity provider you can switch to a different one.

So what do you need to think about when choosing an OpenID identity provider? Since your OpenID is a URL, you will want to make sure you pick one that you know will be around for awhile. As you go around the Internet using your OpenID you’ll be making contributions that are linked back to your OpenID (effectively your identity). If your provider should go out of business or not keep up with features and the protocol, you could lose access to that identity that you may have spent considerable time using. You also want to look at what kind of features the identity provider has. Do they let you customize it? Control your personal data to your liking?

For the vast majority of users going with a well-respected OpenID identity provider will meet their needs. However, some people might want to use their own domain because no matter how great the identity provider is, they may not want their identity associated with it. In that case, you’ll want to look at delegation. With just two lines of HTML and your own domain, you can delegate your OpenID to any provider you like. So instead of having to use user.foo.com you could delegate you.yourdomain.com to user.foo.com and use the you.yourdomain.com to sign in at all of the OpenID enabled sites. If the user.foo.com provider goes away or does bad things, you simply change the delegation to another provider that supports OpenID. You still have you.yourdomain.com so the contributions you’ve made across the Internet will still link to you. This is definitely a great feature for “early adopters”.

I got a note back from Myk earlier today:

Yes, thanks, it helps enormously! Before this info I had no idea how to get an openID. Now I’ve got one from myopenid.com (mykmelez.myopenid.com) and am using delegation so that my ID can be melez.com/myk.

With the following two lines of HTML he was able to accomplish this:

Its that easy. Thanks for the question Myk.

Update: I’ve tried to make the delegation information more clearer. Thanks for the heads-up Ian.

If you currently run a site with a large number of users and are looking at adopting OpenID you have a few things you need to consider. I’ve been talking with Larry Halff from the social bookmarking site Ma.gnolia (which kicks ass btw) and they are looking at adopting OpenID. Larry has quite a few users and so he had to take those folks into account before implementing OpenID.

What we have seen with the open source projects that are adopting OpenID is to simply tie it to an actual account within the system. For example, the Drupal plugin does this. This is the easiest mechanism since you can then tie the OpenID to attributes that you need specifically for your application. In the case of Drupal, they have the concept of an avatar. OpenID’s simple registration does not have this attribute so you can’t get it from the identity provider (yet - more on that later). So when a user logs in with an OpenID, their OpenID is tied to a new account within that Drupal installation. Then you get the benefit of all of the “extra” attributes that you might want to have for that account.

In Larry’s case at Ma.gnolia, when the user logs in for the first time, they ask for the ‘nickname’ of the user via the simple registration mechanism. When they get that back from the users’ identity provider, they check to see if it matches an existing Ma.gnolia account. If it does, the user is presented with a dialog to enter that Ma.gnolia user’s password. This allows the user to link an existing Ma.gnolia account to an OpenID (so they don’t have to re-enter all of their bookmark information again). If it doesn’t match, they create a new Ma.gnolia account and tie it to the OpenID via a seperate OpenID associations table.

Now, as I mentioned before, simple registration is pretty limited in its abilities at this time. However, there is a mechanism for arbitrary attribute exchange that has been proposed. In the case of Drupal, a site running Drupal could upload attributes that would be tied to the user at their identity provider (with the users’ permission of course) and these attributes could be used for any Drupal site. The ability to have rich profile information via attribute exchange is something that is going to make OpenID a really powerful platform for delivering digital identities.

We here at JanRain pride ourselves on our responsiveness to the community and our customers. We strongly believe in OpenID as a platform and put our money where our mouth is by having a highly robust and secure identity provider. From time to time we get messages from users who believe they have found a security vulnerability in our libraries or MyOpenID server. We take these reports serviously and when there is a problem we patch things very quickly and release an update. We’ve done this with our libraries as well as MyOpenID. We have had people make claims about our security before and we have had to refute them. This is just part of participating in an open community.

On Friday 11/24/2006 at 11:28 AM PST we received an email from Dmitry Shechtman that stated the following:

Hello,

I think I just found a big hole in your site’s security.

I successfully signed up for an existing account with a different email address.

Regards,

Dmitry

Dmitry is the author of the phpBB OpenID plugin that we’ve all been looking forward to seeing. I’m really excited about this plugin as I believe forum adoption will be critical to the success of OpenID. Dmitry has been using MyOpenID.com as a test server while he works on implementing the plugin. The message was received and was immediately put in our support queue. By 3pm I got a note from one of my engineers who had looked at the problem saying:

If you signup for an account and you use the same password as an account
that already exists, it effectively works like confirming a change of email
address. I’m guessing this is what happened with this guy. I tried signing up
for an account I already have, and it only works if I enter the same password
that is already set for the account.

You can actually still see this behavior on the MyOpenID.com site right now. If you go to the new account registration screen and enter in the username and password of an existing account (you have to know both of them) and then enter an email address in, a mail will go out for that MyOpenID account even if the email is different from the original email used to create the account. This is effectively like changing your email address. The functionality is flawed in that its confusing. We’ll be fixing this in the next couple of days. However, you still have to know the username and password of the account to make it work. If someone has that, the account is already compromised.

Since we determined that is was not a security vulnerability but really a usability problem, we waited until Saturday to reply to Dmitry. I did my best to respond to the public claims made by Dmitry on Saturday but he was not convinced. He disabled access to the test.phpbb.cc site for any MyOpenID accounts and continued to state that there was a security vulnerability.

I chatted with him via IM today and tried to talk through the issues that he saw and hopefully have him post a retraction about the MyOpenID service. His concern was that we could have easily changed the behavior of the site to solve this problem over the weekend and he would never know. Drilling down further, he actually said that he hadn’t looked all that hard at the problem on Friday. This puts the burden of proof on us to show that we haven’t “secretly” changed the sites behavior over the weekend to avoid an embarrassing announcement. If we screw up, we’re at fault and we’ll take any and all actions necessary to fix the problem as well as admit to the mistakes we might have made. That’s our duty in providing identities for end-users and something we believe very strongly in.

Just for the record; we have not made any changes to the MyOpenID service since Thursday afternoon and we have done nothing to try to cover up this claimed security vulnerability. Go try it out for yourself; the behavior is still there today.

Update: I fixed the link to the phpBB OpenID plugin site.

Update v2.0: Fixed some links that broke when Dmitry moved some things around on the forum links above.

I’ve probably just drank too much of the Koolaid and always have OpenID on the brain … but I’m really excited by a few articles/notes that I found this weekend.

Evan Prodromou had a great round-up on Web 2.0 over at LinuxWorld. One of the first things he mentioned was OpenID which is starting to gain some momentum. Evan introduced OpenID to his site (WikiTravel.org) and even gave us some props for our libraries. OpenID is “dead simple” which is the key to its uptake and the reason its gaining momentum so quickly.

The Fedora Project recently had their Fedora Summit where they discussed using OpenID as well. They are even kicking around making it so when a user boots up Fedora for the first time, they could get an OpenID account … hopefully for use on all of the OpenID enabled Fedora tools like bug tracking, forums, wiki’s and others.

The same themes keep driving home; simple, easy and decentralized. Yes, there are a lot of possibilities for what OpenID could be doing but today its about doing one thing and doing it well; authentication. The rest of it will come with time.

Update: Fixed the Fedora OpenID link … thanks Evan!

I’ve had a lot of different projects, communities and people come to me and say “Hey, I want to learn more about OpenID and I’d really like some help on implementing it for my site.” Ask for and ye shall receive.

I’m excited to announce what I hope is the first of many Mash Pit: OpenID events. We really wanted to do an event that was more hacking than talks. We figured doing something like a MashPit was the best way to do that. We’ll have a good group of OpenID-savvy people here that day covering languages like PHP, Ruby, Python, Perl and others. Bring your laptop and yourself and we’ll help you OpenID enable your application, site or kitchen sink.

The first event will be 1/17/2006 at 4pm here in beautiful Portland, OR and hosted by JanRain (full-disclosure: these guys are awesome)*. More information can be found at the wiki or the Upcoming.org listing.

* - Super full-disclosure: I work at JanRain … :-)

Update: Tweaked links to move over to mashpit.pbwiki.com.

So it wasn’t created to be an OpenID tutorial but Rauol from over at Zooomr has created a great video to explain the OpenID login process, why its a URL as well as how it works with Zooomr. Very cool stuff.

Thanks for doing that Rauol!!

Congrats go to Corey and the rest of the OSL crew for winning the InfoWorld 100 Award for Education.

With the rackathon humming along, the new data center on-line and lots of hosted projects, the OSL continues to do amazingly awesome things. I’m really glad to see them continuing to thrive and I’m sure they are happy I’m not in there mucking with people’s systems anymore * … hahaha … :-)

Way to go OSL! Keep up the great work!

* - I never actually “mucked” with anyone’s systems … more like fiddled. And I’m an excellent “mucker” BTW.

Dave McClure was kind enough to share “Half-baked” with us at Citizen Summit. This was one of the most fun exercises I’ve done in a long time.

The rules are as follows:

• Introductions
• Group chooses 50 words that are written on a whiteboard
• Everyone counts off in 5’s and then groups up
• Groups get together and pick 2 of the words from the 50. First to pick is last to pitch. The words become the name of the company so word1word2.com is the website.
• Now, the teams have 5 minutes to do the following:
  1. Name
  2. Product/concept
  3. Revenue model
  4. Marketing plan
  5. Logo
  6. Tagline
• Present in 5 minute pitches on what you came up with.

Now this is pretty hard. Not impossible mind you but pretty hard. The key is to just go. Go. Talk it out. Be crazy. Just run with it. This is supposed to be fun people … :-)

Just a few of the words that we came up with: rumsfeld, fee, bacon, donuts, fish, citizen, terrorist, bingo, socket, toast, purple, grass, canadian, fuck, sex, suck, thong, vaporize, glue, drunk, pulley, emo, papa smurf, platypus, canter, vegan, create, borscht, snort, tara hunt.

What did this motley crue (yes, as in Tommy Lee) come up with those words? Check it out:

• SexBingo: You guessed it, SexBingo in such a way that helps Michael Arrington get laid. The more he gets laid, the more posts on TechCrunch you get, the more visitors you get, profit. Easy enough.
• PovertyMachine: This was actually a good one. Tools for people to be able to manage their non-profits. Hmmmm … seems like somebody always does one of these … :-)
• MidgetWidget: I know what you’re thinking; another widget play. But you’re wrong sucker! Its widgets for use in the real world! That’s right, little toys that kids can use and engage with just like widgets on your computer! Its pure (evil) genius!
• VaporizeGrass: This was what I conned my team into choosing and to their credit, they actually put a pretty good idea together. Flash mobs that bid on the ability to get paid for “mowing” your lawn. The difference is that the people that show up pick just one blade of grass each. Voila. Vaporized. How do we market? Plain and simple; spam baby.
• DonutDivorce: Why should getting divorced take longer than it takes to eat a donut? It shouldn’t. A Web 2.0 play, Donut Divorce is all about bringing together your social network to help you battle your estranged spouse on-line. That’s right, duke it out on-line pitting your social networks against that of your soon to be divorced spouse. How do they make money? Easy; they get 10% of the settlement. And, part of that settlement goes to the people that participate in the social discussion about the divorce. Now that’s gold!!

So a totally fun exercise and something that would be a great “ice breaker” for a conference to get folks thinking and blood pumping. Totally fun. Thanks Dave.

Thanks to Chris, Tara and Ben for putting on Citizen Summit today. About 20 people gathered at Citizen Space and listen to a few folks talk about what they are up to and what’s happening next. I really love the space you have put together there … co-working here we come! :-)

Great talks from Pandora, Tantek from Technorati, Dave did the Half-baked exercise (which was a hoot) and just a really engaging time was had by all. I also finally got to put a face with a few names I’ve been hearing for so long and that was great as well.

Huge props go out to the Citizen Agency crew … the best is yet to come!

We have had quite a few people approach us and ask about doing a Zooomr deal. For months now, new accounts on Zooomr have been created over on our OpenID server. Other sites have come to us wanting a way to support OpenID’s but they don’t want to host an OpenID server. When we originally worked with Zooomr to host their OpenID’s it was a one-off thing. Well, no longer.

I am excited to announce the launch of our Affliate Program aimed at sites that want to use OpenID but don’t want to have to manage an OpenID server or their users’ identities. Now with just a few clicks of your mouse you can have a place for your users to get OpenID’s. In addition, sites will get added to our ever-growing directory of sites that support OpenID. There are hundreds of sites that support OpenID today and that number is growing everyday.

By hosting identities for end-users we’re hoping that sites that support OpenID can focus on their “main thing”; blogging, photo sharing, wiki’s, etc. OpenID lowers the barrier to engagement for users and increases stickiness on sites; no more forgotten usernames or passwords. If you’re a developer and interested in OpenID enabling your site, head over to our sister site www.openidenabled.com and learn more about the open source libraries, patches and tools available for making that happen.

If you’re interested, by all means head over to the Affiliate Program Signup and get started today! If you have questions/comments/ideas, feel free to let us know.