One of my favorite discussions of day 1 at the OpenIDDevCamp was around what you could do with an OpenID end-point. About 15 people showed up to whiteboard and talk first at high-level and then drilling down into the details.
Now, a bunch of folks have been talking about this idea of moving to URL’s as identifiers in recent weeks (even me). The idea is simple; your OpenID is an unique end-point that can act to describe for sites where you get specific services from. For example, if I prove that I’m scott.kveton.com then a website could feasibly query that URI and ask “hey scott.kveton.com, you just logged into my site, can I have your friends list?” or “where can I find your calendar?”
We did our best to try to keep the discussion simple first and then drive into the details of the existing technology. Some basic service types we might want to describe included personal contact information, address book (aka social network or friends list), bookmark service, calendar, photo service or instant messaging. Defining them opaquely we get “my photo service is provided by Flickr” or “I use Google for my calendar”. That’s the easy part.
We had two problems to contend with after we’ve described the types of services we want to expose: privacy and ability to query in or out-of-band. How much information do I want public? How can I share it if I want it to be private for only a few people? Since OpenID works within the browser (consider this “in-band”), what if I want a service (like my photo or calendar service) to update something of mine with my permission when I’m not in front of the computer?
When talking about privacy, it looks like we have the components we need already. In the case of the public data, we can accomplish this with microformats or XRDS right at the OpenID URL. My contact information in hCard, my friends in XFN, etc. Using XRDS you could share where you get specific service types. If you want to lock this up a bit, you can use Attribute Exchange. It allows you to share only what you want to who you want. Ideally you’d be using the same URI’s for both in this scenario.
To deal with the in/out-of-band data problem the idea was floated to leverage OpenID + AX for in-band and OAuth + AX for out-of-band. If I’m logging into a site via OpenID with my browser, I could use Attribute Exchange (AX) to move my private (and public if I want) data. If the web service wants to update something for me or my OpenID provider wants to update something on a service, it can use OAuth which ideally would be automatically setup when the user logs in for the first time to the service.
In the future, we could even consider having an XRDS entry to describe how to add or remove entries into my list of services I use. Now you could have a web service ask you if you’d like to use them as your default photo service or calendar. Very cool stuff.
Now, we have the pieces described for what we want to do. The best part is we’ve been able to turn our OpenID end-point into the choke point for our public and private data. I can see all kinds of applications for other types of information you might want to land there as well (can you say your lifestream?). Looks for some folks (maybe those attending OpenIDDevCamp?) will implement these features in the near future. Let’s get some code out there and start playin’ with it!! Yeah! :-)
6 comments
Comments feed for this article
Trackback link
http://kveton.com/blog/2008/01/13/what-canshould-you-do-with-an-openid-end-point/trackback/
January 14, 2008 at 3:33 pm
Pingback from OpenID » Blog Archive » The First OpenIDDevCamp was a Success
January 14, 2008 at 3:37 pm
Pingback from MyStrands Blog » OpenIDDevCamp a success
January 13, 2008 at 3:56 am
Gabe Wachob
Glad to see that “discovery” is getting folks excited. It’s what’s been motivating those of us in the XRI TC since day one (along with some other things, of course). I’ve always described XRI resolution (from which XRDS comes) as a discovery protocol. Discovery before transaction is not exactly a new concept, but to do it at the granularity of individuals (rather than pre-determined business partners or network endpoints, or trading partners, etc) is a new mindset…
BTW, this is the promise of “identifier-based identity” (as opposed to “card-based identity”) - not that one is inherently better than the other. Rather, the analogy to the real world for card-based systems is clearer, so there is more intuitive understanding of the benefits of card-based identity. Identifier-based identity has (probably to us) obvious advantages and its interesting and cool to see ya’ll talking about some of those at OpenIDDevCamp…
January 13, 2008 at 5:03 pm
Luigi Montanez
The default photo service/calendar idea is outstanding. The more we can make the Web act like an OS Desktop, the more users will start to clearly see the advantages of data portability.
I think the next logical step is coming up with some preliminary attribute definitions based on OpenID AX for the in-browser experience. Also, because OAuth is simply for auth, there may be a need for a common attribute exchange format for that as well. Looking forward to more updates from the Camp.
Also, for readers like me who had not heard of XRDS before now, this post is helpful.
January 14, 2008 at 4:25 pm
Michael Anckaert
The use of URL’s as identifiers is natural as more and more people associate them with URL’s.
For the idea about calendar service and such perhaps it would be suitable to make the SREG list expandable and create some sort of list of all possible attributes. Then it would be possible to add a ‘calendar’ attribute and set the value to the location of your calendar. This would make for a very flexible system.
March 29, 2008 at 7:14 am
faineant
Услуги ветеринара. Выезд.
Ветеринарная помощь