Implementing The Social Web - Fowa Miami 2009

Implementing the Social Web with OpenID, OAuth, and All That Jazz! David Recordon & Chris Messina February 22, 2009 Future of Web Apps Miami, USA

About Us chrismessina daveman692

All of you?

What’s going on?

Repetition.

http://dataportability.org/

http://www.ﬂickr.com/photos/jagelado/16631508/

http://www.illustratorworld.com/artwork/2238/

“Open Data is increasingly important as services move online.” —Tim O'Reilly (OSCON '07)

data inside! \"It's like ﬂying on an iPhone!\" http://flickr.com/photos/sathishcj/1868113345/

My 20+ Social Networks

http://xkcd.com/256/

Social Applications • Each with a few great features (UNIX philosophy) • Creating combined value • Building blocks for new value • No social graph of their own! http://www.slideshare.net/stoweboyd/building-social-applications

Portable Contacts About The vision for Portable Contacts has been around for a long time. Sites large and small share the goal of providing users a secure way to access their address books and friends lists without having to take their credentials or scrape their data. But only in recent weeks has it begun to feel that now is the right time to rally the community and the industry to work together to make this vision real by developing an open spec for exchange of contact info that everyone can embrace. Why now? The momentum began building for 'data portability' last year, and we are now at a point where there is strong support for the principle that users should be in control of their data and have the freedom to access it from across the web. And the major players have all recognized that they and their users are better off with secure contacts APIs (rather than having third-party services ask for users' credentials in order to scrape their data). As a result, we're seeing major Internet companies making contacts APIs available, such as Google's GData Contacts API, Yahoo's Address Book API, and Microsoft's Live Contacts API (with more to come). Not surprisingly though, each of these APIs is unique and proprietary. We believe this creates the ideal conditions for developing a common, open spec that everyone can benefit from. Just as OAuth has provided a standard to unify the various proprietary schemes for delegated authorization, we believe we can do the same thing for securely sharing address book and friends list data. Goals The goal of Portable Contacts is to make it easier for developers to give their users a secure way to access the address books and friends lists they have built up all activity strea.ms over the web. Specifically, we seek to create: A common access pattern and contact schema that any site can provide Well-specified authentication and access rules Discuss. Standard libraries that can work with any site and absolutely minimal complexity, with the lightest possible toolchain An initiative from the DiSo Project. requirements for developers. First draft specs: Activities in Atom; Activity Schema. A measure of our success will be the elimination of the \"password anti-pattern,\" by making it far easier to implement Portable Contacts than to engage in scraping, as well as a dramatic increase in the number of sites that both provide and consume who-you-know data. Our Approach Our design is focused around ease of adoption, which means a few things. First, our emphasis is on simplicity of design and targeted use cases. For example, version 1 is simply about access, and defers for now on the more complex issues around update and sync. Second, we're taking a modern approach to who-you- know data by unifying traditional contact info and social network data, in order to properly represent the current diversity of the social web ecosystem. Third, we're using existing standards wherever possible, including vCard, OpenSocial, XRDS- Simple, OAuth, etc. And lastly, we're designing something that should be easy for current service providers to adopt. We started by reviewing all the major existing contacts APIs and targeting the capabilities that they all share and provide. We believe this pragmatic balance is the best and quickest way to achieve our shared goal of widespread adoption. Here is the current draft spec, the wiki, and the mailing list. This project is being undertaken by Joseph Smarr, Chris Messina, and others.

Products Services Advertising Blog About Home > Blog > Time for Action: What We’re Opening Next Six Apart News & Events Six Apart Blog About the News Blog Mena's Corner January 30, 2008 Time for Action: What We’re Opening Next Welcome to the official Six News & Events Apart blog. Anything that by David Recordon - Comments (7) ProNet affects our company or the A few months ago, we announced that we were opening the social graph and entire blogging industry is up invited others to join us. An effort like that encompasses many different for discussion, since 2002. Dollarshort technology projects and all kinds of different companies; in just a few months the You'll find out about public idea of opening up social networks has received a lot of attention. Today we're appearances that we make, Our co-founder and excited to share an amazing new plugin for Movable Type that allows you to President Mena Trott new product announcements, aggregate, control, and share your actions around the web and we're the first to has been sharing her major company news and stories on her personal bring this sort of functionality to free and open source blogging tools...but I'm blog Dollarshort since even some peeks behind the getting ahead of myself. It's worth revisiting some of the successes the openness 2001. scenes. movement has accomplished in just the past few months: Subscribe Google's OpenSocial released new versions of its APIs and we hosted a wildly Featured successful hackathon to help support the creation of new widgets for the standard. At Your Service: The Next OpenID 2.0 shipped and both Google and Yahoo! are now supporting OpenID, Evolution of Six Apart bringing hundreds of millions of new IDs to the community. Bringing Blogging To Your The group DataPortability.org was formed and released a video reinforcing these Social Networks themes around openness. And finally, we've made good on our promise to let you show off all the services Recent Comments David Recordon said: We obviously you belong to, with TypePad and Vox automatically letting you list your accounts want to ship Action Streams in around the web on your blogs using Microformats to link to your profiles. And as both TypePad and Vox, since we of today, the same ability is available for Movable Type. see them as such an incre... Jo Carter said: When is Vox getting action streams? :)... aubs said: This is fantastic and exactly what I've been looking for on my site. Will this feature be added to T... David Recordon said: In Vox, when you're editing your Account you'll see the Contact Information page

control over showing and hiding each of your actions, which is the kind of privacy Delicious! Gourmet Visits the control that we demonstrated when we were the only partners to launch a strictly Food Blogosphere opt-in version of Facebook Beacon. Right now, no one has shipped a robust and Teaching Bloggers To Fish decentralized complement to services like Facebook's News Feed, FriendFeed, or Plaxo Pulse. The Action Streams plugin, by default, also publishes your stream MT in 2008: Open, Powerful and Easy using Atom and the Microformat hAtom so that your actions aren't trapped in any one service. Open and decentralized implementations of these technologies are important to their evolution and adoption, based on our experiences being Post Archive involved in creating TrackBack, Atom, OpenID, and OAuth. And we hope others April 2008 join us as partners in making this a reality. March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 This is also a story of an individual's actions having an amazing impact. The initial November 2006 development of these new features was started by Mark Paschal, a Movable Type engineer and long-time member of the MT community, during one of our weekly October 2006 hackathons. It's a really satisfying example of how a good idea can go from a September 2006 brainstorm to a real shipping product extremely quickly. (And is even cooler if you August 2006 remember that we're hiring.) Because Activity Streams is a completely free and open source framework that is extensible, it's easy for any coder to contribute to July 2006 the project with your own improvements. Just join the MTOS mailing list to June 2006 become part of the Movable Type Open Source community and start hacking with May 2006 the team that's created the platform. Mark writes more about building the Action Streams plugin on MovableType.org, the open technologies it uses, and how April 2006 third-party developers can further extend it. March 2006

About DiSo Project Blog Links Chat Open, distributed, social. Find Blogroll Silo free living. Chris Messina Stephen Paul Weber Social networks are becoming more open, more interconnected, and more distributed. Many of us Steve Ivy in the web creation world are embracing and promoting web standards - both client-side and Will Norris server-side. Microformats, standard APIs, and open-source software are key building blocks of these technologies. This model can be described as having three sides: Information, Identity, and DiSo - Distributed Interaction. Diso Code DiSo on Flickr DiSo (dee • soh) is an initiative to facilitate the creation of open, non-proprietary and DiSo on Ma.gnolia interoperable building blocks for the decentralized social web. DiSo on Twitter DiSo Wiki Our first target is WordPress, bootstrapping on existing work and building out from there. So what does that mean? DiSo Project We’re building Wordpress plugins that implement or build on: Visit this group microformats like XFN, hCard, XOXO — wp-contactlist, wp-profiles Archives OpenID — wp-contactlist, wp-openid-server June 2008 OAuth May 2008 …and others December 2007 Meta Register Log in WordPress | Sandbox

“Connect”

Viewing Virtuous Cycle of Sharing Sharing

Anatomy of “Connect” • Profile (identity, accounts, profiles) • Relationships (followers, friends, contacts) • Content (posts, photos, videos, links) • Activity (poked, bought, shared, blogged) • Goal: Discovery of people and content

Joseph Smarr (Plaxo)

Portable Contacts About The vision for Portable Contacts has been around for a long time. Sites large and small share the goal of providing users a secure way to access their address books and friends lists without having to take their credentials or scrape their data. But only in recent weeks has it begun to feel that now is the right time to rally the community and the industry to work together to make this vision real by developing an open spec for exchange of contact info that everyone can embrace. Why now? The momentum began building for 'data portability' last year, and we are now at a point where there is strong support for the principle that users should be in control of their data and have the freedom to access it from across the web. And the major players have all recognized that they and their users are better off with secure contacts APIs (rather than having third-party services ask for users' credentials in order to scrape their data). As a result, we're seeing major Internet companies making contacts APIs available, such as Google's GData Contacts API, Yahoo's Address Book API, and Microsoft's Live Contacts API (with more to come). Not surprisingly though, each of these APIs is unique and proprietary. We believe this creates the ideal conditions for developing a common, open spec that everyone can benefit from. Just as OAuth has provided a standard to unify the various proprietary schemes for delegated authorization, we believe we can do the same thing for securely sharing address book and friends list data. Goals The goal of Portable Contacts is to make it easier for developers to give their users a secure way to access the address books and friends lists they have built up all activity strea.ms over the web. Specifically, we seek to create: A common access pattern and contact schema that any site can provide Well-specified authentication and access rules Discuss. Standard libraries that can work with any site and absolutely minimal complexity, with the lightest possible toolchain An initiative from the DiSo Project. requirements for developers. First draft specs: Activities in Atom; Activity Schema. A measure of our success will be the elimination of the \"password anti-pattern,\" by making it far easier to implement Portable Contacts than to engage in scraping, as well as a dramatic increase in the number of sites that both provide and consume who-you-know data. Our Approach Our design is focused around ease of adoption, which means a few things. First, our emphasis is on simplicity of design and targeted use cases. For example, version 1 is simply about access, and defers for now on the more complex issues around update and sync. Second, we're taking a modern approach to who-you- know data by unifying traditional contact info and social network data, in order to properly represent the current diversity of the social web ecosystem. Third, we're using existing standards wherever possible, including vCard, OpenSocial, XRDS- Simple, OAuth, etc. And lastly, we're designing something that should be easy for current service providers to adopt. We started by reviewing all the major existing contacts APIs and targeting the capabilities that they all share and provide. We believe this pragmatic balance is the best and quickest way to achieve our shared goal of widespread adoption. Here is the current draft spec, the wiki, and the mailing list. This project is being undertaken by Joseph Smarr, Chris Messina, and others.

Why do people have to... • create a new account on every service? • re-enter their profile? • give away their passwords to every site that asks? • re-discover their friends? • re-friend their friends! • learn new ways to share and communicate?

Why do developers have to... • deal with [forgotten!] passwords? • create yet another profile form? • support every new service API that comes out? • force members to invite everyone they know? • implement an unsafe method for importing contacts? • create widgets for incompatible social networks? • manually interpret feeds for activity streams?

So... How will our customers benefit? How will developers?

The Open Stack

The Open Stack (so far)

The Open Stack (so far) ! Identity & Profile OpenID + AX ! Discovery XRDS-Simple ! Authorization OAuth ! Relationships & Contacts Portable Contacts ! Activities Atom Activity ! Gadgets OpenSocial

Industry Trends User control of data User-centric web services Location-aware services Real-time content delivery Interoperable application platforms Content aggregation and syndication Increasing quantities of data to work with Democratization of digital media creation tools

Sign in to see and export additional Trends data. openid, oauth Search Trends Tip: Use commas to compare multiple search terms. Searches Websites All regions All years openid oauth OpenID Development Moves Along; Fear Of Universal Access Still Palpable Profy - Dec 7 2007 Yahoo! to support OpenID Bigmouthmedia News - Jan 18 2008 Google, IBM, Microsoft, Yahoo! join OpenID Foundation Telecom Paper (subscription) - Feb 8 2008 MySpace joins OpenID ITWeb - Jul 23 2008 Google supports OpenID with Google Accounts TechWhack (press release) - Oct 30 2008 MySpace, Flock and Vidoop Collaborate to Develop OpenID Identity in the Browser Rank by openid Centre Daily Times - Dec 2 2008 More news results » Regions Cities Languages 1. South Korea 1. Seoul, South Korea 1. Korean 2. Russian Federation 2. Meguro, Japan 2. Russian 3. Czech Republic 3. Moscow, Russian Federation 3. Czech 4. Japan 4. San Francisco, CA, USA 4. Japanese 5. Ukraine 5. Chiyoda, Japan 5. English 6. Taiwan 6. Tokyo, Japan 6. Swedish 7. Norway 7. Prague, Czech Republic 7. Danish 8. Sweden 8. Portland, OR, USA 8. Dutch 9. New Zealand 9. Austin, TX, USA 9. Finnish 10. India 10. Taipei, Taiwan 10. Chinese

ReadWriteWeb ReadWriteTalk Enterprise Jobwire About Subscribe Contact Advertise RSS RWW Daily by Email Your email address RSS RWW Weekly Wrap-up Your email address Search ReadWriteWeb Home Products Trends Best of RWW Archives MySpaceID: MySpace Sides with the Open Stack Written by Rick Turoczy / December 8, 2008 10:50 PM / 1 Comments « Prior Post Next Post » A few months ago, MySpace began to reveal details about its answer to Facebook Connect - MySpace Data Availability. At the time, we were left to guess what the offering would contain. What we did know was that - in stark contrast to the proprietary nature of Facebook Connect - MySpace had chosen to rely on the Open Stack, using OpenSocial, OAuth, and OpenID to build its service. Now, MySpace has released that functionality - renamed MySpaceID - and, in so doing, it has helped Open Standards take another step forward, as well. For added effect, MySpace has chosen to include Google Friend Connect, a service that Facebook has yet to use. The mix of MySpaceID and Google Friend Connect enables MySpaceID partners to deliver even more social functionality, without a great deal of development time. RWW SPONSORS What's more, it fires a very real shot across Facebook's bow. And continues to set the stage for the tag-team match between the more proprietary Facebook-Microsoft and the more open MySpace-Google. The initial release is both limited in scope - it allows MySpace users to connect their profile information to third party sites and find MySpace friends who use those sites - and limited in sites that support it - the launch partners are Netvibes and Vodafone. That said, MySpaceID is still a decided step forward for the open Web and data portability. Everything Old Is New Again For those of you who were around for Web 1.0, this is all probably starting to seem incredibly familiar. At that time, everyday users began exploring \"the Internet\" within constrained proprietary

For Developers | Discuss | Demand | OpenID Foundation | Worldwide What Where How is OpenID? can I use it? do I get one? « PayPal joins OpenID Foundation Board as we enter 2009 Facebook joins OpenID Foundation Board with a commitment to better user experience Posted February 5th, 2009 at 11:30 pm GMT by David Recordon and Chris Messina Today we’re excited to join Facebook’s Mike Schroepfer in announcing that they have joined the OpenID Foundation’s board as a sustaining corporate member. Luke Shepard, a key member of Facebook’s Platform and Connect teams and a huge internal advocate for OpenID, has been selected as their representative and joins the current board of seven community elected board members and six sustaining corporate members: Google, IBM, Microsoft, PayPal (joined last week), VeriSign and Yahoo!. Additionally, to maintain the ratio of community and corporate board members, Joseph Smarr will be joining the board as our eighth community member. As the OpenID community entered 2009 two key topics have become the focal points on the road to mainstream adoption: user experience and security. Given the popularity and positive user experience of Facebook Connect, we look forward to Facebook working within the community to improve OpenID’s usability and reach. As a first step, Facebook will be hosting a design summit next week at their campus in Palo Alto which follows a similar summit on user experience hosted at Yahoo! last year. The summit will convene some of the top designers from Facebook, the DiSo Project, Google, JanRain, MySpace, Six Apart and Yahoo!, focusing on how existing OpenID implementations could support an experience similar to Facebook Connect. Facebook’s financial contribution along with its membership on the board signals the company’s enthusiasm to work more closely with the OpenID community, building up momentum towards their adoption of OpenID as a standard. Facebook furthering its commitment to openness couldn’t have come at a better time to make 2009 an amazing year for OpenID and the wider social web. For press contacts, please call OpenID Foundation board members David Recordon at 503.341.3009 or Chris Messina at 412.225.1051.

Documentation Community Resources Tools News News Developer Blog Press Platform Updates Opening Up Facebook Status, Notes, Links, Recent News Share Archived Posts and Video to Facebook Platform Opening Up Facebook Status, Notes, 2009 4:54PM, Friday Feb 6th Links, and Video to Facebook Platform February (3) Published by Chris Putnam February 6, 2009 January (8) We're launching several new APIs for Facebook Platform today. These new 2008 Next Steps in Openness interfaces open up access to the content and methods for sharing through December (12) February 5, 2009 several Facebook Applications -- including Facebook Status, Notes, Links (what November (8) we used to call Posted Items), and Video -- to go along with the APIs already Postcards from January Garages October (3) available for uploading and viewing through Facebook Photos. We've seen February 2, 2009 September (6) increasing engagement with over 15 million users updating their status each August (7) day and sharing over 24 million links per month. We wanted to make sure this January Platform News July (15) January 31, 2009 content and the ability to share this content was available through our June (8) standard APIs. May (11) Try Out the New FBJS April (7) January 30, 2009 Specifically, your applications can now directly access all of a user's status, March (7) links, and notes via new methods and FQL calls. Your application will have February (9) Facebook Connect and Apple’s iPhoto access to any status, notes, or links from the active user or their friends that January (11) ’09 are currently visible to the active user. In addition, we're opening new APIs for 2007 January 29, 2009 you to post links, create notes, or upload videos for the current user, and December (5) we've made setting a user's status easier. Shalom from Facebook Developer November (5) Garage Israel! October (10) We're pretty excited to see what kinds of ideas you can come up with to help January 16, 2009 September (4) users create and share more content. For example, a travel application could August (5) make it really easy for users to create and share notes and upload photos and Changes in Facebook Platform July (2) videos from a recent trip. Users could then display that content within a Leadership June (1) profile tab for that app. Or a news website could use Facebook Connect to January 16, 2009 May (2) allow users to easily post links from the site and feature all of the most recent April (1) Extending FBML with Custom Tags links that a user's friends have shared from that website. March (3) January 13, 2009 February (3) Every user is subject to limits on the length and size of the video files they Subscribe January (3) can upload, just like they are when uploading through Facebook. Use 2006 video.getUploadLimits to determine a specific user's limits. To increase video

Break

Through the Tech

Identity & Profiles

Relying Parties (aka places you can login with OpenID) OpenID - As viewed by JanRain’s MyOpenID.com

OpenID-enabling Your Own URL...

OpenID Enabling ExpoCal http://cal.web2expo.com/ Existing users: Sign in and click the the \"add OpenID\" link at the top right New users: Click \"login\" and sign in with your OpenID, skipping the signup process :)

Tools Used • iCalicio by Kellan Elliot-McCrea and Evan Henshaw-Plath • Ruby and Rails • gem install ruby-openid

ExpoCal User Model • Stores login name and hashed password • We need to add an optional OpenID column class AddOpenId < ActiveRecord::Migration def self.up add_column :users, :openid, :string add_index :users, [:openid], :name => :users_openid_index end def self.down remove_column :users, :openid end end

Using the OpenID Library • FilesystemStore saved OpenID transaction state • OpenID::Consumer handles the protocol details def consumer store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store') store = OpenID::FilesystemStore.new(store_dir) return OpenID::Consumer.new(session, store) end

Add OpenID to UI • <input name=\"openid_identifer\" /> <h2>Or, login with OpenID</h2> <%= start_form_tag(:controller=>'account', :action => 'openid_start') %> <p><label for=\"openid_identifier\">OpenID</label><br/> <%= text_field_tag 'openid_identifier' %></p> <%= submit_tag 'OpenID Login' %> <%= end_form_tag %>

Handle login form submit def openid_start openid_request = consumer.begin(params[:openid_identifier]) case openid_request.status when OpenID::SUCCESS return_to = url_for(:action => 'openid_finish') trust_root = url_for(:controller => '') server_redirect_url = openid_request.redirect_url(trust_root, return_to) redirect_to(server_redirect_url) when OpenID::FAILURE flash[:notice] = \"Could not find your OpenID server.\" redirect_back_or_default(:controller => '/account', :action => 'index') end end

Redirect to OpenID Provider

Handle Server Response def openid_finish openid_response = consumer.complete(params) case openid_response.status when OpenID::SUCCESS openid = openid_response.identity_url @user = User.find_by_openid(openid) unless @user @user = User.create(:openid => openid, :login => openid) end self.current_user = @user flash[:notice] = \"Welcome #{@user.openid}\" when OpenID::FAILURE flash[:notice] = 'Verification failed.' end redirect_back_or_default(:controller => 'talk', :action => 'list') end

Done! Time to implement OpenID in iCalico: 45 minutes For a restful plugin: http://agilewebdevelopment.com/plugins/openidauthentication

OpenID User Interface

After Brian Ellin

factoryjoe

user@email.com

friendster

Hotmail

elderly

I HATE YOU!!!!!!!!!!!!!!!!!!!!!!!!LADY GAAAGGG

Previous attempts

Pop-up flow

http://boogle.com Courtesy Balsamiq

http://boogle.com

http://boogle.com http://boogle.com/signin

http://boogle.com

http://boogle.com/#ﬁnish Welcome back, Chris Sign out

hCard

vCard for HTML

BEGIN:VCARD SOURCE:http://factoryjoe.com NAME:FactoryCity (Chris Messina) VERSION:3.0 N;LANGUAGE=en;CHARSET=UTF-8:Messina;Chris;;; ORG;CHARSET=UTF-8:Vidoop FN;LANGUAGE=en;CHARSET=UTF-8:Chris Messina ADR;LANGUAGE=en;CHARSET=UTF-8:;;;San Francisco;;; PHOTO;VALUE=uri:http://factorycity.net/images/avatar.jpg URL:http://factoryjoe.com URL:http://factoryjoe.com/blog URL:http://twitter.com/factoryjoe URL:http://ﬂickr.com/photos/factoryjoe URL:http://friendfeed.com/factoryjoe URL:http://brightkite.com/people/factoryjoe/ URL:http://mento.info/factoryjoe URL:http://ma.gnolia.com/people/factoryjoe URL:http://factoryjoe.tumblr.com URL:http://www.new.facebook.com/proﬁle.php?id=502411873 END:VCARD

Discovery

XRDS-Simple (light weight service discovery for the web)

OpenID <?xml version=\"1.0\" encoding=\"UTF-8\"?> <xrds:XRDS xmlns:xrds=\"xri://$xrds\" xmlns:openid=\"http://openid.net/xmlns/1.0\" xmlns=\"xri://$xrd*($v*2.0)\"> <XRD> <Service priority=\"0\"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>

Portable Contacts <?xml version=\"1.0\" encoding=\"UTF-8\"?> <xrds:XRDS xmlns:xrds=\"xri://$xrds\" xmlns:openid=\"http://openid.net/xmlns/1.0\" xmlns=\"xri://$xrd*($v*2.0)\"> <XRD version=\"2.0\"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=\"0\"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>

How it works...

<XRDS xmlns=\"xri://$xrds\"> <XRD xml:id=\"oauth\" xmlns:simple=\"http://xrds-simple.net/core/1.0\" xmlns=\"xri://$XRD*($v*2.0)\" version=\"2.0\"> <Type>xri://$xrds*simple</Type> <Expires>2009-03-25T05:38:13Z</Expires> <Service priority=\"10\"> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>http://www.partuza.nl/oauth/request_token</URI> </Service> <Service priority=\"10\"> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>http://www.partuza.nl/oauth/authorize</URI> </Service> <Service priority=\"10\"> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>http://www.partuza.nl/oauth/access_token</URI> </Service> <Service priority=\"10\">

Authorization

\"your valet key for the web\"

http://adactio.com/journal/1357

Miami, Florida

A protocol for developing password-less APIs.

Advanced OAuth Wrangling Kellan Elliott-McCrea XTech 2008: The Web on the Move http://www.slideshare.net/kellan/advanced-oauth-wrangling

About Documentation Code Blog Community Extensions CODE We have setup a code repository on Google Code for gathering libraries and other supporting examples. These libraries are contributed by members of the community and have not been tested or are necessarily known to work. If you would like to test them and report issues, please visit our Issue Tracker. C# Eran Sandler has contributed a basic C# class that performs signing. ColdFusion Harry Klein has contributed a ColdFusion library which is also listed at R I A Forge. Java A Java library and examples were contributed by John Kristian, Praveen Alavilli and Dirk Balfanz. OAuth for Spring Security is also available, contributed by Ryan Heaton. This project is not hosted in the OAuth repository. Javascript John Kristian has contributed a Javascript Library. Jifty

OpenID & OAuth Hybrid

+

Hybrid (Draft) • Designed for when the OpenID Provider and OAuth Service Provider are the same entity • Puts the OAuth parameters into the OpenID request and response flow • Provides one user authorization page for identity plus API access

TOC TOC 8. Requesting Authentication When requesting OpenID Authentication via the protocol mode \"checkid_setup\" or \"checkid_immediate\", this extension can be used to request that the end user authorize an OAuth access token at the same time as an OpenID authentication. This is done by sending the following parameters as part of the OpenID request. (Note that the use of \"oauth\" as part of the parameter names here and in subsequent sections is just an example. See Section 5 for details.) openid.ns.oauth REQUIRED. Value: \"http://specs.openid.net/extensions/oauth/1.0\". openid.oauth.consumer REQUIRED. Value: The consumer key agreed upon in Section 7 . openid.oauth.scope OPTIONAL. Value: A string that encodes, in a way possibly specific to the Combined Provider, one or more scopes for the OAuth token expected in the authentication response. TOC TOC 9. Authorizing the OAuth Request If the OpenID OAuth Extension is present in the authentication request, the Combined Provider SHOULD verify that the consumer key passed in the request is authorized to be used for the realm passed in the request. If this verification succeeds, the Combined Provider SHOULD determine that delegation of access from a user to the Combined Consumer has been requested. The Combined Provider SHOULD NOT issue an approved request token unless it has user consent to perform such delegation. TOC TOC 10. Responding to Authentication Requests If the OpenID authentication request cannot be fulfilled (either in failure mode \"setup_needed\" or \"cancel\" as in Sections 10.2.1 and 10.2.2 of [OpenID] ) then the OAuth request SHOULD be considered to fail and the Provider MUST NOT send any OpenID OAuth Extension values in the response. The remainder of this section specifies how to handle the OAuth request in cases when the OpenID authentication response is a positive assertion (Section 10.1 of [OpenID] ). If the end user does wish to delegate access to the Combined Consumer, the Combined Provider MUST include and MUST sign the following parameters. openid.ns.oauth REQUIRED. Identical value as defined in Section 8 . openid.oauth.request_token REQUIRED. A user-approved request token. openid.oauth.scope OPTIONAL. A string that encodes, in a way possibly specific to the Combined Provider, one or more scopes that the returned request token is valid for. This will typically indicate a subset of the scopes requested in Section 8 . To note that the OAuth Authorization was declined or not valid, the Combined Provider SHALL only respond with the parameter

ReadWriteWeb ReadWriteTalk Enterprise Jobwire About Subscribe Contact Advertise RSS RWW Daily by Email Your email address RSS RWW Weekly Wrap-up Your email address Search ReadWriteWeb Home Products Trends Best of RWW Archives Comcast Property Sees 92% Success Rate With New Mobile retail software designed for in-store retail tasks. E.g. stock OpenID Method counting, receiving etc. www.handpoint.com Written by Marshall Kirkpatrick / February 10, 2009 2:33 PM / 22 Comments « Prior Post Next Post » Dell Business Computers The most-watched geek event of the day has to be the OpenID UX Business Computer Powered By Intel® (User Experience) Summit, hosted at the Facebook headquaters. The Core™ 2 Duo On Sale Online, At Dell www.nz.dell.com most discussed moment of the day will surely be the presentation by Comcast's Plaxo team. New Zealand Site Features 130,000 Members. Discover Why Plaxo and Google have collaborated on an OpenID method that may It's So Popular! www.smilecity.co.nz represent the solution to OpenID's biggest problems: it's too unknown, it's too complicated and it's too arduous. Today at the User Experience Summit, Plaxo announced that early tests of its new OpenID login RWW SPONSORS system had a 92% success rate - unheard of in the industry. OpenID's usability problems appear closer than ever to being solved for good. This experimental method refers to big, known brands where users were already logged in, it requires zero typing - just two clicks - and it takes advantage of the OpenID authentication opportunity to get quick permission to leverage the well established OAuth data swap to facilitate immediate personalization - at the same time, with nothing but 2 clicks required of users. Plaxo, primarily known for the noxious flood of spam emails it delivered in its early days, is now an online user activity data stream aggregator owned by telecom giant Comcast. The Plaxo team has been at the forefront of the new Open Web paradigm best known for the OpenID protocol. The Flow The method Plaxo has been testing is called an OpenID/OAuth combo, in collaboration with

2 clicks!

What Plaxo Found • Better for the user: higher success rate with no password anti- pattern • Better for the provider: Happy users and no automated data scraping • Better for the site: Higher conversion rate; more informed social graph

Relationships & Contacts

Portable Contacts API

Since September • Integrated with the OpenSocial REST People protocol • MySpace, hi5 and Plaxo are PoCo Providers • Microsoft’s LiveFX Framework (sort of) supports PoCo • Integration with Gmail demoed in September; “coming soon” • Handful of PoCo consumers (including an Android app) • Engaging the IETF around vCardDav compatibility

{ \"startIndex\": 10, \"itemsPerPage\": 10, \"totalResults\": 12, { \"id\": \"703887\", \"displayName\": \"Mark Hashimoto\", \"name\": { \"familyName\": \"Hashimoto\", \"givenName\": \"Mark\" }, \"birthday\": \"0000-01-16\", \"gender\": \"male\", \"drinker\": \"heavily\", \"tags\": [ \"plaxo guy\" ], \"emails\": [ { \"value\": \"mhashimoto-04@plaxo.com\", \"type\": \"work\", \"primary\": \"true\" }, { \"value\": \"mhashimoto@plaxo.com\", \"type\": \"home\" } ], \"urls\": [ { \"value\": \"http://www.seeyellow.com\",

\"photos\": [ { \"value\": \"http://sample.site.org/photos/12345.jpg\", \"type\": \"thumbnail\" } ], \"ims\": [ { \"value\": \"plaxodev8\", \"type\": \"aim\" } ], \"addresses\": [ { \"type\": \"home\", \"streetAddress\": \"742 Evergreen Terrace\\nSuite 123\", \"locality\": \"Springﬁeld\", \"region\": \"VT\", \"postalCode\": \"12345\", \"country\": \"USA\", \"formatted\": \"742 Evergreen Terrace\\nSuite 123\\nSpringﬁeld, VT 12345 USA\" } ], \"accounts\": [ { \"domain\": \"plaxo.com\", \"userid\": \"2706\" } ] } ] }

Filtering { \"id\": \"1\", \"name\": \"Chris Messina\", \"urls\": [ { \"value\": \"http://factoryjoe.com/blog\", \"type\": \"blog\" } ] }, { \"id\": \"2\", \"name\": \"Joseph Smarr\", \"emails\": [ { \"value\": \"joseph@plaxo.com\", \"type\": \"work\", \"primary\": \"true\" }, { \"value\": \"jsmarr@gmail.com\", \"type\": \"home\" } ], } } filterBy=name&filterOp=startswith&filterValue=Chr

Filtering { \"id\": \"1\", \"name\": \"Chris Messina\", \"urls\": [ { \"value\": \"http://factoryjoe.com/blog\", \"type\": \"blog\" } ] } } filterBy=name&filterOp=startswith&filterValue=Chr

Filtering { { \"id\": \"2\", \"name\": \"Joseph Smarr\", \"emails\": [ { \"value\": \"joseph@plaxo.com\", \"type\": \"work\", \"primary\": \"true\" }, { \"value\": \"jsmarr@gmail.com\", \"type\": \"home\" } ], } } filterBy=email&filterOp=contains&filterValue=plaxo.com

The Microformat XFN

Adding XFN

David Recordon Hacker. Scuba Diver. Entrepreneur. Contact Me Tuesday David Recordon San Francisco CA 94158 David tweeted, \"@factoryjoe agreed that \"Connect\" applications help reduce friction and make the social web easier to use. Want to elaborate in a comment?\" recordond@gmail.com david@sixapart.com David posted O'Reilly Radar: Anatomy of \"Connect\" David is attending San Francisco XMPP and Jabber Technologies Meetup at Yahoo Brickhouse David tweeted, \"RT @factoryjoe: Latest BBC Digital Planet podcast focuses on Tweetups and OpenID (starts at 10:53) -- featuring me! ;) http://tr.im/digitalp\" Find Me Elsewhere David posted Governments Can Be Pimp Too! LiveJournal Profile Twitter Profile Facebook Profile LinkedIn Profile Upcoming Profile Ma.gnolia Profile David posted Government perspectives on open data Digg Profile Flickr Profile Dopplr Profile FriendFeed Profile David posted New Zealand: KiwiFoo and Webstock Dopplr David tweeted, \"It's impossible to get angry with my email when I have a giant giraffe next to every message. Thanks Gmail!\" David tweeted, \"Plotting a brewery tour around Wellington on Segways. #webstock\" David is in Wellington until February 21st and has planned trips to: David posted Monsoon Poon Miami from February 22nd to 24th South Lake Tahoe from March 6th to 8th San Jose from March 9th to 12th Austin from March 13th to 17th David posted Webstock Tech Equipment

About Me

About My Friends

Google’s Social Graph API

Periodically checking for new people.

Activity Streams (*emerging work)

“Lifestreaming”

Today • Last.fm • Jaiku • Facebook newsfeed • FriendFeed • etc.

The challenge • Develop a format for expressing activities • Compelling experiences from activity feeds • The zero-knowledge test • etc.

FriendFeed Services

The Benefits • Staying in touch across the web • An open, emergent ecosystem of activities • Filtering, search, automation & stats • Optimal, compelling, custom experiences • Coalescing, merging, de-duping • etc.

Examples

last.fm

sweetcron (yongfook.com)

Facebook

FriendFeed

boxee.tv

Movable Type Motion

Eventbox

Anatomy of an activity

Actor verb object [context]

factoryjoe tweeted Niches Bitches! [via SMS]

Actor verb object {indirect object} [context]

Chris bought Planet Earth {for Brynn} [at Amazon.com]

Activities on the Social Web

I visit davidrecordon.com

I decide I want to follow his activities Sign in to follow Dave!

I sign in with my OpenID

Before I’m sent back, I’m asked whether I want to follow Dave

I say yes, and am asked which activity types I!m interested in... Add contact Dave Recordon Add subscriptions Worst username evar. Contact details San Francisco, CA Status updates davidrecordon.com Photos Bookmarks Your message (optional) Blogs Hi there! We met that conference daveman692 last week. I’ve subscribed to your updates on my site. Six Apart Location -Chris Music Movies Slide presentations Events Travel Local reviews Books Access requires permission from Dave Inspired by Jyri Engeström

Should any of the selected types be protected, I will be asked whether I want to request access Dave’s contact details, photos and location are protected. Would you like to request access to these items? Please note that Dave may deny your request. No thanks OK

If I say OK, an OAuth request will be sent which Dave will later be able to approve, deny or ignore

...And Dave’s public activities will show up in my activities dashboard.

...And if Dave later approves my request, his protected activities will show up too

Activities on the Open Web

I visit stammer.com

I decide I want to join this community Sign in to start posting!

I sign in with my OpenID

Before I’m sent back, I’m asked whether I want to authorize Stammer to postback my activities Stammer can post the activities you take on their site to your proﬁle. Would you like to allow this? If you’re not sure, you can decide later. These activities will not be made public unless you want them to be. You can always revoke this permission later. Decide later OK

If I say yes, I am returned to Stammer, authenticated. As I use the site, my actions are posted to my activity stream

If I defer, I am returned to Stammer, authenticated. As I use the site, my actions are posted to my activity dashboard, where I can choose to share my activities later

Sound familiar?

Current work

ATOM Extension

<entry> <id>tag:photopanic.example.com,2008:activity01</id> <title>Geraldine posted a Photo on PhotoPanic</title> <published>2008-11-02T15:29:00Z</published> <link rel=\"alternate\" type=\"text/html\" href=\"/geraldine/activities/1\" /> <activity:verb> http://activitystrea.ms/schema/1.0/post </activity:verb> <activity:object> <id>tag:photopanic.example.com,2008:photo01</id> <title>My Cat</title> <published>2008-11-02T15:29:00Z</published> <link rel=\"alternate\" type=\"text/html\" href=\"/geraldine/photos/1\" /> <activity:object-type> tag:atomactivity.example.com,2008:photo </activity:object-type> <source> <title>Geraldine's Photos</title> <link rel=\"self\" type=\"application/atom+xml\" href=\"/geraldine/photofeed.xml\" /> <link rel=\"alternate\" type=\"text/html\" href=\"/geraldine/\" /> </source> </activity:object> <content type=\"html\"> <p>Geraldine posted a Photo on PhotoPanic</p> <img src=\"/geraldine/photo1.jpg\"> </content> </entry>

Starter verbs/objects

Weblog Entry Note Photo Video Bookmark ...

What can we observe?

MySpace already supports this

...we’d like to get this into OpenSocial

The Benefits • Staying in touch across the web • An open, emergent ecosystem of activities • Filtering, search, automation & stats • Optimal, compelling, custom experiences • Coalescing, merging, de-duping • etc.

http://activitystrea.ms

Gadgets

Builds on the Open Stack.

Three Main APIs Combination of JavaScript, REST, templates, and proxied HTML • Activities (what people are doing on a site) • People and Profile information • Persistent data storage (joined across friends) • Containers are free to add their own APIs such as photos

Containers

Run like open source.

Container Code

REST Libraries http://icanhaz.com/opensocialcode Next Blog» Create Blog | Sign In SEARCH BLOG FLAG BLOG Search powered by Site Feed OpenSocial now friends with PHP, Java, Ruby, and Python Wednesday, December 17, 2008 at 11:49:00 AM With more and more containers introducing server-to-server APIs based on the OpenSocial REST and RPC protocols (think MySpace, LinkedIn, Plaxo, orkut, and iGoogle just for starters), it has never been a better time to jump into OpenSocial development. These new protocols allow you to write engaging social Subscribe via email applications for these containers using the language of your choice -- JavaScript is no longer the only option. Enter your email To help you get started using the OpenSocial REST and RPC protocols, we have assembled a set of address: client libraries for PHP, Java, Ruby and Python. Each library enables developers to retrieve profile information and persistent data from supporting containers without having to concern themselves with managing network connections, signing requests, or other lower-level details. To check out the code, point your browsers to the Source tab linked from each project's home page: Subscribe OpenSocial PHP Client Library OpenSocial Java Client Library Delivered by OpenSocial Ruby Client Library FeedBurner OpenSocial Python Client Library These libraries are completely open sourced under the Apache 2.0 license, and contributions are not only welcomed but encouraged. In addition to a wiki page explaining the patch submission process, each Archives project hosts an issue tracker which have already been populated with known issues and requested

Sign in Home News Help About: This OpenSocial application provides the ability to write and save JavaScript code samples to execute against OpenSocial containers. This helps rapidly test sample OpenSocial code. Code samples can be saved and loaded. You can give other developers links to code samples for instructional or debugging purposes. Available on the following containers (click to use): Versions: OpenSocial 0.7 This version is compatible with containers supporting version 0.7 of the OpenSocial API. [ View XML ] OpenSocial 0.8 This version is compatible with containers supporting version 0.8 of the OpenSocial API. [ View XML ] http://osda.appspot.com/

Log in / create account page discussion view source history Building an OpenSocial App with Google App Engine Lane LiaBraaten, Google Developer Programs\\ September 2008 While you can write OpenSocial apps that run solely in JavaScript and use the Persistence API to store data on the container, many OpenSocial apps communicate with a third-party server for data storage or application logic. Integrating with your own third-party server allows you to add new dimensions to your app, like providing a data API, hosting static content, or allowing configuration through an admin console. navigation In this article, we'll build an app that is similar to the gift-giving application built in the OpenSocial tutorial . When a user views the app, they Main Page see a drop-down menu of gifts (such as a peanut, or a red pistachio nut) and another drop-down menu containing a list of their friends. The Containers user can give any of these gifts to a friend and the gift transaction will be displayed. The app will also display any gifts that the user has JS API Reference received. You can find all the source code used to run this application in the opensocial-gifts project on Google Code Project Hosting. You Articles & Tutorials can also install this app on the orkut sandbox. Contributing Recent changes The original gift-giving app is built using 100% client-side OpenSocial code and is therefore subject to a number of limitations imposed by the Random page container rendering the app, such as the amount of data the container will let you store, and the access controls related to when you can read Help and write data. With Google App Engine, you can manage all this data on an external server, freeing your app from any constraints imposed by search the container. Viva la revolución! Contents [hide] Go Search 1 Audience toolbox 2 Architecture What links here 2.1 Google App Engine app (app.yaml and gifts.py) Related changes 2.2 Database model (db_model.py) Upload file 2.3 Admin interface (admin.py) Special pages 2.4 JSON data API (api.py) Printable version 2.5 OpenSocial application spec (gifts.xml) Permanent link 3 Setting up a Google App Engine app 4 Using Google App Engine to store data 4.1 Defining the data model 4.2 Populating the datastore 4.3 Accessing the datastore 5 A simple Google App Engine web interface 5.1 Creating a request handler 5.2 Forwarding requests 5.3 Identifying the user http://bit.ly/osgae

A Sample Gadget <?xml version=\"1.0\" encoding=\"UTF-8\"?> <Module> <ModulePrefs title=\"Gifts part 1 - Friends\"> <Require feature=\"opensocial-0.8\"/> <Require feature=\"dynamic-height\" /> </ModulePrefs> <Content type=\"html\"> <![CDATA[ <script type=\"text/javascript\"> function loadFriends() { var req = opensocial.newDataRequest(); req.add(req.newFetchPersonRequest(opensocial.IdSpec.PersonId.VIEWER), 'viewer'); var viewerFriends = opensocial.newIdSpec({ \"userId\" : \"VIEWER\", \"groupId\" : \"FRIENDS\" }); var opt_params = {}; opt_params[opensocial.DataRequest.PeopleRequestFields.MAX] = 100; req.add(req.newFetchPeopleRequest(viewerFriends, opt_params), 'viewerFriends'); req.send(onLoadFriends); } function onLoadFriends(data) { var viewer = data.get('viewer').getData(); var viewerFriends = data.get('viewerFriends').getData(); html = new Array(); html.push('<ul>'); viewerFriends.each(function(person) { if (person.getId()) { html.push('<li>', person.getDisplayName(), '</li>'); } }); html.push('</ul>'); document.getElementById('friends').innerHTML = html.join(''); gadgets.window.adjustHeight(); } function init() { loadFriends(); } gadgets.util.registerOnLoadHandler(init); </script> <div id='main'> Your friends: <div id='friends'></div> </div> ]]> </Content> </Module>

A Sample Gadget <?xml version=\"1.0\" encoding=\"UTF-8\"?> <Module> <ModulePrefs title=\"Gifts part 1 - Friends\"> <Require feature=\"opensocial-0.8\"/> <Require feature=\"dynamic-height\" /> </ModulePrefs> <Content type=\"html\"> <![CDATA[ <script type=\"text/javascript\"> ... </script> <div id='main'> Your friends: <div id='friends'></div> </div> ]]> </Content> </Module>

A Sample Gadget <?xml version=\"1.0\" encoding=\"UTF-8\"?> <Module> <ModulePrefs title=\"Gifts part 1 - Friends\"> <Require feature=\"opensocial-0.8\"/> <Require feature=\"dynamic-height\" /> </ModulePrefs> <Content type=\"html\"> <![CDATA[ <script type=\"text/javascript\"> function loadFriends() { var req = opensocial.newDataRequest(); req.add(req.newFetchPersonRequest(opensocial.IdSpec.PersonId.VIEWER), 'viewer'); var viewerFriends = opensocial.newIdSpec({ \"userId\" : \"VIEWER\", \"groupId\" : \"FRIENDS\" }); var opt_params = {}; opt_params[opensocial.DataRequest.PeopleRequestFields.MAX] = 100; req.add(req.newFetchPeopleRequest(viewerFriends, opt_params), 'viewerFriends'); req.send(onLoadFriends); } function onLoadFriends(data) { var viewer = data.get('viewer').getData(); var viewerFriends = data.get('viewerFriends').getData(); html = new Array(); html.push('<ul>'); viewerFriends.each(function(person) { if (person.getId()) { html.push('<li>', person.getDisplayName(), '</li>'); } }); html.push('</ul>'); document.getElementById('friends').innerHTML = html.join(''); gadgets.window.adjustHeight(); } function init() { loadFriends(); } gadgets.util.registerOnLoadHandler(init); </script> <div id='main'> Your friends: <div id='friends'></div> </div> ]]> </Content> </Module>

A Sample Gadget ... function loadFriends() { var req = opensocial.newDataRequest(); req.add(req.newFetchPersonRequest(opensocial.IdSpec.PersonId.VIEWER), 'viewer'); var viewerFriends = opensocial.newIdSpec({ \"userId\" : \"VIEWER\", \"groupId\" : \"FRIENDS\" }); var opt_params = {}; opt_params[opensocial.DataRequest.PeopleRequestFields.MAX] = 100; req.add(req.newFetchPeopleRequest(viewerFriends, opt_params), 'viewerFriends'); req.send(onLoadFriends); } function onLoadFriends(data) { var viewer = data.get('viewer').getData(); var viewerFriends = data.get('viewerFriends').getData(); html = new Array(); html.push('<ul>'); viewerFriends.each(function(person) { if (person.getId()) { html.push('<li>', person.getDisplayName(), '</li>'); } }); html.push('</ul>'); document.getElementById('friends').innerHTML = html.join(''); gadgets.window.adjustHeight(); } function init() { loadFriends(); } gadgets.util.registerOnLoadHandler(init); ...

1) Markup existing public data. 2) Stop leaking passwords! 3) Support OpenID for sign in.

Discussion! chris@citizenagency.com david@sixapart.com

Implementing The Social Web - Fowa Miami 2009

0 comments

Notes on slide 1

2 Favorites