Introduction To Open Web Protocols

Introduction to Open Web Protocols (Open ID, OAuth, Atompub and OpenSocial)

Mohanaraj Gopala Krishnan

MSCOSCONF 2 June 2009

mohangk.org/blog

@mohangk on twitter

Questions for you

Experience using or developing any of the following services ?

OpenID, Oauth, Atompub or OpenSocial ?

Might not even know about it ?

Under the hood technologies

User your Gmail / Yahoo password on more then one site ?

Use a twitter client that makes you login via twitter website ?

Blog using a client – e.g. Windows Live Writer

Use any of Google APIs – Gmail, Youtube, Docs

Use applications on Orkut, Friendster, MySpace or Ning ?

What do we mean by the Open Web ? http://www.flickr.com/photos/mag3737/1914076277

The open web is a set of philosophies

Decentralization - not owned by any one company

Transparency - view the “source”

Openness - The protocols, docs, code or specification must be available without penalty of patents, copyright

User choice - As easy to leave as it was to join - take data and information with you

3rd Party Integration/Innovation - hook into the system at all levels, innovate without asking permission

Civil Society and Discourse - many-to-many and one-to-many communication, allowing for millions of conversations

Not about technologies "...However, if we define the Open Web in terms of these technologies , then we risk losing sight of what makes the web special and being able to have the intellectual nimbleness to evolve the infrastructure of the web." -Brad Neuberg, Dojo, Google Gears developer http://www.flickr.com/photos/uhop/2250235637 http://codinginparadise.org/weblog/2008/04/whats-open-web-and-why-is-it-important.html

Having said that,

This is a talk about the web specifications that embody those philosophies

Open Web technologies being developed on many fronts

Client end

Browser - Firefox – Gen Kanai's talks

Server technologies

Apache, PostgreSQL, Linux, BSD - tools that power the web, most mature

Web specifications

Driven from need for collaboration, but has value beyond it

What is OpenID ?

OpenID is a specification that allows people to log into a web site using credentials provided by another web site.

Distributed authentication

Key concepts

User

Identifier - unique identifier that will be reused at all sites

Identity provider (OpenID Provider, IdP, Server)

Relying party (Consumer)

As an end user

You can reuse your username and password which sites that work as relaying parties (not all IPs are Rps – Facebook is the largest RP)

Single place to maintain/update your identity

Need to have an account with an identity provider

As a developer

Exist mature libraries for many languages

Build on the security expertise of others

If you develop public websites

OpenID as its gaining traction 500 million users, over 25,000 sites accept OpenID logins*

Makes it easier for new users to join as they do not need to re-enter all information

If you develop internal websites

Can use OpenID as a form of SSO for multiple internal application - looses out of the “distributed” nature however

* http://www.janrain.com/openid

OpenID flow www.johnmerrells.com/.../05/openid-diagram-1.png

What is OAuth?

A simple open standard for delegated Web API authorization

Let other sites access your data without telling them your password

Valet key for your web http://toyotaownersclub.com/forums/index.php?showtopic=77384

Key concepts

End Users

Share information between online services without disclosing passwords

Web service (Service providers)

Allow for secure access to your API in a user controlled, secure manner

3rd Party application (Consumers)

A standard authorization scheme for the web

VS

http://www.flickr.com/photos/leelefever/133949029/

OpenID vs OAuth

Goals are different

OpenID is about sharing a single identity with different consumers

OAuth is about sharing your data with different consumers without sharing your identity

Not mutually exclusive

Love triangle End user Service provider Consumer

http://www.flickr.com/photos/factoryjoe/2658493767/

As an end user, why bother?

Never give your passwords to 3 rd party websites

Even if not malicious, what if compromised ?

WTF ?!

“ Passwords are not confetti. Please stop throwing them around. Especially if they’re not yours ” Chris Messina http://www.slideshare.net/carsonified/how-oauth-and-portable-data-can-revolutionize-your-web-app-chris-messina-presentation/

As a developer, why bother?

Large adoption - Goog, Y!, MySpace

Interop - Leverage the services

Can be used as a replacement for HTTP basic auth

SSL might not be always necessary

Part of the Open web stack

Atompub + OpenID + OAuth + XRDS +OpenSocial

What is the Atom publication protocol (Atompub) ?

A manner of updating Atom feed information on a server from a client

The feed format is Atom Syndication format - RFC 4287

Atom publication protocol – RFC 5023

Key concepts

Is a RESTful HTTP protocol – uses HTTP “correctly”

Consists of

Entry – basic unit of content

Feed – a collection of entries

Allows for data beyond HTML

The atom:content element allows for storing of more data then just HTML

Being used as a way to expose data on the web

Google has extended Atompub and the Atom syndication format to expose their applications data online

Microsoft as well has used it as the basis of the Live web services

http://dev.live.com/blogs/devlive/archive/2008/02/27/213.aspx

Example

As a developer, why bother ?

If you're building apps

More web APIs are being exposed as an extension to Atompub or being built in a RESTful manner

If you're exposing your building a web service/API

Building your Web API on top of Atompub will ensure that it benefits from all the RESTful principles

Allows your users to leverage existing tooling and know how in accessing Atompub or RESTful web services

OpenSocial

A set of open, standard APIs for building social applications

Widget/ Portal based

Front ends are implemented in Javascript, HTML, CSS. Uses Javascript to query backends.

Backends expose RESTful web APIs to query backends that return data either as JSON or Atom feeds.

Leverages OAuth for security

Examples http://www.flickr.com/photos/29501676@N00/1826112130/

http://apps.myspace.com

~ 1000+ apps

iGoogle – a non social site OpenSocial container

Google Friend Connect – A hosted OpenSocial solution

Applications available as part of Google Friend connect

Deals with proliferation of online social sites http://widgetsummit.com/media/slides/opensocial.pd f - Chris Schalk, Google Developer Advocate Paul Lindner, Engineering Manager, hi5

http://widgetsummit.com/media/slides/opensocial.pd f - Chris Schalk, Google Developer Advocate Paul Lindner, Engineering Manager, hi5

Key concepts

Platforms that can run the OpenSocial widgets are called “containers”

The containers expose a standard set of underlying data APIs

People & Friends

Access friends information programmatically

Activities

See what you’re friends are up to

Share what you are doing

Persistence

Provide state without a server

Share data with your friends

http://widgetsummit.com/media/slides/opensocial.pd f - Chris Schalk, Google Developer Advocate Paul Lindner, Engineering Manager, hi5 Javascript front end querying the data apis

http://widgetsummit.com/media/slides/opensocial.pd f - Chris Schalk, Google Developer Advocate Paul Lindner, Engineering Manager, hi5 Javascript front end accessing data from outside OpenSocial container

As a developer, why bother ?

If you're building apps for social networks

Huge deployment

375,000,000 users , 4,500+ apps, pipeline of 100+ containers world wide http://widgetsummit.com/media/slides/opensocial.pd f - Chris Schalk, Google Developer Advocate Paul Lindner, Engineering Manager, hi5