Building the Social Web with OpenID
Upcoming SlideShare
Loading in...5

Building the Social Web with OpenID



Slides from my keynote at PyCon UK 2007.

Slides from my keynote at PyCon UK 2007.



Total Views
Views on SlideShare
Embed Views



21 Embeds 166 29 27 22 17 14 13 8 6 5 5 4 2 2 2 2 2 2 1 1 1 1



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Building the Social Web with OpenID Building the Social Web with OpenID Presentation Transcript

  • Building the Social Web with Simon Willison PyCon UK, 8th September 2007
  • Who here has used OpenID?
  • Who uses it regularly?
  • Four problems • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  • Four problems (and their OpenID related solutions) • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  • Usernames and passwords suck
  • “We want to make you aware that media of ours that contained a backup of a portion of the reddit database was stolen recently [...] we wanted to alert you to the possibility that your username, password, and -- in some cases -- e-mail address may have been compromised. ” Steve Huffman,
  • Two lessons • Don’t store plaintext passwords in your application’s database • Don’t use the same password on more than one site!
  • The Web needs Single Sign On
  • ?
  • SSO with a single controlling authority betrays the principles of the Web
  • OpenID is a decentralised mechanism for Single Sign On
  • An OpenID is a URL
  • The OpenID protocol lets you prove that you own a specific URL
  • An OpenID can be used as an authentication credential
  • “Who the heck are you?!”
  • “I’m”
  • “prove it!”
  • (magic happens)
  • “OK, you’re in!”
  • Picking an OpenID is like picking an e-mail provider - you find one that you trust
  • If you have the ability to run your own server software, you can do it for yourself
  • So how do I use it?
  • So my users don’t have to sign up for an account?
  • Not necessarily
  • An OpenID tells you very little about a user
  • You don’t know their name
  • You don’t know their e-mail address
  • You don’t know if they’re a person or an evil robot
  • Where do I get that information from?
  • You ask them!
  • OpenID can help them answer
  • So how does OpenID actually work?
  • <link rel=quot;openid.serverquot; href=quot;; />
  • “I’m”
  • Site fetches HTML, discovers identity provider
  • Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  • Redirects you to the identity provider
  • If you’re logged in there, you get redirected back
  • How does my identity provider know who I am?
  • OpenID deliberately doesn’t specify
  • username/password is common
  • But providers can use other methods if they want to
  • Client SSL certificates
  • Out of band authentication via SMS, e-mail or Jabber
  • SecurID keyfobs
  • No authentication at all (just say “Yes”)
  • Just say “yes”?
  • Yup. That’s the OpenID version of
  • Users can give away their passwords today - this is just the OpenID equivalent
  • What if I decide I hate my provider?
  • Use your own domain name
  • Delegate to a provider you trust
  • <link rel=quot;openid.serverquot; href=quot;;> <link rel=quot;openid.delegatequot; href=quot;;>
  • Support for delegation is compulsory
  • This minimises lock in
  • So everyone will end up with one OpenID that they use for everything?
  • Probably not
  • (I have half a dozen OpenIDs already)
  • People like maintaining multiple online personas
  • professional social secret ...
  • OpenID makes it easier to manage multiple online personas
  • Three accounts is still better than three dozen
  • If an OpenID is a URL, is there anything else interesting you can do with it?
  • Yes. Different OpenIDs can express different things
  • My AOL OpenID proves my AIM screen name
  • An OpenID from proves that someone is a current Sun employee
  • A OpenID could incorporate my taste in music
  • My LiveJournal OpenID tells you where to find my blog
  • OpenID and web service APIs naturally complement each other
  • What about phishing?
  • Phishing is a problem
  • I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in
  • Fake edition Your identity provider Username and password, please! Username: Password: Log in
  • Identity theft :(
  • An untrusted site redirects you to your trusted provider
  • Sound familiar?
  • PayPal Yahoo! BBAuth Google Auth Google Checkout
  • One solution: don’t let the user log in on the identity provider “landing page”
  • Better solutions
  • CardSpace
  • Native browser support for OpenID (Firefox 3, Seatbelt)
  • Competition between providers
  • Doesn’t this outsource the security of my users to untrusted third parties?
  • Yes it does. But...
  • ... so do “forgotten password” e-mails!
  • If e-mail is secure enough for your user’s authentication, so is OpenID
  • Password e-mails are just SSO with an unavoidably bad user experience
  • Best practices for OpenID consumers?
  • “I forgot my password” becomes “I can’t sign in with my OpenID”
  • Allow multiple OpenIDs to be associated with a single account
  • People can still sign in if one of their providers is down
  • People can un-associate an OpenID without locking themselves out
  • You can take advantage of site-specific services around each of their OpenIDs
  • What are the privacy implications?
  • Cross correlation of accounts
  • Don’t publish a user’s OpenID without making it clear that you’re going to do that
  • Allow users to opt-out of sharing their OpenID
  • Any other neat tricks?
  • My online identity exists in dozens of different places
  • I can use OpenID to tie these profiles together
  • Portable contact lists
  • Facebook (and others) currently ask for the user’s webmail username and password
  • Lightweight accounts
  • Pre-approved accounts
  • Social whitelists
  • OpenID and microformats
  • Identity projection
  • Decentralised social networks
  • “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  • An open alternative?
  • Who else is involved?
  • 0 875 1,750 2,625 3,500 Se p '05 O ct N ov D ec Jan '06 Fe b M ar Ap r M ay Ju ne Ju ly Au g Se p O ct N ov D ec Jan '07 Fe b Total Relying Parties M ar Ap r M ay Ju ne
  • How do I build it in to my Python application?
  • Open Source libraries from JanRain
  • OpenID Smart hackers needed
  • Thank you
  • Questions?