
Building the Social Web with OpenID

From simon, 2 years ago

Slides from my keynote at PyCon UK 2007.

Tags

pyconuk2007 pyconuk openid python web2.0 simon willison social networking media in transition


Slideshow transcript

Slide 1: Building the Social Web with Simon Willison PyCon UK, 8th September 2007

Slide 2: Who here has used OpenID?

Slide 3: Who uses it regularly?

Slide 4: Four problems • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead

Slide 5: Four problems (and their OpenID related solutions) • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead

Slide 6: Usernames and passwords suck

Slide 8: “We want to make you aware that media of ours that contained a backup of a portion of the reddit database was stolen recently [...] we wanted to alert you to the possibility that your username, password, and -- in some cases -- e-mail address may have been compromised. ” Steve Huffman, reddit.com

Slide 9: Two lessons • Don’t store plaintext passwords in your application’s database • Don’t use the same password on more than one site!

Slide 11: The Web needs Single Sign On

Slide 12: ?

Slide 13: SSO with a single controlling authority betrays the principles of the Web

Slide 14: OpenID is a decentralised mechanism for Single Sign On

Slide 15: An OpenID is a URL

Slide 16: http://swillison.livejournal.com/

Slide 17: http://simonw.myopenid.com/

Slide 18: http://simonwillison.net/

Slide 19: http://openid.aol.com/simonwillison/

Slide 20: The OpenID protocol lets you prove that you own a specific URL

Slide 21: An OpenID can be used as an authentication credential

Slide 22: “Who the heck are you?!”

Slide 23: “I’m simonwillison.net”

Slide 24: “prove it!”

Slide 25: (magic happens)

Slide 26: “OK, you’re in!”

Slide 27: Picking an OpenID is like picking an e-mail provider - you find one that you trust

Slide 28: If you have the ability to run your own server software, you can do it for yourself

Slide 29: http://siege.org/projects/phpMyID/

Slide 30: So how do I use it?

Slide 35: So my users don’t have to sign up for an account?

Slide 36: Not necessarily

Slide 37: An OpenID tells you very little about a user

Slide 38: You don’t know their name

Slide 39: You don’t know their e-mail address

Slide 40: You don’t know if they’re a person or an evil robot

Slide 41: Where do I get that information from?

Slide 42: You ask them!

Slide 43: OpenID can help them answer

Slide 46: So how does OpenID actually work?

Slide 49: <link rel="openid.server" href="http://www.myopenid.com/server" />

Slide 50: “I’m simonwillison.myopenid.com”

Slide 51: Site fetches HTML, discovers identity provider

Slide 52: Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)

Slide 53: Redirects you to the identity provider

Slide 54: If you’re logged in there, you get redirected back
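Added example, not from the talk and not JanRain's library: the two steps the slides summarise as "establishes shared secret" (slide 52) and "you get redirected back" (slide 54), simulated in Python with both sides in one process. It follows the OpenID 1.1 DH-SHA1 association and HMAC-SHA1 signature layout, but the DH group is an assumption of this example (2**255 - 19 is prime, yet it is not the 1536-bit default modulus the spec gives and real libraries ship), and the association handle format and field values are made up.

```python
import base64
import hashlib
import hmac
import secrets

# ASSUMPTION of this example: an illustrative DH group. Do not use it in real
# code; use the default modulus from the OpenID 1.1 specification instead.
DH_P = 2**255 - 19
DH_G = 2
# Fields a consumer must insist are covered by the signature.
REQUIRED_SIGNED = ("mode", "identity", "return_to")


def btwoc(n: int) -> bytes:
    """OpenID's big-endian two's-complement encoding of a non-negative integer."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dh_keypair() -> tuple:
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def associate() -> tuple:
    """Both sides of openid.mode=associate with session_type=DH-SHA1.

    Returns the provider's MAC key, the key the consumer recovered (they must
    match) and the association handle the provider chose."""
    # Consumer (relying party): pick x, send g^x mod p.
    x, consumer_pub = dh_keypair()
    request = {
        "openid.mode": "associate",
        "openid.assoc_type": "HMAC-SHA1",
        "openid.session_type": "DH-SHA1",
        "openid.dh_consumer_public": b64(btwoc(consumer_pub)),
    }
    # Provider: pick y and a fresh 20-byte MAC key, mask the key with SHA1 of the
    # shared secret so it never crosses the wire in the clear.
    y, server_pub = dh_keypair()
    mac_key = secrets.token_bytes(20)
    cpub = int.from_bytes(base64.b64decode(request["openid.dh_consumer_public"]), "big")
    shared_at_provider = pow(cpub, y, DH_P)
    reply = {
        "assoc_handle": secrets.token_urlsafe(16),  # opaque; format is the provider's choice
        "dh_server_public": b64(btwoc(server_pub)),
        "enc_mac_key": b64(xor(hashlib.sha1(btwoc(shared_at_provider)).digest(), mac_key)),
    }
    # Consumer: derive the same shared secret and unmask the MAC key.
    spub = int.from_bytes(base64.b64decode(reply["dh_server_public"]), "big")
    shared_at_consumer = pow(spub, x, DH_P)
    recovered = xor(hashlib.sha1(btwoc(shared_at_consumer)).digest(),
                    base64.b64decode(reply["enc_mac_key"]))
    return mac_key, recovered, reply["assoc_handle"]


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form of the signed fields, one 'name:value' line each,
    names without the openid. prefix."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode("utf-8")


def sign_response(mac_key: bytes, fields: dict, signed=REQUIRED_SIGNED) -> dict:
    """Provider side: add openid.signed and openid.sig (base64 HMAC-SHA1)."""
    out = dict(fields)
    out["openid.signed"] = ",".join(signed)
    out["openid.sig"] = b64(hmac.new(mac_key, kv_form(out, list(signed)), hashlib.sha1).digest())
    return out


def verify_response(mac_key: bytes, response: dict) -> bool:
    """Consumer side: refuse responses whose security-relevant fields are not
    signed, then recompute the HMAC and compare in constant time."""
    signed = response.get("openid.signed", "").split(",")
    if any(name not in signed for name in REQUIRED_SIGNED):
        return False
    try:
        expected = hmac.new(mac_key, kv_form(response, signed), hashlib.sha1).digest()
        given = base64.b64decode(response["openid.sig"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, given)
```

The check on openid.signed is the part that is easy to forget: a signature over "mode" alone verifies perfectly while leaving openid.identity free for anyone to rewrite in the redirect back, so the consumer has to require that identity and return_to are inside the signed list before trusting the assertion.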

Slide 55: How does my identity provider know who I am?

Slide 56: OpenID deliberately doesn’t specify

Slide 57: username/password is common

Slide 58: But providers can use other methods if they want to

Slide 59: Client SSL certificates

Slide 60: Out of band authentication via SMS, e-mail or Jabber

Slide 61: SecurID keyfobs

Slide 62: No authentication at all (just say “Yes”)

Slide 63: Just say “yes”?

Slide 64: Yup. That’s the OpenID version of bugmenot.com

Slide 65: http://www.jkg.in/openid/

Slide 66: Users can give away their passwords today - this is just the OpenID equivalent

Slide 67: What if I decide I hate my provider?

Slide 68: Use your own domain name

Slide 69: Delegate to a provider you trust

Slide 72: <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml"> <link rel="openid.delegate" href="http://swillison.livejournal.com/">

Slide 73: Support for delegation is compulsory

Slide 74: This minimises lock-in
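Added example, not from the talk and not JanRain's library: the consumer side of slides 49 to 53 and 72 to 73 in Python, covering identifier normalisation, discovery of the openid.server link, the delegation rule that makes the provider see the delegate URL rather than the claimed one, and the checkid_setup redirect. The two sample pages are constructed from the markup on slides 49 and 72 (the network fetch is left out so it runs offline); the return_to and trust_root values are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample pages, modelled on the markup shown on slides 49 and 72.
DIRECT_PAGE = """<html><head><title>Simon</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body>hello</body></html>"""
DELEGATING_PAGE = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head><body>
<link rel="openid.server" href="http://evil.invalid/server"> <!-- outside head: ignored -->
</body></html>"""


class _OpenIDLinks(HTMLParser):
    """Collects the first openid.server and openid.delegate <link> in the head.

    rel is matched case-insensitively and may carry several space-separated
    tokens; links after </head> are ignored (a page with no </head> at all is
    scanned whole)."""

    def __init__(self):
        super().__init__()
        self.server = None
        self.delegate = None
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag != "link" or not self._in_head:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        rels = a.get("rel", "").lower().split()
        href = a.get("href", "").strip()
        if not href:
            return
        if "openid.server" in rels and self.server is None:
            self.server = href
        if "openid.delegate" in rels and self.delegate is None:
            self.delegate = href

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def normalize_identifier(user_input: str) -> str:
    """Normalise what the user typed: default to http://, lower-case the host,
    add a trailing slash to a bare host, drop any fragment."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("an OpenID is an http(s) URL")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(claimed_id: str, html: str) -> dict:
    """Discovery on the HTML fetched from the claimed identifier.

    Returns the provider endpoint and the identity to present to it: the
    delegate URL when one is declared (slide 72), else the claimed URL itself."""
    parser = _OpenIDLinks()
    parser.feed(html)
    parser.close()
    if parser.server is None:
        raise LookupError(f"no openid.server link found at {claimed_id}")
    return {
        "claimed_id": claimed_id,
        "server": parser.server,
        "identity": parser.delegate or claimed_id,
        "delegated": parser.delegate is not None,
    }


def checkid_setup_url(discovery: dict, return_to: str, trust_root: str,
                      assoc_handle: str = "") -> str:
    """Build the redirect of slide 53. return_to must fall within trust_root or
    the provider is required to refuse the request, so that is checked here too
    (exact host comparison; wildcard trust roots are not handled)."""
    if urlsplit(return_to).netloc.lower() != urlsplit(trust_root).netloc.lower():
        raise ValueError("return_to must be within trust_root")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": discovery["identity"],
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    if assoc_handle:
        params["openid.assoc_handle"] = assoc_handle
    sep = "&" if "?" in discovery["server"] else "?"
    return discovery["server"] + sep + urlencode(params)
```

Note what the consumer remembers across the redirect: the claimed identifier the user typed, not the delegate. The provider only ever vouches for the delegate URL, so on the way back the consumer must confirm the signed openid.identity equals the delegate it discovered for that claimed identifier, otherwise anyone who can point a page at LiveJournal's server could claim simonwillison.net.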

Slide 75: So everyone will end up with one OpenID that they use for everything?

Slide 76: Probably not

Slide 77: (I have half a dozen OpenIDs already)

Slide 78: People like maintaining multiple online personas

Slide 79: professional, social, secret, ...

Slide 80: OpenID makes it easier to manage multiple online personas

Slide 81: Three accounts is still better than three dozen

Slide 82: If an OpenID is a URL, is there anything else interesting you can do with it?

Slide 83: Yes. Different OpenIDs can express different things

Slide 84: My AOL OpenID proves my AIM screen name

Slide 85: An OpenID from sun.com proves that someone is a current Sun employee

Slide 86: A last.fm OpenID could incorporate my taste in music

Slide 87: My LiveJournal OpenID tells you where to find my blog

Slide 88: OpenID and web service APIs naturally complement each other

Slide 89: What about phishing?

Slide 90: Phishing is a problem

Slide 91: [mock sign-in page: "I can has lolcats!? BETA", "Sign in with your OpenID" form, styled after http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/]

Slide 92: [mock "Your identity provider" page, fake edition: "Username and password, please!" with a username/password login form]

Slide 93: Identity theft :(

Slide 94: An untrusted site redirects you to your trusted provider

Slide 95: Sound familiar?

Slide 96: PayPal, Yahoo! BBAuth, Google Auth, Google Checkout

Slide 97: One solution: don’t let the user log in on the identity provider “landing page”

Slide 99: Better solutions

Slide 100: CardSpace

Slide 101: Native browser support for OpenID (Firefox 3, Seatbelt)

Slide 103: Competition between providers

Slide 104: Doesn’t this outsource the security of my users to untrusted third parties?

Slide 105: Yes it does. But...

Slide 106: ... so do “forgotten password” e-mails!

Slide 107: If e-mail is secure enough for your users' authentication, so is OpenID

Slide 108: Password e-mails are just SSO with an unavoidably bad user experience

Slide 109: Best practices for OpenID consumers?

Slide 111: “I forgot my password” becomes “I can’t sign in with my OpenID”

Slide 112: Allow multiple OpenIDs to be associated with a single account

Slide 113: People can still sign in if one of their providers is down

Slide 114: People can un-associate an OpenID without locking themselves out

Slide 115: You can take advantage of site-specific services around each of their OpenIDs

Slide 116: What are the privacy implications?

Slide 117: Cross correlation of accounts

Slide 118: Don’t publish a user’s OpenID without making it clear that you’re going to do that

Slide 119: Allow users to opt-out of sharing their OpenID

Slide 120: Any other neat tricks?

Slide 121: My online identity exists in dozens of different places

Slide 123: I can use OpenID to tie these profiles together

Slide 124: Portable contact lists

Slide 125: Facebook (and others) currently ask for the user’s webmail username and password

Slide 126: Lightweight accounts

Slide 127: Pre-approved accounts

Slide 128: Social whitelists

Slide 129: OpenID and microformats

Slide 130: Identity projection

Slide 131: Decentralised social networks

Slide 132: “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell

Slide 133: An open alternative?

Slide 134: Who else is involved?

Slide 135: [chart: Total Relying Parties, monthly from Sep '05 to June '07, y-axis 0 to 3,500]

Slide 137: How do I build it in to my Python application?

Slide 138: Open Source libraries from JanRain

Slide 143: OpenID Smart hackers needed

Slide 144: http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/

Slide 145: Thank you

Slide 146: Questions?