Building the Social Web with OpenID

Simon Willison
PyCon UK, 8th September 2007
Who here has used
   OpenID?
Who uses it regularly?
Four problems

• Usernames and passwords suck
• Signing up for new accounts is a pain
• My online identity exists in dozens of
  different places
• Social software suffers from too much
  overhead
Four problems
(and their OpenID-related solutions)
Usernames and
passwords suck
“We want to make you aware that media of ours that contained a backup of a portion of the reddit database was stolen recently [...] we wanted to alert you to the possibility that your username, password, and -- in some cases -- e-mail address may have been compromised.”

Steve Huffman, reddit.com
Two lessons

• Don’t store plaintext passwords in
  your application’s database

• Don’t use the same password
  on more than one site!
The Web needs
Single Sign On
SSO with a single
controlling authority
betrays the principles
     of the Web
OpenID is a
decentralised mechanism
   for Single Sign On
An OpenID is a URL
http://swillison.livejournal.com/
http://simonw.myopenid.com/
http://simonwillison.net/
http://openid.aol.com/simonwillison/
The OpenID protocol
lets you prove that you
  own a specific URL
An OpenID can be used as
an authentication credential
“Who the heck are you?!”
“I’m simonwillison.net”
“prove it!”
(magic happens)
“OK, you’re in!”
Picking an OpenID is
 like picking an e-mail
provider - you find one
     that you trust
If you have the ability to
  run your own server
 software, you can do it
       for yourself
http://siege.org/projects/phpMyID/
So how do I use it?
So my users don’t
have to sign up for an
      account?
Not necessarily
An OpenID tells you
very little about a user
You don’t know
  their name
You don’t know
their e-mail address
You don’t know
if they’re a person
  or an evil robot
Where do I get that
information from?
You ask them!
OpenID can help them answer
So how does OpenID
    actually work?
<link rel="openid.server" href="http://www.myopenid.com/server" />
“I’m simonwillison.myopenid.com”
Site fetches HTML,
discovers identity provider
Establishes shared secret
 with identity provider
   (Using Diffie-Hellman key exchange)
Redirects you to the
 identity provider
If you’re logged in there,
you get redirected back
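The flow above ends with the user arriving back at the site carrying a signed assertion. What follows is an added example (not code from the talk or from the JanRain libraries) of what the relying party does at that point under OpenID 1.1: it recomputes the HMAC-SHA1 over the fields listed in openid.signed using the MAC key from the association, and refuses anything not bound to its own association handle, the identity it asked about and its own return_to. The Diffie-Hellman association step is assumed to have already happened; MAC_KEY, ASSOC_HANDLE, the example.com return URL and the provider's reply are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Added example, not from the talk or the JanRain libraries. Wire format per
# OpenID 1.1: openid.signed lists the covered fields, openid.sig is
# base64(HMAC-SHA1(mac_key, key-value form)), one "key:value\n" line per field
# in openid.signed order, keys without the "openid." prefix.
MAC_KEY = os.urandom(20)          # constructed: would come from the DH association
ASSOC_HANDLE = "demo-assoc-1"     # constructed: handle naming that association


def kv_form(params: dict, signed_fields: list) -> bytes:
    """Key-value form of the signed fields, in the order openid.signed gives them."""
    return "".join(
        "{}:{}\n".format(field, params["openid." + field]) for field in signed_fields
    ).encode("utf-8")


def sign(params: dict, signed_fields: list, mac_key: bytes) -> str:
    digest = hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def provider_response(identity: str, return_to: str, mac_key: bytes, assoc_handle: str) -> dict:
    """Demo identity-provider side: the id_res parameters appended to return_to on approval."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "mode,identity,return_to",
    }
    params["openid.sig"] = sign(params, params["openid.signed"].split(","), mac_key)
    return params


def verify_assertion(params: dict, mac_key: bytes, assoc_handle: str,
                     expected_identity: str, expected_return_to: str) -> bool:
    """Relying-party check of an id_res response; True only if every check passes."""
    if params.get("openid.mode") != "id_res":
        return False
    # Only accept signatures under the association this site itself established.
    if params.get("openid.assoc_handle") != assoc_handle:
        return False
    signed_fields = params.get("openid.signed", "").split(",")
    # identity and return_to must be under the signature or anyone could rewrite them.
    if not {"mode", "identity", "return_to"} <= set(signed_fields):
        return False
    try:
        expected_sig = sign(params, signed_fields, mac_key)
    except KeyError:                      # a listed field is missing from the response
        return False
    if not hmac.compare_digest(expected_sig.encode("ascii"),
                               params.get("openid.sig", "").encode("utf-8")):
        return False
    # Bind the assertion to the identity we asked about and to our own return URL.
    if params["openid.identity"] != expected_identity:
        return False
    got, want = urlsplit(params["openid.return_to"]), urlsplit(expected_return_to)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


if __name__ == "__main__":
    identity = "http://simonwillison.myopenid.com/"
    return_to = "http://example.com/openid/complete/"   # constructed relying-party URL
    good = provider_response(identity, return_to, MAC_KEY, ASSOC_HANDLE)
    print(verify_assertion(good, MAC_KEY, ASSOC_HANDLE, identity, return_to))    # True
    forged = dict(good)
    forged["openid.identity"] = "http://victim.myopenid.com/"
    print(verify_assertion(forged, MAC_KEY, ASSOC_HANDLE, identity, return_to))  # False
```

return_to is compared on scheme, host and path only because the provider appends its own openid.* parameters to the query string; a production library additionally checks that any query parameters it originally placed in return_to came back unchanged, and the signature check must run before any of the other fields are trusted.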
How does my identity
provider know who I am?
OpenID deliberately
  doesn’t specify
username/password
    is common
But providers can
use other methods if
    they want to
Client SSL certificates
Out of band
authentication via SMS,
   e-mail or Jabber
SecurID keyfobs
No authentication at all
   (just say “Yes”)
Just say “yes”?
Yup. That’s the OpenID
version of bugmenot.com
http://www.jkg.in/openid/
Users can give away
their passwords today -
this is just the OpenID
        equivalent
What if I decide I
hate my provider?
Use your own
domain name
Delegate to a
provider you trust
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
Support for delegation
  is compulsory
This minimises lock in
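As an added example (not the talk's or JanRain's own code), here is the discovery step that the earlier openid.server slide and the delegation slides describe: the relying party fetches the claimed URL, reads the openid.server and openid.delegate link tags from the document head, and sends the delegate (when present) to the provider while continuing to treat the claimed URL as the name the user is known by. The two HTML documents are constructed for the demo; the first mirrors the myopenid.com tag shown earlier, the second the LiveJournal delegation above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Added example, not from the talk or the JanRain libraries: HTML-based
# discovery of openid.server / openid.delegate as OpenID 1.1 describes it.
# Both sample pages below are constructed for the demo.


class _LinkCollector(HTMLParser):
    """Collect rel -> href for <link> tags that appear inside <head> only."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            self.in_head = False
        if tag == "link" and self.in_head and attrs.get("href"):
            for rel in (attrs.get("rel") or "").lower().split():
                self.links.setdefault(rel, attrs["href"])   # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed into the URL to fetch: add http:// and a path."""
    url = user_input.strip()
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(claimed_id: str, html: str) -> dict:
    """Return the provider endpoint and the identity to send it.

    claimed_id stays the user's name on this site; identity is the delegate if
    the page declares one, otherwise claimed_id. Raises ValueError when the page
    declares no openid.server.
    """
    parser = _LinkCollector()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link found at " + claimed_id)
    return {
        "claimed_id": claimed_id,
        "server": server,
        "identity": parser.links.get("openid.delegate", claimed_id),
    }


DIRECT_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body>hello</body></html>"""

DELEGATED_PAGE = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head><body>
<!-- constructed: a link tag in the body (e.g. user-supplied content) must be ignored -->
<link rel="openid.server" href="http://attacker.example/server">
</body></html>"""

if __name__ == "__main__":
    print(discover(normalize_identifier("simonwillison.myopenid.com"), DIRECT_PAGE))
    print(discover(normalize_identifier("http://simonwillison.net/"), DELEGATED_PAGE))
```

The relying party must later check that the provider's signed response names the identity it sent (the delegate), and must keep the claimed URL, not the delegate, as the account key; otherwise a page that can inject a link tag, or a user who edits their delegate, can steer the site at a provider of their choosing or claim somebody else's account. The body-level link in DELEGATED_PAGE is there to show the parser ignoring it.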
So everyone will end up
 with one OpenID that
they use for everything?
Probably not
(I have half a dozen
 OpenIDs already)
People like maintaining
multiple online personas
professional
   social
   secret
     ...
OpenID makes it easier
 to manage multiple
   online personas
Three accounts is still
better than three dozen
If an OpenID is a URL, is
there anything else interesting
       you can do with it?
Yes. Different OpenIDs can
  express different things
My AOL OpenID proves
 my AIM screen name
An OpenID from
 sun.com proves that
someone is a current
    Sun employee
A last.fm OpenID
could incorporate
my taste in music
My LiveJournal OpenID
tells you where to find
        my blog
OpenID and web
 service APIs naturally
complement each other
What about phishing?
Phishing is a problem
I can has lolcats!? (BETA)
Make your own lolcats! lol

Sign in with your OpenID:
OpenID: ________  Sign in

http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/
Fake edition
Your identity provider
Username and password, please!
Username: ________
Password: ________
Log in
Identity theft :(
An untrusted site
redirects you to your
  trusted provider
Sound familiar?
PayPal
 Yahoo! BBAuth
  Google Auth
Google Checkout
One solution: don’t let
the user log in on the
  identity provider
    “landing page”
Better solutions
CardSpace
Native browser
support for OpenID
(Firefox 3, Seatbelt)
Competition between
    providers
Doesn’t this outsource the
 security of my users to
 untrusted third parties?
Yes it does. But...
... so do “forgotten
password” e-mails!
If e-mail is secure
enough for your user’s
 authentication, so is
       OpenID
Password e-mails are
  just SSO with an
unavoidably bad user
     experience
Best practices for
OpenID consumers?
“I forgot my password”
becomes “I can’t sign in
    with my OpenID”
Allow multiple OpenIDs
to be associated with a
     single account
People can still sign
  in if one of their
 providers is down
People can un-associate
  an OpenID without
locking themselves out
You can take advantage
of site-specific services
 around each of their
        OpenIDs
What are the privacy
  implications?
Cross correlation of
     accounts
Don’t publish a user’s
OpenID without making
it clear that you’re going
        to do that
Allow users to opt-out
of sharing their OpenID
Any other neat tricks?
My online identity exists in
dozens of different places
I can use OpenID to tie
 these profiles together
Portable contact lists
Facebook (and others)
  currently ask for the
user’s webmail username
      and password
Lightweight accounts
Pre-approved accounts
Social whitelists
OpenID and
microformats
Identity projection
Decentralised social
    networks
“People keep asking me to join
 the LinkedIn network, but I’m
 already part of a network, it’s
      called the Internet.”
     Gary McGraw, via Jon Udell, via Gavin Bell
An open alternative?
Who else is involved?
[Chart: Total Relying Parties, September 2005 to June 2007; y-axis from 0 to 3,500]
How do I build it in to my
  Python application?
Open Source libraries from JanRain

Smart hackers needed
http://openid.net/
http://www.openidenabled.com/
http://simonwillison.net/tags/openid/
Thank you
Questions?
