OpenID + OAuth: Two Great Tastes That Taste Great Together
by Erick Schonfeld on January 29, 2009

Today, Google and Plaxo released a hybrid protocol that combines OpenID, the open online identity standard, with OAuth, the secure data portability standard. Too often, when a Website wants to import your contacts from another Web service, it asks for your login and password credentials. OAuth gets around that by sending you back to the original site, where you log in and authorize the one-time transfer of data. It is much more secure. And now it works with OpenID.

So far, this is just a test between Plaxo and Google, where a Plaxo member can invite someone via Gmail. Plaxo marketing VP John McCrea argues that this approach is:

- better for the user by being more convenient and more secure;
- better for the identity provider by not asking the user for their password and then scraping their data; and
- better for the site by delivering a higher conversion rate on signup flows and getting more useful data from the user.

It, of course, competes with another approach that is out there: Facebook Connect. But, then, that only works with Facebook.

Comments

  • That pic looks like shit and diarrhea. Great together!

  • wow what is that pic…

  • Erick,

    Have you ever seen a regular user use OpenID? I’m a fairly technical guy and even I don’t use OpenID because it’s so complicated.

  • The whole OpenID thing died a long time ago. The only reason it is still alive (as annoying as it is) is because some high profile tech guys created it and they happened to know how to “buzz” the news.
    From the beginning, the whole OpenID implementation was a complete mess and very unfriendly. If it was created by someone else, the tech community would have criticized and ridiculed it until they are blue in the face.

    I think it is high time to completely abandon the whole OpenID.

  • OpenID is very simple compared to all identity protocols that came before it. Mike D sounds like either a Facebook employee, or a zealot. Only a truly religious zealot could imagine that the future single sign-on identity protocol for the web would, in fact, rely on a single company (FB) and its servers, and not be an open protocol.

    Yes, that’s right, every human being on earth will one day have a FB account so that we can all bask in the glory of FB Connect signons all over the web.

    • No… I am not a Facebook Employee although I must say that they did do a great job in simplifying the whole Facebook Connect infrastructure.

      I do agree that a single company should not control the single sign on and it should be an open protocol.

  • OpenID really looks like the future and with the addition of OAuth to point to services that makes it really powerful

    BUT
    Now, really, what people want is to have a way to sign in using their email address. Personally, I think something like a simple service discovery, like if the email address ends in example.com or gmail.com or hotmail.com and even yahoo.com, the server will visit http://example.com and find the correct login URL and redirect to there, e.g. http://login.ex...om/emailadress/

    Have a SIMPLE way of discovering the URL, because a lot of people want to log in that way…

    then OpenID will truly rock !

    regards

    John Jones

    p.s. you could also look them up on other services such as FB Connect if the service wants to offer that as well as OpenID…

    http://www.johnjones.me.uk

  • How is this a new “hybrid protocol”? Isn’t this a mere extension of an existing one?

  • I’m consistently amazed by the throngs of folks, both techie and non-techie, that just crap all over OpenID without a) really taking the time to understand the problem it solves, and b) complaining rather than participating in solving the usability problems it has. I wholly agree that OpenID has suffered from a lack of salient explanation to the masses who have the problem, techie and non-techie alike. And I’d also put forth that most people, techie and non-techie, don’t even know that they have a problem with their digital identity! I’m the first to admit that OpenID is not a panacea, but folks who work towards making it more seamless and accessible stand to make quite a mark on the worlds of identity and the web as a whole. Isn’t that what “Open” is all about? So I say stop complaining and start participating!

    Even though many others in the OpenID community have been working on this very solution for some time, my hat’s off to Google for taking this step.

    • Nate, no one is denying the problem it attempts to solve. But it does not help if it actually does not solve the issue.

      Keeping in mind that Facebook’s 35-54 year old demographic segment not only continued to grow the fastest, but it accelerated to a 276.% growth rate over the past 6 months, there will be more people who will end up using FB Connect, unless Open ID can come up with something simpler.

      It does not make a difference how easy or difficult it is to integrate, especially when most publishers or site owners who integrate OpenID on their sites are developers anyway. What makes perfect sense is to make it really simple for regular folks to actually use it.

      This is an important issue but it needs to be well thought out.

      • I guess I didn’t address the fact that I appreciate OpenID mostly because it attempts to be truly “open”. I have no doubt that someone will eventually bridge or extend a connection between the two technologies. I also recognize that OpenID is certainly not appropriate for use in every situation, but nor is FB Connect.

        In my opinion, I’d much rather have the ability to express my digital identity via an open standard than ANY wholly proprietary system. Where a concern like FB might not be motivated to adopt an open approach all the time, it’s satisfying to know that there is an alternative.

        Let’s just assume that the market will eventually decide.

  • It took me a few clicks to enable OpenID logins on my personal blog. I’ve messed around with Facebook Connect and haven’t made much headway. You mean I need to deploy my own Facebook app to let people log in to my site? Yeah, that’s simple.

    OpenID is a very simple protocol. It certainly has problems, but complexity is not one of them.

  • I’m not sure if you guys have heard about it yet, but there’s a Firefox-based web browser with the OpenID technology and all that built in. I wrote something about it on my blog around Christmas. It’s excellent; I think you guys at Crunch should check it out and write about it.

    http://www.flock.com

  • Sending the user back to the source site for authorization seems to be a much better user experience, makes it clearer to the user that the data is borrowed for the one-time action/session vs. slurped in forever by a potentially untrusted site.

    Would be even better if the source site is able to author/control the messaging around the one-time data transfer to assuage these privacy concerns.

  • This story is a good example of complexity transfer — moving complicated parts of the process from the “user experience” below the waterline into the infrastructure layer. OpenID is a good, lightweight, open protocol of authenticating names (URLs), but by itself, it’s often not enough to solve user-level problems at the website. Coordinating data portability via OAuth makes things a lot more complex for the coders behind the scenes, but provides a level of simplicity and automation that should be a big step forward for the end user.

    Everyone wants access to all of their data (and everyone else’s often enough) all the time, from anywhere. That’s fine, but it’s a big challenge for service providers. OpenID has provided a key piece of the puzzle, and OAuth another, and it’s definitely time they got more tightly integrated. This is very positive development for the open stack, and for users who will benefit from it.

  • What Google should do in the 1st place is make OAuth work with its own other product: Friend Connect.
    It’s amazing that until now you just can’t make them work together.

  • I agree that “native” OpenID implementations are way too techie for most people to want to use. This sounds exciting though. Is there a version for other sites to easily implement?

    We have Google Friend Connect on our site, but it doesn’t integrate with existing contact lists users have in our network, like Facebook Connect does (which we will be adding soon). What is described above seems a much closer match for and genuine rival for Facebook Connect, although it still lacks the cachet of a 150 million member network behind it.

    Ian Hendry
    CEO, WeCanDo.BIZ
    http://www.wecando.biz
