Sean Middleditch » OpenID Not The Best Bet

OpenID Not The Best Bet

So, I’ve tried toying around with OpenID a bit, and I’ve come back feeling a little unimpressed.

There are two problems. First, it is still a super pain in the ass to setup an OpenID server. None of the servers I could find were installable with a simple tarball unpack and config script - they all required source modifications and even then didn’t really work. There are toolkits for building OpenID servers, but no ready-to-run servers.

The biggest problem though is just the user-experience as a whole. Having to type in anything at all is still kind of clunky. I want single sign-on - if I am online, any site I go to should be able to verify I am the entity I was last time (with the ability to easily allow/deny sites from doing so). I shouldn’t need to type anything in. The amount of information available to the system should be more than enough for any site, be it a simple blog comment form, a forum, or an online store.

I’m all for having a server to centralize this, but I don’t think the technology should be built around users interacting with this server. The server should be a storage medium at most, not the actual UI. Instead, I am imagining a browser extension (which should be possible for Gecko, IE, WebKit, and Opera) that exposes a new JavaScript object, something like window.AuthService. This object allows the site to query information about the current user, including name, email, contact information, etc. It will also be able to retrieve a user ID (which would probably be an email address, or something else guaranteed to be unique per-user) as well as a site token. This token would be a completely unique and cryptographically strong random identifier that is associated with the user ID and the site domain. In particular, each user/site combo gets a different token.

So, I connect to google.com, and it wants to know who I am. It queries window.AuthService.userId and window.AuthService.siteToken and gets ’sean@mojodo’ and ‘F583AC9…4AC’ back. It then uses these to log the user in, or create a new account (which in many cases could be completely silent).

The first time a site attempts to access the AuthService object, the browser can display a popup (or one of those notice bars that are becoming popular) informing the user that the site wishes to identify him, and allow him to accept the authorization (possibly selecting between multiple profiles), permanently accept it, deny it, or select the access level (id and token only, id token and contact info, etc.).

The central server comes into play by allowing the browser to configure such a server (which could easily just be an LDAP server) to grab identifies from. Browsers set up in public terminals could be configured to ask for the server login information when the user first accepts an AuthService request (and not store this information past the end of the browser session). This allows users to keep their authentication information somewhere central, but keeps the UI solely in the browser allowing for a far better user experience.

Obviously a lot of details need to be worked out, including the exact interface (would it be better to use HTTP headers rather than or in addition to JavaScript?), the UI needs to be nailed down, etc.

I’ve considered writing a Mozilla extension for this (as well as extensions for WHAT-WG Connection class and Server-Sent DOM Events), but writing extensions for Mozilla is such a byzantine process and the documentation on how one might register new objects in windows (and do so securely - the docs just say it’s insecure if not done right, warning you not to do it, which is fucking useless compared to just explaining how to do it correctly and securely) that I haven’t been able to get anywhere on any of those ideas.

In the end though, I think OpenID is pretty much dead technology. At most it might become very slightly popular with blogs for posting comments, but it’s usefulness pretty much ends there. The UI sucks and the ease of user control and information handling is too lacking.

Thursday, February 14th, 2008 Computers, Development Trackback URL for this entry

6 Comments

  • 1. MJ Ray replies at 15th February 2008, 8:29 am :

    Maybe I’m not understanding what you’re wanting to do with it, but I didn’t find either Clamshell or NoseRub (which is more than just an openID server) particularly difficult to set up.

  • 2. James replies at 15th February 2008, 6:41 pm :

    Sounds like you want Appalachian. Your solution sounds like it’s giving every website that asks for one your userid which sounds like a bad plan. Also, “Browsers set up in public terminals could be configured” is a pipe dream - relying on anything more than HTML forms is asking for failure.

  • 3. Sean Middleditch replies at 20th February 2008, 8:22 pm :

    James, I think you missed something I wrote. The user would be prompted (in the browser chrome) as to which identity to give the site, or possibly denying the site any identity at all.

    I also see no problem with the “browsers set up” comment, since they _already_ do that - they are configured to forget cookies between sessions and the like. That same setting would ideally by default block the saving of auth server info.

    I don’t believe that “only relying on HTML forms” is a solid idea. Just think, it wasn’t so many years ago that XMLHttpRequest didn’t exist at all, or that SVG was unheard of, or that many common DOM functions we take for granted didn’t exist or were only available in one or two browsers. The Web evolves. I fully and whole-heartedly believe that authentication really, really needs to be simplified, and that it needs to be done in an actual user-friendly, secure, easy, no-pain manner for users - even if that means doing what we’ve already done many times before and push a new technology into the common Web browsers.

  • 4. James replies at 2nd March 2008, 6:57 pm :

    “Browser chrome” and expecting internet cafes to be competently admined is the pipe dream. Most of them aren’t going to bother installing an add-on to provide the chrome, meaning sites will have to have fallbacks to existing tech. But my real point is why do you think you have to invent a whole new tech, instead of just improving the OpenID experience. Did you even look at Appalachian?

  • 5. Sean Middleditch replies at 3rd March 2008, 12:38 am :

    Again, I don’t see it (long term) as being an issue of an “add-on.” Just like a dozen other technologies that are built-in to every browser and expected of the modern website, I think authentication will be there sometime in the future. This probably won’t be for at least 5 years.

    It’s worth nothing that in truth we already are capable of doing something very close to this today using SSL client certs or Kerberos tickets. It’s just a matter of browsers adapting the additional UI for selecting an identity per-site and including the login mechanism.

    I mention wanting to build an add-on now only because someone needs to build a proof-of-concept and initial design before we can really expect this to take off and become a de facto standard.

  • 6. James replies at 11th March 2008, 8:11 pm :

    Like Clickpass are doing?

    To repeat myself: But my real point is why do you think you have to invent a whole new tech, instead of just improving the OpenID experience?

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <blockquote cite=""> <code> <em> <strong>