OpenID Connect

I’ve been thinking about how we make OpenID both easier and sexier for quite a while now. As frustrating as the answer may be to technologists, the problem is not necessarily one that can be solved with more technology. Instead, at some point, you have to move beyond the original constituents of a solution and start to package up the thing in a way that is less alienating, and less “inside baseball”.

“OpenID Connect”, therefore, is what I’m starting to use in casual conversation as my answer to Twitter and Facebook Connect.

It’s really creative, I know. That’s why they pay me the big bucks.

Seriously though, from a marketing perspective — it’s what I want the OpenID Foundation (and our new board) to offer the world in 2010. Essentially I think it’s time we ditched the “Open Stack” concept and put something out there that can stand up in conversation alongside the likes of Facebook Connect, in all its rich and specific expressiveness.

At some point, I want OpenID Connect to be what Facebook and Google and others implement that becomes the interoperable identity interchange protocol for the social web. But we’re not quite there yet, though all the technology is on the verge of being… ready.

Speaking of, from a technical perspective — I’m really just talking about repackaging OpenID as a profile of OAuth WRAP (credit: Recordon). It would provide relying parties with profile data, relationships, access to content, and activity streams — based on Recordon’s anatomy of connect.

Unlike the current incarnation, it would work in real-time, distributed systems, on the desktop as well as in mobile devices. Huzzah!

We’re not even that far away from such a solution. Since OpenID really just bootstraps identity — we need a way to provide relying parties with all the other stuff they’ve come to expect from the Twitter and Facebook Connect APIs… and that’s where the “connect” in “OpenID Connect” comes in.

So, to summarize:

  • for the non-tech, uninitiated audiences: OpenID Connect is a technology that lets you use an account that you already have to sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web.
  • for techies: OpenID Connect is OpenID rewritten on top of OAuth WRAP, using service discovery to advertise Portable Contacts, Activity Streams, and any other well-known API endpoints, and a means to automatically bootstrap consumer registration and token issuance.
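To make the “techies” summary concrete, here is an added example (not code from the original post or from the OpenID Foundation) of the identifier-to-endpoints bootstrap a relying party would perform: take the identifier a user typed, perform discovery against that identifier’s own host, collect the advertised Portable Contacts, Activity Streams and token endpoints, and later accept an authentication assertion only from the provider that discovery actually returned. That last check is the relying-party side of the provider-hijacking concern raised in the comments. The discovery document format, field names, hosts and URLs are all constructed for this illustration and stand in for whatever WebFinger/XRD or WRAP wire format the real protocol ends up using.

```python
"""Identifier -> discovery -> endpoint bootstrap, with the checks a relying
party needs so that an attacker-controlled provider cannot answer for
somebody else's identifier.

Constructed example: the document layout and field names are assumptions,
not the WebFinger/XRD or OAuth WRAP formats."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Endpoints:
    provider: str      # host that is allowed to vouch for this identifier
    authorize: str     # OAuth WRAP-style user authorization endpoint
    token: str         # token issuance endpoint
    contacts: str      # Portable Contacts endpoint
    activities: str    # Activity Streams endpoint


# Constructed stand-in for the network: host -> discovery document it serves.
FAKE_DISCOVERY = {
    "example.org": {
        "provider": "id.example.org",
        "links": {
            "authorize": "https://id.example.org/oauth/authorize",
            "token": "https://id.example.org/oauth/token",
            "contacts": "https://id.example.org/poco/@me/@all",
            "activities": "https://id.example.org/activitystreams/@me",
        },
    },
    "weak.example": {  # misconfigured host: plain-http token endpoint
        "provider": "id.weak.example",
        "links": {
            "authorize": "https://id.weak.example/authorize",
            "token": "http://id.weak.example/token",
            "contacts": "https://id.weak.example/poco",
            "activities": "https://id.weak.example/as",
        },
    },
}


def host_of(identifier: str) -> str:
    """Accept 'user@host' or an https URL and return the host to query."""
    if "@" in identifier and "://" not in identifier:
        local, _, host = identifier.rpartition("@")
        if not local or not host:
            raise ValueError("malformed acct identifier")
        return host.lower()
    parsed = urlparse(identifier)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("URL identifiers must be https with a host")
    return parsed.hostname.lower()


def discover(identifier: str, fetch=lambda h: FAKE_DISCOVERY[h]) -> Endpoints:
    """Resolve an identifier to its provider and API endpoints.

    Discovery is always performed against the identifier's own host, never
    against a URL handed over by a third party, and every advertised endpoint
    must be https so an on-path attacker cannot swap in their own provider."""
    host = host_of(identifier)
    try:
        doc = fetch(host)
    except KeyError:
        raise LookupError(f"no discovery document for {host}") from None
    links = doc["links"]
    required = ("authorize", "token", "contacts", "activities")
    for name in required:
        url = urlparse(links.get(name, ""))
        if url.scheme != "https" or not url.hostname:
            raise ValueError(f"endpoint {name!r} is not an https URL")
    return Endpoints(doc["provider"], *(links[n] for n in required))


def assertion_is_trusted(identifier: str, asserting_provider: str) -> bool:
    """Accept 'provider P vouches for identifier I' only when P is the
    provider that discovery on I returned; anything else is rejected."""
    try:
        return discover(identifier).provider == asserting_provider.lower()
    except (ValueError, LookupError):
        return False


if __name__ == "__main__":
    eps = discover("alice@example.org")
    print("token endpoint:", eps.token)
    print("trusted:", assertion_is_trusted("alice@example.org", "id.example.org"))
    print("hijack attempt:", assertion_is_trusted("alice@example.org", "id.weak.example"))
```

The design point is that the relying party never trusts an assertion on its own: the identifier determines where discovery is performed, discovery determines which provider may speak for it, and a provider that was not discovered for that identifier is rejected even if it presents an otherwise well-formed assertion.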

39 thoughts on “OpenID Connect”

  1. Great idea—how would this look on a typical desktop application though? Could I implement a consumer inside of a full-screen game (think: MMORPG) with this?

    If so, I think this could be really great, as that was one of the issues I had with OpenID.

    Thinking back now: with current OpenID, I suppose I could just start a little server on the client’s computer and have the login process in a little HTML frame, but that’s a lot of work for something so small.

  2. @Devyn: definitely take a look at OAuth WRAP. That’s where a lot of energy is going right now to solve a number of the problems that have plagued OpenID… and I think putting the two together is going to make cases like you’ve mentioned much easier in the future.

    There’s no silver bullet here, but I think what I’ve come to realize is that authorization happens at a lower layer than identity — and OpenID got the order somewhat reversed. Certainly if all you need is a way to identify someone, OpenID is fine… most sites need more than that though, and that’s where I think OAuth will come in.

    Anyway, I don’t want to wave too many hands, but yes, I believe that OpenID Connect would be useful in your case, without needing to run a server on the client side (which has been proposed many times!).

  3. Have you mocked up what the next screen looks like once they click the Connect button? Doesn’t this end us in a similar Nascar state?

    Not hating, I like the idea, just seems like the next logical question. :)

  4. I’ll be publishing mockups for how the browser could handle this at an earlier stage later this week.

    The NASCAR problem will persist for some time, I believe, but think that OpenID Connect as a product name from the OpenID community can at least help answer the question: “Should I implement Facebook Connect, Twitter Connect or OpenID?” Soon enough, the answer should be YES!

  5. Oh, I like the button—very sexy. I’m a big fan of glossy black-graphite gradients.

  6. “OpenID Connect is OpenID rewritten on top of OAuth WRAP using service discovery”

    Will this use Google’s Step2 project, or something new?

  7. I think you’re really onto something here, Chris. There’s a serious need for something like this – having tried getting the Drupal modules to work over unit time when (insert social media site here) keeps changing the way they do connections is annoying. OpenID makes sense and could fill that void quite well.

    One ID to rule them all, One ID to bind them
    One ID to in the darkness find them.

  8. I agree that OpenID needs some serious product management. I like the OpenID Connect label -> much better than the Open Stack.

    Technically, speaking as an author of OAuth WRAP, making OpenID an OAuth WRAP Profile does not make sense. I do think that an OpenID v Next would be very complementary to OAuth WRAP.

    One of the problems OpenID solves that WRAP does not is discovery and key exchange. I would say that is most of what OpenID does.

    Great to see the discussion pick up, it is going to be a very interesting year!

    (hopefully we move this discussion to the OpenID DLs!)

  9. I’m a big fan of OpenID but I really think there’s a bigger issue here, a branding one. “OpenID” just isn’t sexy or an approachable brand name. To me, that in itself seems a big barrier to entry in the marketplace.

  10. With what you wrote here, I am getting a strong feeling 2010 could be seriously significant for the whole OpenID movement!

  11. One of the problems that I run into with OpenID (and other Connect products) is that I can never remember what I used to log into a site with. This is especially problematic with sites that start out with only one option and later add all the buttons. With usernames and passwords my browser will typically fill out the form to remind me. Is there some way for you to get this into the browser and synced through the cloud from the beginning? Why do I have to trust my identity to a third party website at all?

    Another issue is that it doesn’t seem like this tackles the real reasons a site would use Facebook Connect, a captive audience for their updates and access to the largest friend graph for viral transmission. If we are going to rethink the open stack can we start from first principles and solve real issues that publishers and applications have first? Value to them is what is going to really drive adoption, not the consumer value proposition.

    1. @Sam: you’re not alone. This is actually one of the core problems that’s driving some of my work with Mozilla, in trying to get this into the browser. It’s still a long way off, but I’m more convinced every day that we do need a hybrid browser/social-agent and web solution for this to all work and make sense to users.

      As to driving adoption through social virality… that’s an important point to make. Someone’s going to have to take a leap of faith and adopt OpenID Connect as the standard by which they interact with social web services and web sites — come one, come all! — and they’ll gain a huge advantage by being the most universal, most compatible service provider. Again, we’re a ways off from that reality happening, but I think the tech is lined up — we just need to finalize it, clarify it, productize it, ship it, and then promote it! ;)

  12. Bundling the service as “sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web” makes the whole thing easy to understand, but it also makes me think that the data is not going to be distributed (because of the complexity of the technology and the users’ own data management) but is going to be dominated by a couple of big players (or even just one), with all the other sites as “clients”.

    So this proposal will end up as: sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web AND write it all back to your main location so you can bring it all wherever you go.

    The big player will win by having control and the data to datamine but will lose eyeballs by being just a datastore for other sites.

  13. I don’t know about the technical details but the branding sounds right. I almost always explain OpenID to non-technical folks as “it’s like Facebook Connect”.

    1. @Ryan: The “NASCAR” problem is the one I outlined in my post on OpenID usability: namely, the NASCAR is the array of provider logos that confronts a user when he attempts to sign in. He essentially has to pick from among many brands — any or all of which may be familiar to him.

      With OpenID or WebFinger, you just enter the email or URL that you want to be identified by, and proceed to your provider to continue authentication. The problem with this approach, so far, is concern about phishing and provider hijacking.

  14. This sounds very much like what I was hoping OpenID could do. At least I now know it’s something it will be able to do :)

  15. I hate that FaceBook connect has almost become a de facto standard because of its ease of use. I’d love to be able to implement OpenID + OAuth on all of our (currently FaceBook connect) sites.

    We (Rehab Studio) did a client project that made use of the YouTube, Flickr and Twitter APIs which all had their own approaches to user identification. OAuth WRAP sounds like it would solve all of this if it were implemented by all the major players :)

    1. All the players (or a good number anyway) are already at the table around OAuth and OAuth WRAP. I believe it’s just a matter of time before they’re able to get the technical details worked out — and when they do, I hope this work will quickly lead to OAuth 2.0, which in turn will pave the way for OpenID Connect.

  16. That was what I was afraid would happen: a convergence, not of the service, but of the concept. By associating identity with a connection service, you make it irrelevant for a user to use a niche identity provider, and worth it to stick with the larger provider, allowing people on the edge to move to Facebook more than you’d encourage hackers to play with their Facebook-glued relatives.

    I need to spend more time with WRAP to detail that issue, but I’m afraid that only seems like a move in the right direction.

  17. Big ups to the “OpenID Connect” name, but what is it connecting? My URL from the OpenID server, my profile from my OpenID provider, or are we going to see a Secure Online Identity service where we load our credentials and it automagically grabs our social graph, loads all the data and passes it to the service requesting it?

    The OpenID message has become fuzzy to me lately – is OpenID simply trying to give you an alternative to creating multiple usernames and passwords, is it trying to gather all our online identities into one, is it trying to make our online data more accessible? What?

    Right now I simply use it as a login which can direct people to a specific URL. This can also be accomplished by simply filling in the forms provided. Chris, could you please reiterate the purpose of OpenID?

  18. “I think it’s time we ditched the “Open Stack” concept and put something out there that can stand up in conversation alongside the likes of Facebook Connect, in all its rich and specific expressiveness.”

    This is exactly what I was expecting from OpenID several years ago after the Berkman Identity event. Basically I said OpenID was a tech solution looking for a problem and that it’s all about marketing to consumers and keeping personal data open and free, and of course people looked at me like I was crazy.

    The core case for OpenID has not lived up to expectations. Everyone offers credentials, few accept them as alternative login options.

    People have shown that they really *don’t care* about single sign-on. Well some of us do but it’s not that big of a deal.

    What people care about is Facebook holding their data ransom. OpenID is a time saver, keeping your Facebook data free and open is much more emotional.

    You’re never going to compete with FB Connect, you’re just another of the 10 login options people will have in coming years. Deal with it.

    Suggest decreasing SSO login efforts and become more of a repository for content. You say it yourself: “bring your profile, contacts, data, and activities with you to any compatible site on the web.”

    But there are countless VC funded co’s doing exactly this, so what are you going to do?

    Seems like it gets some traction, then goes away, then someone else innovates, then OpenID has to chase that idea for a while.

    Set a goal, focus, deliver, and repeat.
