[FOWA Talk] Use OpenID Beyond Authentication

Posted by Cristiano Betta

One of the talks at the Future of Web Apps (FOWA) showed me a way to use OpenID that I hadn’t realized yet. Many people, when they think of OpenID, think of it as a way to log in, that is, to authenticate themselves to a system. Clearly you could give a site any identity you want, as long as you present the same OpenID every time you drop by.

Matt Biddulph from Dopplr, though, showed some ways OpenID could be used beyond authentication. Dopplr, for example, lets you add more than one OpenID to your Dopplr account, which lets you log in to Dopplr with any of those OpenID providers. This becomes rather redundant once you add more than two OpenIDs, but Matt Biddulph showed that you can use people’s OpenIDs for more purposes than authentication.

I already knew you could use an OpenID to verify that a person is simply a member of a certain group of people. Much like you could use your student card to get a discount at a cinema, an OpenID from your university would show that you are a student. Extending this, a national OpenID could prove your nationality, and your corporate OpenID could prove which company you work for.

Note that the actual identity of the user is not relevant and doesn’t really need to be checked, as only the type of the OpenID (which provider issued it) matters. Even better, no extension like XRI is needed to make this work.

[Image: Microformats logo + OpenID logo]

A second example showed how OpenID plus Microformats could give any application a nice read-only API. Imagine you have an app and would like to give your users a simple way to add their friends from their other networks. A simple way to do this would be to let the user provide their OpenIDs for some other networks. Checking with the OpenID server that this OpenID really belongs to that user would be enough for you to then fetch the Microformatted contact lists from their profile pages on those sites and compare that information with your own list of users.

Many networks like Twitter and Jaiku already present their friend lists using Microformats, but they don’t yet provide their users with an OpenID login that would allow another app to verify that user X on your application is actually user Y on that other site. Currently Dopplr just scrapes your Twitter profile page for friends when you give it a username, so you could give it any name you want; but if Twitter became an OpenID provider, then Dopplr could use this to check that you really are that person on that network.

[More brainstorming on combining Microformats and OpenID]

4 Responses to “[FOWA Talk] Use OpenID Beyond Authentication”

  1. alper http://www.alper.nl

    Dopplr checks your Twitter contacts on their fn value to see if they match with the Dopplr database. A bit messy, but it seems to work for now if your name is not too common.

    Full node equivalence across social networks using rel="me" links to tie the different networks together and store all that in a regularly updated store is still a bit off.

  2. Alcides http://alcides.ideias3.com

    There is a problem in my opinion, which is that sometimes names don’t match. I am thinking of Pownce, which uses “Firstname L.”, and when I am spidering my XFNetwork it gives me repeated contacts.

    This is the kind of system that only works if everybody uses it, that makes its implementation kinda hard.

  3. Reinier http://zwitserloot.com

    I wrote an hCard parser last week (read about it here) so I have some experience with it these days. During some discussion or other, Alper mentioned to me some service that treated hCards as equal if their fn reported the same name.

    Warnings bells immediately went off in my head. While I more or less agree with the concept of fast iterations, that doesn’t mean you can make decisions that will obviously blow up in your face shortly. “John Smith” could -never- be added to such a system. There are far too many of them.

    While there’s no easy way to do it, a -little- more effort wouldn’t go amiss: The hCard spec dictates that if the ‘fn’ property looks like a proper name, you fill in the blanks for the ‘n’ property (n = the name split out into given, last, additionals, and honorifics). Firstname L. actually gets parsed as LastName I. - it would be a broken hCard if that’s the ‘fn’. However, the fact that there’s some ‘n’ implication going on does mean you can reduce LastName Q. to “initial = Q, lastname = LastName”, which allows you to say: It COULD be the same as “Quentin LastName”.

    Unfortunately the vast majority of hCards I’ve seen don’t include birthday, which would definitely help. While there will still be collisions for lastname + initial + birthday, there should be a lot less; few enough that you can base a service on it without being certain that it’ll blow up the moment you get even slightly popular.

    Unfortunately uniquely identifying information is often used in legacy services as an authenticator. If someone knew my full name, birthday, and social security number (a useful thing to stuff into the UID field of an hCard, if it weren’t a security leak), they could pose as me far too easily. I really dislike those systems as it’s not that hard to figure that stuff out, but putting it all in your hCard so your hCard is uniquely identifiable sounds like a bad idea.

    Still, such a service should try and compare a few more datapoints (email, url, bday, tz, n, fn - and then use a heuristic that rates % chance of similarity).
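One way to build the "shortlist of potential friends" the post describes (fetched hCard contacts compared against the local user list) using the matching refinements Reinier suggests above (a two-word fn reduced to an initial plus family name, then several public fields compared with a confidence score). This is an added example, not code from the post or from Dopplr; the hCards are assumed already extracted into dicts, the field weights are assumptions, and the sample data is constructed.

```python
# Constructed sample data (not real people): remote hCards and the local user table.
REMOTE_HCARDS = [
    {"fn": "Quentin LastName", "url": "http://q.example.org", "bday": "1980-05-01"},
    {"fn": "LastName Q.", "email": "q@example.org"},  # the "Firstname L." shape
    {"fn": "John Smith"},
]
LOCAL_USERS = [
    {"id": 1, "fn": "Quentin LastName", "email": "q@example.org",
     "url": "http://q.example.org", "bday": "1980-05-01"},
    {"id": 2, "fn": "John Smith", "email": "js1@example.org"},
    {"id": 3, "fn": "John Smith", "email": "js2@example.org"},
    {"id": 4, "fn": "Quincy LastName", "email": "quincy@example.org"},
]
# Assumed weights for the public fields compared; the page names the fields, not numbers.
WEIGHTS = {"email": 0.9, "url": 0.8, "bday": 0.3}

def implied_n(fn):
    """(given, family) from a two-word fn: 'Given Family', 'Family, Given', or initial + family."""
    words = fn.split()
    if len(words) != 2:
        return None
    a, b = words
    if a.endswith(","):
        return b, a.rstrip(",")
    for initial, family in ((a, b), (b, a)):
        if len(initial.rstrip(".")) == 1:
            return initial.rstrip("."), family
    return a, b

def names_compatible(a, b):
    """Same family name, and given names equal or one is the other's initial."""
    if a is None or b is None or a[1].lower() != b[1].lower():
        return False
    ga, gb = a[0].lower(), b[0].lower()
    return ga == gb or (len(ga) == 1 and gb.startswith(ga)) or (len(gb) == 1 and ga.startswith(gb))

def similarity(remote, local):
    """0.0 if the pair cannot be the same person, else a confidence in (0, 1]."""
    if not names_compatible(implied_n(remote["fn"]), implied_n(local["fn"])):
        return 0.0
    score = 0.2  # compatible names alone are weak evidence ("John Smith")
    for field, weight in WEIGHTS.items():
        if field in remote and field in local:
            if remote[field].lower() != local[field].lower():
                return 0.0  # a hard mismatch on a distinctive field rules the pair out
            score += weight
    return min(score, 1.0)

def shortlist(remote_cards, local_users, threshold=0.2):
    """Candidate (remote fn, local id, score) triples for the user to tick on or off."""
    pairs = [(r["fn"], u["id"], similarity(r, u)) for r in remote_cards for u in local_users]
    return sorted((p for p in pairs if p[2] >= threshold), key=lambda p: -p[2])
```

Both "John Smith" rows come back at the baseline score only, which is exactly the ambiguous case the user has to resolve by hand; only the fields a site already publishes are compared, so nothing like a birthday plus SSN needs to be stuffed into the hCard.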

  4. Cristiano Betta http://cristianobetta.com/

    @Alcides and @reinier:

    Totally true, but the clue of this system was not to give you a definite list of people that are 100% sure your friends. The idea is to give you a shortlist of very potential friends. The user on Dopplr is obviously presented with this list and he/she can then go through the list and tick certain users on/off.

    All in all this works maybe only slightly worse, but it is way safer than giving away your Gmail login information to any service.

    (BTW: Even when you give away your Gmail username/password to a service, this still wouldn’t always lead to 100% if people sign up with a different email on every service. I for example use ****@cristianobetta.com, where **** is the service name, when I sign up.)
