
Simon Willison’s Weblog

Yahoo!, Flickr, OpenID and Identity Projection

Via ReadWriteWeb, view source on a Flickr photostream page and search for “openid” and you’ll be rewarded with the following snippet:

<link rel="openid2.provider"
  href="https://open.login.yahooapis.com/openid/op/auth" />

Which means that Flickr pages will very soon be able to act as OpenIDs. The provider isn’t up and running just yet though; try authenticating with your Flickr OpenID on Jyte.com and you’ll get the following message:

Hey there! You have stopped by a bit sooner than we had expected. This feature is still being tested, so please check back in a few days.

The URL of the server is interesting as well: it suggests that Yahoo!’s OpenID support is designed from the start to apply to more than just Flickr. I wouldn’t be at all surprised to see similar links start to crop up on all kinds of other Yahoo! properties—anything that has a page which can be considered to represent a user account. This would make a lot of sense, because OpenID is good for more than just authentication. The OpenID protocol allows a user to assert ownership of a URL. This can be used for SSO-style authentication, but it can also be used to prove ownership of a specific account to some other service, a concept I’ve been calling identity projection.
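How a relying party would read the link element quoted above, as an added example that is not part of the original post or any Yahoo! code. OpenID 2.0 HTML-based discovery only honours the element inside the document head; the function names, the HTTPS-only policy and the sample pages are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _HeadLinks(HTMLParser):
    """Collect <link> rel/href pairs that appear inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel is a space-separated token list; the first match wins
            for rel in (a.get("rel") or "").lower().split():
                if a.get("href"):
                    self.links.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html, require_https=True):
    """Return the OP endpoint and optional local id, or None if not an OpenID."""
    parser = _HeadLinks()
    parser.feed(html)
    endpoint = parser.links.get("openid2.provider")
    if endpoint is None:
        return None
    url = urlparse(endpoint)
    if url.scheme not in ("http", "https") or not url.netloc:
        raise ValueError("OP endpoint is not an absolute http(s) URL")
    if require_https and url.scheme != "https":
        raise ValueError("refusing plaintext OP endpoint")  # assumed RP policy
    return {"op_endpoint": endpoint,
            "local_id": parser.links.get("openid2.local_id")}

# Constructed sample pages; only the first link element comes from the post.
FLICKR_PAGE = ('<html><head><title>photostream</title><link rel="openid2.provider"\n'
               '  href="https://open.login.yahooapis.com/openid/op/auth" />'
               '</head><body></body></html>')
BODY_INJECTED = ('<html><head></head><body><link rel="openid2.provider" '
                 'href="https://op.example/auth"></body></html>')
PLAINTEXT = '<head><link rel="openid2.provider" href="http://op.example/auth"></head>'

if __name__ == "__main__":
    print(discover(FLICKR_PAGE))
    print(discover(BODY_INJECTED))  # link outside <head> is ignored
```

Ignoring link elements outside the head matters on pages that render user-supplied markup in the body, since honouring them would let a commenter redirect the page's OpenID to a provider of their choosing.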

If users can easily project their Flickr, Upcoming or del.icio.us identities to other sites, developers can start to build all kinds of neat things. Mashups for one get a whole lot more interesting when new users can easily bring their existing profiles from other sites with them. With any luck we’ll see Yahoo! start to adopt OAuth for authenticated API calls (which is itself based in part on the Flickr auth API) in the not too distant future, opening up even more possibilities.

A common misconception about OpenID is that it’s only really useful if users stick to using one identity. I’d be happy to see every one of my online profiles acting as an OpenID, not for SSO authentication (I’ll pick one “primary” OpenID to use for that) but so that I can selectively cross-pollinate some of my profiles to new services.

Back to Yahoo!, another interesting new URL is https://me.yahoo.com/. Again, there’s not much to see at the moment but it looks to me like this will become an endpoint for OpenID 2 directed identity. James Henstridge provides a useful explanation here, but the short version is that you’ll be able to enter “me.yahoo.com” into an OpenID field on a site and have Yahoo! pick an obfuscated, unique OpenID for your interactions with that site. This protects your privacy by preventing anyone from outside of Yahoo! from correlating your behaviour across multiple OpenID-enabled services, similar to how Yahoo!’s current BBAuth API provides applications with an opaque hash rather than a user’s Yahoo! screen name.
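One way a provider could derive the per-site identifiers described above, as an added example that is not part of the original post and not Yahoo!'s implementation. The HMAC construction, the op.example base URL, the secret and the function names are assumptions; the openid.* parameter names and the identifier_select URI come from the OpenID 2.0 specification.

```python
import base64
import hashlib
import hmac

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_BASE = "https://op.example/id/"  # placeholder, not Yahoo!'s real URL layout

def pairwise_identifier(op_secret, user_id, realm):
    """Derive a stable, opaque identifier for one (user, relying party) pair."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(4, "big") + f
                   for f in (user_id.encode(), realm.encode()))
    tag = hmac.new(op_secret, msg, hashlib.sha256).digest()
    return OP_BASE + base64.urlsafe_b64encode(tag).rstrip(b"=").decode()

def choose_identity(request, user_id, op_secret):
    """Provider side: pick the identifier to assert for a checkid request."""
    if request.get("openid.claimed_id") != IDENTIFIER_SELECT:
        raise ValueError("not a directed-identity request")
    # The spec falls back to return_to when no realm is sent.
    realm = request.get("openid.realm") or request["openid.return_to"]
    ident = pairwise_identifier(op_secret, user_id, realm)
    return {"openid.claimed_id": ident, "openid.identity": ident}

# Constructed sample data: the secret, user and realms are made up.
SECRET = b"constructed-demo-secret"

def sample_request(realm):
    """What a relying party sends after the user types the provider's URL."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "checkid_setup",
            "openid.claimed_id": IDENTIFIER_SELECT,
            "openid.identity": IDENTIFIER_SELECT,
            "openid.realm": realm}

if __name__ == "__main__":
    for realm in ("https://photos.example/", "https://events.example/"):
        reply = choose_identity(sample_request(realm), "simonw", SECRET)
        print(realm, "->", reply["openid.claimed_id"])
```

Because the identifier is keyed on the realm, two relying parties that compare their user tables see unrelated URLs, while the same site gets the same URL on every visit.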

It looks like Yahoo! will only be supporting OpenID 2 and won’t provide a fallback for OpenID 1.x consumers. This means you won’t be able to use your Flickr OpenID on many existing consumer sites (including this blog), at least until they get around to updating their libraries. I expect Yahoo!’s implementation to be a major influence in encouraging OpenID 2 adoption.

It’s three weeks short of a year since I launched idproxy.net, which provides Yahoo! account holders with a third-party OpenID via the BBAuth API. I couldn’t be happier to see Yahoo! taking steps towards cutting out the middle man.

This is Yahoo!, Flickr, OpenID and Identity Projection by Simon Willison, posted on 7th January 2008.


15 comments

  1. I hope this will be half of what it's cracked up to be! Plus, you just convinced me that multiple OpenID's can be useful.

    Devon - 8th January 2008 00:56 - #

  2. It would be great if we could sign in to your blog using OpenID 2.0

    atom - 8th January 2008 01:13 - #

  3. Looks like the OpenID train is non-stoppable now ;-)

    Is this concept "identity projection" elaborated somewhere?

    And would you please also comment on "selectively cross-pollinate"?

    John - 8th January 2008 06:44 - #

  4. There's not much to elaborate: it's really just a term I came up with to describe easily asserting your identity on one site to another. This isn't a new ability; the Flickr / Upcoming / other similar APIs have provided mechanisms for doing this for years, and there's always the low-tech method of simply asking someone for their username and/or profile URL from another service (which is unauthenticated, so you have to trust them to tell the truth).

    The difference with widespread OpenID is that identity projection becomes much, much easier for sites to implement.

    As for selective cross-pollination, I might not necessarily want to have a single identity that I use everywhere due to the privacy implications. With identity projection I can explicitly make those connections only when I need to - for example, when I want two services to be able to share my profile data. Of course, there's always the risk that someone will scrape together the fragments of my identity into a whole, but that's where stuff like directed identity starts to become important.

    Simon Willison - 8th January 2008 07:19 - #

  5. w00t! I just submitted this news to Mashable. Hm, whether to stick with idproxy or defer to flickr. :P

    I love idproxy and the url it provides, but I wonder whether things will be 'easier' with flickr.

    coxy - 8th January 2008 10:46 - #

  6. Flickr's an interesting one, isn't it? Over time, your photostream might build into a very suggestive (circumstantial) 'proof' of your identity... Though admittedly, I am cr*p at photos of people, so in my case you might have to cross-reference with the places I claim to have visited... ;^)

    Robin Wilton - 8th January 2008 12:24 - #

  7. It's great that Yahoo!'s jumping on the bandwagon. But when will I be able to use my own OpenID to login to Flickr?

    Bodhi - 8th January 2008 12:41 - #

  8. Doubt that Yahoo! would allow ~others~ to log in with credentials issued from a different site. Why? Spam. Awesome to see Yahoo be an open-id provider, and doubly awesome about the idea for autogenerated ~disposable id's~ ... that's really cool.

    Robert Ames - 8th January 2008 16:12 - #

  9. Robert - I'm not interested in using my OpenID identity to log into Flickr (or other Yahoo! services) - they have a long-established login system of their own and it seems unlikely that they'd want it sidestepped; I can appreciate that. Nor am I interested in using Yahoo! as an OpenID provider, as I already have one. But what I would like to be able to do, is tie my existing OpenID presence to my Flickr account - the identity projection that Simon is speaking of.

    Earle Martin - 8th January 2008 18:51 - #

  10. Robert, there's no reason to discriminate against people logging in using OpenID on a spam basis. An OpenID, from Yahoo's point of view can be treated just like a yahoo login name. That is, you have someone log in using OpenID, and then once that's verified you continue them through the regular sign up process that any other Yahoo user would go through -- including some form of CAPTCHA to work against spam.

    Because a user has logged in using OpenID doesn't mean they can be trusted, nor should it. The only thing it should change about the process from a user's point of view is having to enter a password (unless you need to authenticate with your provider still). The only thing it changes from a provider's point of view is the need to ask the user to enter a password.

    Lach - 8th January 2008 22:09 - #

  11. On the terminology of "Identity Projection": I just wanted to point you to a recent Jon Udell post along the same lines that calls it "omnidirectional and unidirectional identity"

    http://blog.jonudell.net/2008/01/02/omnidirectional-or-public-or-broadcast-identity/

    Pascal Van Hecke - 9th January 2008 13:53 - #

  12. So, w/ the Directed Identity / multiple-obfuscation point: does this address the phishing concern of the one SSO OpenID being the keys to the kingdom?

    I'm currently using Keepass to manage passwords, and wouldn't dare give up my master password; it seems to me that a single OpenID is one CSRF away from disaster.

    Jeremy Dunck - 9th January 2008 23:43 - #

  13. just started using openid and the future looks bright with 2.0 upcoming

    David - 7th February 2008 19:39 - #

  14. http://www.malayalamsearch.com
    Malayalam Search engine

    s - 15th February 2008 06:27 - #

  15. This has to be the coolest thing I've seen in a while. Just one Id to sign into so many different sites.

    ArticleSeer.Com - 4th March 2008 00:05 - #
