[OpenID] Musing on FaceBook, OpenID and the next mountain to climb

Peter Williams pwilliams at rapattoni.com
Fri Aug 1 19:56:21 UTC 2008


You make it sound like the old Microsoft Passport: a (technically wonderful) piece of engineering, but one conceived for a world and evidently a "vision" limited to the goals of proprietary controls.

Be interesting to see now if Facebook gets hit by the same EU data protection issues that ultimately derailed the Passport control concept, where US/EU data flows occur. It was that debacle of poorly thought out control and trust management that of course led to the Microsoft involvement in user centric control, attribute release, explicit consent per spoke, etc. A fair amount of backroom politicking by Sun and the SAML/Liberty crowd also helped move the EU regulators too, of course!

-----Original Message-----
From: Allen Tom <atom at yahoo-inc.com>
Sent: Friday, August 01, 2008 12:28 PM
To: david at sixapart.com <david at sixapart.com>; OpenID List <general at openid.net>
Subject: Re: [OpenID] Musing on FaceBook, OpenID and the next mountain to climb


David Recordon wrote:
> Is there really anything that Facebook did that couldn't be
> accomplished with OpenID Authentication 2.0 and OpenID Attribute
> Exchange?
Facebook Connect has a nice set of libraries/APIs that RPs can just drop
in relatively easily on their site. The JS libraries implement much of
the sign in flow (displaying inline sign-in forms as well as a
permissions screen) which means that the FB Connect user experience is
consistent across all RPs.

They also seem to have implemented Single Sign Out, because signing out
of FB seems to also sign you out of the RP.

Additionally, FB Connect also authorizes the RP to write to the user's
FB News Feed, so there's an authorization component as well. The
authorization seems to expire when the browser session is closed, so
it's not quite like OAuth.

And finally, FB Connect requires that the RP pre-register with FB to get
an API key which presumably allows FB to authenticate the RP, and also
gives FB the ability to block the RP if necessary.

Unlike the OpenID/OAuth/AX services currently in the wild, the FB
Connect stack is highly integrated, with built-in privacy controls and a
standard UI. But as you correctly stated, I believe most, if not all, of
the stack could have been built upon open standards.

Allen


