[OpenID] Musing on FaceBook, OpenID and the next mountain to climb

Eran Hammer-Lahav eran at hueniverse.com
Tue Sep 16 23:41:56 PDT 2008


Dick Hardt wrote:
> Last time I looked, OAuth and OpenID were different as well. So much
> for reuse of work in the Open Web. Standardizing this and having it in
> libraries would help developers.

When OAuth came up with its security model and assertion verification process (using tokens) it examined the OpenID solution and concluded that it was too complex for most developers to implement, and also raised concerns about its use of DH crypto. The reality is, many people are even having problems with OAuth's signature workflow (which I'll take some blame for, as the spec can use improvements and clarifications).

David and I had many conversations regarding the possibility of merging the underlying methods of both protocols. I even wrote about it back in January to almost no community interest (http://www.hueniverse.com/hueniverse/2008/01/the-war-of-the.html). The bottom line is, if you add a feature or two to each one, they can completely replace the other.

> The functionality they wanted to expose is currently not
> in the OpenID specifications -- and I think the user experience is
> superior with Facebook Connect than OpenID.

Like what? Everything I have seen so far is easily doable with both OAuth and OpenID, and both are designed to be extended. Even if you require proprietary extensions to support your use case, it is far better than writing everything by yourself. And yes, I do eat my own dog food.

Yahoo! was unable to implement OAuth Core 1.0 to its satisfaction and existing infrastructure requirements. It needed a small extension that was uniquely based on its proprietary architecture. But instead of pushing more of its BBAuth solution, we worked (hard) internally and with the community and partners to explain our unique requirements and find ways to generalize them for the benefit of others. We got AOL and Google as other large providers to work on this with us, and even pinged Microsoft. The resulting draft has been posted to the community for public review, and Yahoo! is committed to changing its implementation if the community eventually tweaks the solution.

Yahoo!'s experience with OpenID wasn't that different with regard to changes and tweaks needed to allow it to pass Yahoo!'s security review. In both cases the executive decision was to find ways to work with open specifications even if proprietary ones can produce quicker or somewhat better (technical) results.

As for the superior user experience, they already moved away from using the sleek iframe layer solution they had before and switched to opening another browser window with a full address bar instead. I guess they finally realized how bad the security was in their original design. But either way, there is nothing in OpenID to prevent it from driving the same user experience.

> I don't think that the Facebook team wanted to reinvent anything -- so
> if the tech was already available to do what they wanted, they would
> have used them.

(No one expects me to be polite about this one)

HORSESHIT!

First, they never made the effort to truly engage the community and understand either specification. Second, for the most part, they reused existing Facebook pieces to create Facebook Connect. Those pieces could have been converted to, or had support added for, OpenID and OAuth a long time ago. And third, this is exactly what they wanted to do - these are some of the brightest minds in the industry and they know what they are doing.

EHL