Friday, July 31, 2009

Revisiting OpenID and the Facebook Implementation

First let me say that I still believe OpenID is a good idea. The ability to link content between sites should always be in the control of the consumer.
I hope that we never see one company on the internet controlling all the user ids.
From these beliefs, here are my two cents on the Facebook and Google implementation of OpenID.
1. I think it is awesome that, according to the Facebook developers, they were able to complete the whole implementation without any more knowledge of Google than what is published in the public API.
I think that is huge. The ability for companies to form a relationship without ever signing a contract has to remove a barrier to entry. Now all that is necessary are some smart guys like the Facebook developers, and any company can link in the same way.
2. The use of a Facebook cookie. At first I couldn't imagine how Facebook made this magic happen. Then I cheated and opened up my desktop proxy software and traced the entire process. The key is that when you link an account on Facebook, they drop an opendid_p cookie. This cookie links your information for Facebook. The cookie is always present, even after you log off of Facebook. The cookie is the key. The next step is a little-known (to me anyways) call that OpenID has enabled in version 2.0, which allows for an immediate check. The identity-providing site simply returns the true/false value after checking the authentication.
3. I think this process is a huge improvement over other more clunky redirects. I am excited about the possibilities.
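The immediate check described in point 2, sketched from the relying party's side as an added example (not code from this post, Facebook or Google). The `openid.*` field names and mode values are those of OpenID Authentication 2.0; the endpoint URLs are constructed, and the `return_to` comparison is a simplified exact match.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
REQUIRED_IN_ASSERTION = ("openid.op_endpoint", "openid.return_to", "openid.response_nonce",
                         "openid.assoc_handle", "openid.signed", "openid.sig")

def build_immediate_request(op_endpoint, return_to, realm):
    """URL the relying party loads to ask the provider, with no user
    interaction, whether the user is already signed in there."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_immediate",  # the non-interactive variant
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)

def classify_response(return_url, expected_return_to):
    """Classify the provider's redirect back to the relying party.
    'setup_needed'         -> the "false" answer: the user must interact with the provider
    'assertion_unverified' -> the "true" answer, but NOT yet trustworthy
    'invalid'              -> malformed or unexpected response"""
    q = {k: v[0] for k, v in parse_qs(urlsplit(return_url).query).items()}
    if q.get("openid.ns") != OPENID2_NS:
        return "invalid"
    mode = q.get("openid.mode")
    if mode == "setup_needed":
        return "setup_needed"
    if mode != "id_res" or any(not q.get(k) for k in REQUIRED_IN_ASSERTION):
        return "invalid"
    if q["openid.return_to"] != expected_return_to:  # simplified: exact match only
        return "invalid"
    # Still required before logging anyone in: verify openid.sig over the
    # openid.signed fields, and reject a response_nonce seen before.
    return "assertion_unverified"

if __name__ == "__main__":
    # Constructed sample values; not real endpoints.
    rp = "https://rp.example/openid/return"
    print(build_immediate_request("https://op.example/auth", rp, "https://rp.example/"))
    negative = rp + "?" + urlencode({"openid.ns": OPENID2_NS, "openid.mode": "setup_needed"})
    print(classify_response(negative, rp))
```
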

What could be improved?

1. Registration. I wish that I could make all of this happen at one point. Maybe I didn't use Facebook but I want to use Facebook. I couldn't really go from Google to Facebook easily. I still have to complete a full registration and select a new password for Facebook. I keep thinking that Facebook should in some way provision me on the fly once I show up with a Google OpenID.
2. Logoff. I probably don't use every website's logoff functionality. I have to admit it. However, it's still a good idea. Opening a Facebook site and even using the logoff functionality really does not log you out completely. If you still have a Google cookie present, then you can navigate back to Facebook and get automatically authenticated. This just doesn't feel right to me.
