The word ‘open’ has been abused terribly in recent months (I’m looking at you OpenSocial and you AT&T/Verizon) but the recently completed OpenID 2.0 and OAuth Core 1.0 specifications are truly open. They really should be on the radar of every self respecting web developer that works on websites/APIs that require authentication (OpenID) and authorization/access-control (OAuth). Both are integral to any hope we have of evolving the existing world wide web into a truly open social network (or the giant global graph as timbl now calls it)
If you are looking for primers then you need go no further than Simon Willison’s How To use OpenID screencast (5 mins) and Explaining OAuth.
That said, minimal OpenID implementations won’t solve all authentication headaches. Phishing is a problem so I suspect OpenID enabled sites will need to employ white list providers as Tim and Dare highlighted this a while back.
.
Now we (the web community that is) need two things to happen.
- We need the big online identity silos like Google, Yahoo!, Microsoft Live, Facebook and MySpace - the sites whose login page average web users trust - to step up to the plate and act as OpenID providers.
- We need the big API sites like Google Maps/Charts/Base/…, Microsoft Live, Yahoo!/Flickr, Facebook to start working on enabling OAuth access to their APIs.
Note the overlap in the two lists above - yep, those guys own this part of the web. Which will be brave enough to move first? With final specifications in hand, no excuses, please go forth and implement and lets end this www account/data access hell we all live in.
