A neat feature
of the OpenID technology is that it allows you, the developer, to verify that the
user indeed has ownership of a URL endpoint. I had stated earlier that lifestreaming
services are going to find this feature very useful. Services like FriendFeed,
Plaxo Pulse (and of course, MyBlogLog) can enable users to verify ownership of their
various online identities/profiles, thereby promoting more authentic activity
feeds and eliminating the impersonation scenarios that will inevitably come up.
More generally, once a user has proved to your service that he owns a particular URL endpoint using OpenID,
interesting things can follow. Your service could retrieve (you should do this under user
consent and control, of course) user attributes that lie at the verified URL
endpoint. The retrieval is significantly easier if the attributes are marked
up with the appropriate microformats. I am sure people will come up with many interesting features by combining this simple, yet powerful, capability with technologies
like YADIS, FOAF/XFN, MicroID.
Now, for
the big news of the day. Today, we rolled out support for MyBlogLog profile
URLs as OpenID identifiers (Ian Kennedy's post on the MyBlogLog blog). With this change, we have also eliminated the only-one-custom-OpenID-identifier
per-account restriction. This means that you can select both your Flickr photostream AND your MyBlogLog
profile URL as your OpenID identifiers, in addition to creating a pretty
me.yahoo.com identifier. Simon, we heard you loud and clear. :-) This change is especially
exciting because the folks at MyBlogLog have been awesome about implementing support for hcard,
XFN, FOAF, in addition to hosting a pretty rich profile complete with the New With Me
activity streams feature. We hope that you will find this change useful and
that it can act as an enabler for more fun applications of the OpenID technology
in the future.
To set your MyBlogLog profile URL as your OpenID identifier, start here (requires logged-in state).
If you've been following someoftheposts on this blog, you've hopefully drank the kool-aid on the view of identity standards like OpenID and OAuth as the fundamental building blocks for more interesting and interoperable apps on the web. At Yahoo!, we've been thinking hard about the value of adopting open standards instead of pushing proprietary products that have been in existence prior to these standards. We have also been talking to and working with the OAuth and OpenID communities on technical, business, and legal fronts. To put our money where our mouth is, in January 2008, we launched the public beta of the Yahoo! OpenID Provider, with an emphasis on significantly improving the OpenID user experience and allowing users to have the convenience of a single identity without the burden of understanding the technical underpinnings of OpenID.
Today, Ari Balogh (new Yahoo! CTO - see video below) publicly announced the broader Yahoo! Open Strategy at the Web 2.0 Expo keynote session (see Cody Simms' post on the Yahoo! Developer Network blog for the juicy details). A key element of this announcement is that, in the not-too-distant future, we will be supporting OAuth as THE STANDARD for authenticated API access for 3rd party developers that want to innovate on top of Yahoo!'s incredible assets and diverse array of services. This auth mechanism will work with web applications, thick-client (installed) applications, and embedded applications! For those who are not familiar with OAuth, it is a community-driven standard that allows 3rd party developers to securely access APIs that expose user data residing on services like Yahoo!. This is done in a way that:
the user doesn't have reveal his Yahoo! password to the 3rd party application - A good general practice
the 3rd party application only has access to the stuff that is necessary for its use, and nothing else (eg. only access my Address Book, and not my Mail or my billing information) - Scoped access is better than global, unfettered access to all my data
the user can easily revoke access if he no longer trusts or uses the 3rd party application - User is always in control
If you are familiar with Yahoo! BBAuth, you can think of OAuth as a standard way of doing what BBAuth enables. As a developer who's building interesting things on top of Yahoo! APIs and APIs of other companies that support OAuth, you will not need to write a whole lot of custom code to integrate with 'N' different authentication APIs which all essentially do the same thing. Besides, you can take advantage of open source client libraries for OAuth to reduce the time to implement the auth component of your service or mashup - instead, you can focus that time on building features that really delight your users.
Our announcement today represents a big win for the OAuth community's efforts and is a harbinger of even more interesting things in the near future. As always, stay tuned for more...
In case you haven't been keeping track, the fine folks at MyBlogLog have been working on some prettycoolthings recently. This afternoon, I was playing with my MyBlogLog profile. This brought me to their new About Me widget (its actually at least 2 months old, so yeah, I am slow). This is exactly what I had been looking for - a simple widget that can display who I am on the services I use across the web. It took me a bit longer than I would have liked to get the widget colors to somewhat match with this blog, but here it is (as of Feb 21, 2008):
Note that the About Me widget isn't the only benefit I get out of listing my services on MyBlogLog. I am eagerly looking forward to the activity aggregation/lifestreaming/activity streams functionality that they are going to release in the near future.
Now, it would be even cooler if I could optionally also verify all of my identities above, without providing my ID and password for each service. I wonder if any open technologies can be leveraged for this purpose. Wait! How about this one or maybe this one? ;-)
