OpenID login and APIs
Does anyone have an example of a site which:
- Offers OpenID login
- Has a remote API that allows you to log in using your OpenID rather than a username and password
How do you provide this, as a site owner? It’s not clear to me that OpenID works for machines to log into things (unless I go and set my OpenID to “always allow access” and then write a screen-scraper module for my OpenID provider).
This seems like something of a flaw in the OpenID concept. Hopefully I’m missing something.
Update: OAuth isn’t the answer here. My use-case for this is, say, a little script that allows me to post to Identi.ca. OAuth requires me (the “Consumer”) to request a “Consumer Secret” and a “Consumer Key” from Identi.ca. From my reading of the OAuth spec, that’s supposed to be specific to the script, not specific to the person running the script, which means that I can’t open-source the script (because then everyone will know my Consumer Secret). So in order for me to write an application that uses OAuth to authenticate to a site, either I can’t open source it, or everyone using the application has to apply for their own Consumer Secret and Consumer Key; at that point you might as well just set a password and not use OpenID! The OAuth spec says that “Service Providers should not use the Consumer Secret alone to verify the identity of the Consumer”, and goes on to “Where possible, other factors such as IP address should be used as well”, which as far as I can tell means “we like closed-source programs; if you want to open source something, then we don’t know how to solve that problem, so you lose”. Correct me if I’m wrong.
Sounds like you’re looking for something like OAuth? :-)
47 minutes later
Jeff: sorta. OAuth’s core thing is pretty much “give some external thing access to some but not all of my identity on some particular site”. It can be used for access to all my identity on a particular site (which is what I’d want were I logging in). The first draft of this post said “is OAuth the solution here?” and I took it out :)
50 minutes later
Hrm. OAuth requires the “consumer” (that’s me, writing my little script to grab data) to get a “Consumer Secret” from the provider. So that’s no good for open-source programs…
58 minutes later
If OAuth is the answer, then each site will have to randomly generate each user a Consumer Secret and then require you to add it to your program, in the same way that you add your username and password to Twitter clients now. This doesn’t seem ideal to me.
72 minutes later
This is pretty much what flickr_upload for Linux does: it requires an “API KEY” from Flickr to be able to work. The key of course doesn’t have to be hardcoded into the software.
78 minutes later
OAuth was designed to solve exactly this problem (by members of the OpenID community). The consumer secret is retrieved from the provider using an API call - it doesn’t need to be baked in to the application and the end user doesn’t need to know anything about it. All they have to do is visit a URL and click on the “let application X perform actions on my behalf” button, just like with the Flickr auth API.
86 minutes later
Simon: right, OK. Sounds a bit fiddly to set up if all you want is a fairly noddy script rather than a full-on application, but I suppose that’s the way in the new world order.
91 minutes later
I think Drupal 6 allows OpenID-based logins. (Create an account, add an OpenID to it and then you can use the OpenID to log in, etc.)
4 hours later
Is http://openidenabled.com/files/php-openid/docs/2.0.1/OpenID/tutorial_OpenID.pkg.html helpful?
4 hours later
I’d love to comment, but christ, your comments are a dog’s breakfast, lines a single word long overwriting each other so I can’t read what’s already been said.
5 hours later
James: yeah, I didn’t bother too much with IE support. I’ve now poked it so comment text isn’t overlain. Still not too bothered about IE support, though.
5 hours later
Actually, it doesn’t work well on FF 2 either.
5 hours later
I kicked up a minor fuss when OAuth was being developed over open source applications, and desktop applications in general (since it’s easy to extract secrets from desktop apps - see: http://ianloic.com/2006/12/23/flickr_authentication_security/). It looks like they made the language more stupid before releasing the spec. FAIL. I need to tell those guys off more often.
So, one fairly simple approach is to make users of the web application retrieve a token from the web site when they’ve logged in and put that into the desktop program that will be making requests. Make it something that copies & pastes nicely and only expires when you explicitly expire it or change your password.
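The copy-and-paste token approach described in the comment above, as an added example that is not code from the post or from any commenter: the site issues a random token to a logged-in user, stores only a digest of it (so a leaked database does not leak usable tokens), and the token stays valid until it is explicitly revoked or the user's password changes. The `TokenStore` class and its method names are assumptions for illustration.

```python
import hashlib
import secrets


class TokenStore:
    """Server-side store for long-lived, copy-and-paste API tokens (hypothetical)."""

    def __init__(self):
        self.users = {}   # username -> password version (bumped on each password change)
        self.tokens = {}  # sha256(token) -> (username, password version at issuance)

    def add_user(self, username):
        self.users[username] = 0

    @staticmethod
    def _digest(raw_token):
        # Only the digest is persisted; the raw token is shown to the user once.
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    def issue_token(self, username):
        # Called by the web app after the user has logged in (e.g. via OpenID).
        # token_urlsafe gives a value with no spaces or ambiguous characters,
        # so it copies and pastes cleanly into a script's config.
        if username not in self.users:
            raise KeyError("unknown user")
        raw_token = secrets.token_urlsafe(32)
        self.tokens[self._digest(raw_token)] = (username, self.users[username])
        return raw_token

    def authenticate(self, raw_token):
        """Return the username for a valid token, or None if it is unknown or stale."""
        entry = self.tokens.get(self._digest(raw_token))
        if entry is None:
            return None
        username, version_at_issue = entry
        # A password change bumps the version, which silently invalidates
        # every token issued before it, without needing to find and delete them.
        if version_at_issue != self.users.get(username):
            return None
        return username

    def revoke(self, raw_token):
        # Explicit revocation by the user from the web UI.
        self.tokens.pop(self._digest(raw_token), None)

    def change_password(self, username):
        # Password handling itself is out of scope; only the version bump matters here.
        self.users[username] += 1
```

The API endpoint then calls `authenticate()` on the token sent with each request instead of checking a username and password.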
13 hours later
I think that Ma.gnolia.com has already done some research about that. They have an API and they provide OpenID login, but you can’t use the API with OpenID.
Last time I talked to them about that, they explained to me that they would have to do the trick Ian explained: have the user copy/paste some token. Because that would be an awkward experience, it wasn’t super high on their priority list.
18 hours later
Comments look fine in FF3, but not on my Diablo-ized N810…
25 hours later
What are the differences between OpenID and Shibboleth? http://en.wikipedia.org/wiki/Shibboleth_%28Internet2%29
33 hours later