
Simon Willison’s Weblog

idproxy.net: Use your Yahoo! account as an OpenID

In an ideal world, some or all of the sites with large user databases (Yahoo!, AOL, Google, Amazon and so on) would act as OpenID providers, allowing their users to sign in to OpenID supporting sites around the Web. Until that happens, people who want to use OpenID need to sign up for Yet Another Account to do so.

idproxy.net, launched today, is my attempt at speeding up the process. It uses Yahoo!’s Browser-Based Authentication API to allow you to sign in with a Yahoo! account, then lets you create one or more OpenIDs (of the form something.idproxy.net) to use with sites that support the OpenID standard.

In effect, it lets you use your Yahoo! account as an OpenID.

Phishing protection

I’ve built in a couple of features to help protect users against phishing attempts.

The first is based on Andreas Gohr’s MonsterID. When you log in for the first time, you are asked to pick one from a selection of four random monsters. Your monster will greet you when you log in to the site, helping defend against malicious sites that try to copy the “logged in” view.

The second is a landing page based on my suggestion from last week, which requires you to log in manually or with a bookmark rather than presenting you with a login link directly. This is similar to MyOpenID’s SafeSignIn feature, but it’s on by default and you can’t turn it off.

The nature of the site means that a successful phishing attack would have to compromise your Yahoo! account as well. Yahoo! have their own phishing prevention in the form of the Yahoo! personalized sign-in seal (similar to the idproxy.net monster, but visible before you log in).

Other providers

An older (unreleased) version of the site included support for Flickr, Upcoming and Google authentication. I’ve dropped those in favour of Yahoo! for a couple of reasons. Firstly, supporting just one form of authentication makes the site easier to explain. Secondly, none of those APIs were designed with single-sign-on in mind. All three exist primarily to give a third party service access to your data; as such, their authentication flows include permission pages which warn that idproxy.net will have access to your private photos, events or calendar.

I’m very open to suggestions and feature requests. The top of my list at the moment is an interface for viewing and changing the list of sites which always have access to your identity.

This is idproxy.net: Use your Yahoo! account as an OpenID by Simon Willison, posted on 27th January 2007.


50 comments

  1. Cool stuff. I think people should be able to adjust their "profiles", i.e. change the real name and the monster icon. And someone should come up with better looking monsters really ;).

    Martin Jansen - 27th January 2007 15:57 - #

  2. Great! Works better than SafeSignId (records the requests from RP). "Monster" upload would be nice (I'd upload my mirror monster ;)).

    Going to blog about it, bye!

    Marcin Jagodzinski - 27th January 2007 16:13 - #

  3. Worked like a charm, and gave me a chance to set up my Y! "safe seal".

    One thing: I tried to register "Iñtërnâtiônàlizætiøn", but was told that it could not be registered -- I wasn't sure if this meant it had already been created or if it was exposing a bug in the charset handling.

    Paul Smith - 27th January 2007 16:57 - #

  4. A valiant effort, and a great POC, but my gut feel says this won't drive OpenID usage.

    For whatever reason, using my Yahoo login via a "untrusted" site *feels* less secure than just creating a new account. Even though as a technologist, I'm aware of the security steps in place for the BBAuth API, my unconscious self would be more worried about this being an elaborate phishing trip for Yahoo IDs.

    (Of course, there's a 95% chance that any user's going to use the same username & password to sign up for MyOpenID that they already use for their Yahoo account.)

    Rod Begbie - 27th January 2007 17:17 - #

  5. Well done! I agree somewhat with Rod's comments; maybe this will serve as a wake up call for the Yahoos and Googles of the world.

    jpreardon - 27th January 2007 17:36 - #

  6. Yahoo? What if one doesn't have a Yahoo account... *wishes for Google Account support, if possible*

    Stephen Paul Weber - 27th January 2007 17:46 - #

  7. Sweet! I've been thinking about doing the same thing for a while now.

    I'm still interested in doing this for other single-sign-on systems - mostly Google's AuthSub, but also OSIS (ie CardSpace) and Higgins, as well as the ones you mentioned.

    Any chance you'd consider releasing the idproxy.net source? I probably wouldn't find any better workaround(s) to the issues you raised with those systems, but I'd love to take a crack at it.

    Ryan Barrett - 27th January 2007 18:10 - #

  8. Nice indeed! Thanks for the wrapper!

    Jannis Leidel - 27th January 2007 22:19 - #

  9. Or, whether IRIs are valid OpenIDs. Point being, the error message could be made more explicit.

    Paul Smith - 27th January 2007 23:34 - #

  10. Paul: that's deliberate; since the OpenIDs created are of the format something.idproxy.net (and I really didn't want to get in to IRIs or similar) I've deliberately restricted them to an ascii string. I'll update the error message to reflect that.

    Rod: this is meant more as a demonstration that if you build an Auth API but don't support OpenID a middle-man will just spring up that supports it for you. That said, if people use it and find it useful then all the better.

    Simon Willison - 27th January 2007 23:43 - #

  11. "500 Error Server error."

    Hope you wake up and fix this before it really does get Dugg :)

    Dave Beckett - 28th January 2007 01:41 - #

  12. I've tweaked things a bit to hopefully avoid further server errors. I'll see how things held up when I wake up in the morning...

    Simon Willison - 28th January 2007 02:51 - #

  13. Ryan: the source code isn't particularly releaseable as-is, but I'm going to be packaging up the important bits (the OpenID server logic, and probably the BBAuth authentication) as open-source Django applications in the near future.

    Simon Willison - 28th January 2007 02:54 - #

  14. Brilliant.

    Randy Reddig - 28th January 2007 03:55 - #

  15. Very, very nice. Here's hoping it'll convince many a Yahoo! user to play around with OpenID. :)

    Carlo Zottmann - 28th January 2007 08:36 - #

  16. Well done Simon. I do think it's valuable to have these services to act as a bridge between the "old way" and the "new way". Hopefully Yahoo! (and others) will see a demand for this sort of service and do OpenID themselves at some point.

    Martin Atkins - 28th January 2007 11:52 - #

  17. Kick ass. Nicely done, Simon. :-)

    You Made The Baby Yahoo Cry! - 28th January 2007 16:26 - #

  18. Hey Simon, I was actually working on the same thing (I talked about it previously (http://eran.sandler.co.il/2007/01/16/proxy-openid-services/))

    You actually beat me to it in a couple of days after I had some problems releasing it last week ;-)

    Perhaps we should talk about some of the ideas I have about such a service.

    You can see some of the stuff I was thinking about here: http://eran.sandler.co.il/2007/01/28/idproxynet-and-openidbridgecom-or-im-late-again/

    Eran Sandler - 28th January 2007 18:25 - #

  19. Great stuff. How about bringing the Google support back?

    Dmitry Shechtman - 28th January 2007 21:07 - #

  20. Something bad has happened.

    'www' can not be registered. Allowed characters are a-z and 0-9.

    Dmitry Shechtman - 28th January 2007 21:26 - #

  21. Great. Thanks for the post.

    Krish - 28th January 2007 23:04 - #

  22. Dmitry: I've got a blacklist of a whole bunch of subdomains I don't want people registering, like 'www' and 'blog' and 'secure'. Google support is tricky as you need to tie in to a specific Google service in order to get an identifier from them - my previous version required a Google Calendar account in order to work.

    Eran: let's talk!

    Simon Willison - 28th January 2007 23:15 - #
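
The registration rules described in comments 10 and 22 (ASCII only, a-z and 0-9, a blacklist of reserved subdomains), sketched as an added example that is not idproxy.net's own code. It returns a separate reason for each kind of rejection, so a reserved or already-registered name is not reported as a character problem; the function names, messages and the length limit are assumptions.

```python
import re

# 'www', 'blog' and 'secure' are the names quoted in the thread; the full
# list used by the site is not published, so this set is illustrative.
RESERVED = frozenset({"www", "blog", "secure"})
ALLOWED = re.compile(r"[a-z0-9]+")   # the rule quoted in the site's error
MAX_LABEL = 63                       # longest label DNS permits

MESSAGES = {
    "empty": "Please enter a name.",
    "non_ascii": "'{name}' contains non-ASCII characters; use a-z and 0-9 only.",
    "too_long": "'{name}' is longer than 63 characters.",
    "bad_chars": "'{name}' contains characters other than a-z and 0-9.",
    "reserved": "'{name}' is a reserved name and can not be registered.",
    "taken": "'{name}' is already registered.",
}

def check_label(raw, taken=frozenset()):
    """Return (True, label) or (False, reason) for <label>.idproxy.net."""
    if not raw:
        return False, "empty"
    # Test for ASCII on the raw input, before lowercasing: Unicode case
    # mapping can produce plain ASCII (U+212A KELVIN SIGN lowercases to
    # 'k'), which would let a non-ASCII input pass the a-z0-9 rule.
    if not raw.isascii():
        return False, "non_ascii"
    label = raw.lower()   # assumption: names are compared case-insensitively
    if len(label) > MAX_LABEL:
        return False, "too_long"
    if not ALLOWED.fullmatch(label):
        return False, "bad_chars"
    if label in RESERVED:
        return False, "reserved"
    if label in taken:
        return False, "taken"
    return True, label

def error_message(raw, taken=frozenset()):
    """User-facing text for a rejected name, or None if it is acceptable."""
    ok, reason = check_label(raw, taken)
    return None if ok else MESSAGES[reason].format(name=raw)
```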

  23. Nice one Simon, I will give it a try tomorrow evening. Surprised that our friends in Sunnyvale hadn't embraced this sooner as it would make product distribution deals much easier.

    Ged Carroll - 28th January 2007 23:49 - #

  24. Simon, that was really easy to use. I like the monsters idea as well really elegant. Will post about this tomorrow evening. Nice one Ged

    Ged - 29th January 2007 00:15 - #

  25. Simon, excellent stuff!

    Possible enhancement - suggest the OpenID to be created using my Yahoo username (you do get access to that, don't you?)

    William Tan - 29th January 2007 02:23 - #

  26. William: I'd like to do that, but the Yahoo! auth API doesn't give you access to that user's Yahoo! ID (to help protect people's privacy). It gives you an anonymised user hash instead, which can be used to work out if the person logging in via the API is someone that you have seen before.

    Simon Willison - 29th January 2007 04:00 - #

  27. I was surprised at how easy it was to create an Openid using my yahoo id, setup my sites to use Openid, and login to post comments using my websites. Pretty cool! Great job!

    Bill Huber - 29th January 2007 14:45 - #

  28. Great work Simon! I'm posting this comment using my idproxy

    Juan Pablo Aqueveque - 29th January 2007 15:13 - #

  29. Good stuff. I had heard of openid before but never bothered looking that closely at it before. Now you've made it nice and easy to use I might take a closer look.

    Simon B - 29th January 2007 15:48 - #

  30. Nicely done!

    Phillip Winn - 29th January 2007 18:08 - #

  31. Would it be possible to create an open/idproxy for Active Directory accounts?

    Matt Kennedy - 29th January 2007 19:51 - #

  32. Simon, this is ingenious. I've been wanting to build a tool for BBAuth for logging into Wikitravel (http://wikitravel.org/) for a while, but now I can just recommend to users who want to login with their Yahoo! accounts to use our OpenID login (http://wikitravel.org/en/Special:OpenIDLogin) and idproxy.net. Wonderful job, and thanks so much for this service.

    Evan Prodromou - 29th January 2007 19:54 - #

  33. Simon, I've posted a dummy's guide here with screenshots to hold people's hand through the process: http://renaissancechambara.com/blog/2007/01/30/open-id-as-easy-as-123/

    Ged - 30th January 2007 00:14 - #

  34. I know it's early and more features may be forthcoming, but it would be nice if you could edit the name you give to the idproxy.net service.

    Brilliant, though.

    Will - 30th January 2007 05:12 - #

  35. "Wake-up call to Yahoo"

    Let's hope so.

    dbt - 30th January 2007 19:16 - #

  36. Thanks for working hard to continue the uptake of OpenID.

    Ben Finney - 1st February 2007 05:20 - #

  37. Great idea. would be nice to have one log in for more than one account instead of 40-50 login names, etc.

    Rogers Place - 3rd February 2007 00:44 - #

  38. Decent idea, but please work with anyone except Yahoo. I don't hate them, I just can't make myself complete sign-up process which asks for all kinds of intrusive personal information. I understand that the google support is tricky, but it's worth it in the long run, and the number of google account holders who don't use any google services has gotta be kinda small, right?

    Mr. Gunn - 5th February 2007 20:29 - #

  39. About phishing, what do you think about https://www.pwdhash.com/ ?
    The firefox extension is really user friendly (in a password field, put @@ before your password), and it will hash your password with the website base url. So you'll have a different password according to the site you log in, so basically you'll enter a different password on myopenid.com and myopenid.com.ca.

    Syl - 9th February 2007 17:26 - #

  40. This is great! Well, for people who don't have OpenIDs yet...

    Josh Smith - 11th February 2007 00:09 - #

  41. @Simon Willison:
    I've got a question to your service at idproxy.net:
    Other sites like myopenid.com let me choose which information should be transmitted to the sites I log on.
    But idproxy.net doesn't tell me which of my information it is sharing!

    So this is the only thing that makes me insecure ... I definitely want to know which site knows my real name and/or my E-Mail address!!

    It would be great if you could include a dialog that asks which information should be transmitted - or even lets me create different personas (like at myopenid.com)

    Thank you for your attention
    Marc

    Marc - 5th March 2007 14:39 - #

  42. Marc: the feature you're talking about is called simple registration. At the moment idproxy.net doesn't support it at all, so no information is being shared (apart from your OpenID). I want to add attribute exchange soon, and when I do the interface will be similar to myopenid.com - it will ask for your permission before sharing any information. I plan to include personas as well.

    Simon Willison - 5th March 2007 16:39 - #

  43. Thanks for your quick answer!

    It's very good to hear that no information is being shared.
    I also can live without that attribute exchange, so it's not that urgent to include (at least for me).

    I think I forgot to write, but I also thank you a lot for your work!

    .

    btw: the monsters are a very nice idea *g*. Perhaps it is also possible to use the Yahoo! avatars?

    Marc - 5th March 2007 20:53 - #

  44. Marc: unfortunately the Yahoo! APIs don't give me access to the avatar - they don't even let me know the user's Yahoo! ID.

    Simon Willison - 5th March 2007 22:45 - #

  45. Simon,
    Are you going to do the same thing for Gmail account?

    I am interested in making it work, let me know if you need a hand.

    Larry - 6th March 2007 07:31 - #

  46. Yes, I would have to concur - if there's anything I can do to help you integrate w/ Gmail, let me know. Exciting stuff
    Ti

    Tison - 25th March 2007 20:44 - #

  47. Using idproxy.net, after successfully authenticating at Yahoo's and after successfully creating an identity at idproxy.net, creating a second identity fails with the following error message:

    'gharbeia' can not be registered. Allowed characters are a-z and 0-9.

    Ahmad Gharbeia - 10th April 2007 21:31 - #

  48. Someone should do something like this for Facebook...

    Stephen Paul Weber - 16th April 2007 18:06 - #

  49. It would be nice if google enhance this feature in gmail, maybe they heard that...

    Marco - 10th August 2007 13:45 - #

  50. The issue with BBauth is that one can give any name that one wants. If I happen to take out Simon Willison before you or I am a different Simon, how do I ban the naughty Simon at my blog or CMS?

    Mark Wonsil - 18th September 2007 22:22 - #
