Simon Willison’s Weblog


Yahoo!, Flickr, OpenID and Identity Projection

7th January 2008

Via ReadWriteWeb, view source on a Flickr photostream page and search for “openid” and you’ll be rewarded with the following snippet:

<link rel="openid2.provider"
  href="https://open.login.yahooapis.com/openid/op/auth" />

Which means that Flickr pages will very soon be able to act as OpenIDs. The provider isn’t up and running just yet though; try authenticating with your Flickr OpenID on Jyte.com and you’ll get the following message:

Hey there! You have stopped by a bit sooner than we had expected. This feature is still being tested, so please check back in a few days.

The URL of the server is interesting as well: it suggests that Yahoo!’s OpenID support is designed from the start to apply to more than just Flickr. I wouldn’t be at all surprised to see similar links start to crop up on all kinds of other Yahoo! properties—anything that has a page which can be considered to represent a user account. This would make a lot of sense, because OpenID is good for more than just authentication. The OpenID protocol allows a user to assert ownership of a URL. This can be used for SSO-style authentication, but it can also be used to prove ownership of a specific account to some other service, a concept I’ve been calling identity projection.

If users can easily project their Flickr, Upcoming or del.icio.us identities to other sites, developers can start to build all kinds of neat things. Mashups, for one, get a whole lot more interesting when new users can easily bring their existing profiles from other sites with them. With any luck we’ll see Yahoo! start to adopt OAuth for authenticated API calls (which is itself based in part on the Flickr auth API) in the not too distant future, opening up even more possibilities.

A common misconception about OpenID is that it’s only really useful if users stick to using one identity. I’d be happy to see every one of my online profiles acting as an OpenID, not for SSO authentication (I’ll pick one “primary” OpenID to use for that) but so that I can selectively cross-pollinate some of my profiles to new services.

Back to Yahoo!, another interesting new URL is https://me.yahoo.com/. Again, there’s not much to see at the moment but it looks to me like this will become an endpoint for OpenID 2 directed identity. James Henstridge provides a useful explanation here, but the short version is that you’ll be able to enter “me.yahoo.com” into an OpenID field on a site and have Yahoo! pick an obfuscated, unique OpenID for your interactions with that site. This protects your privacy by preventing anyone from outside of Yahoo! from correlating your behaviour across multiple OpenID-enabled services, similar to how Yahoo!’s current BBAuth API provides applications with an opaque hash rather than a user’s Yahoo! screen name.

It looks like Yahoo! will only be supporting OpenID 2 and won’t provide a fallback for OpenID 1.x consumers. This means you won’t be able to use your Flickr OpenID on many existing consumer sites (including this blog), at least until they get around to updating their libraries. I expect Yahoo!’s implementation to be a major influence in encouraging OpenID 2 adoption.
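To make the compatibility gap concrete, here is an added example (not code from this post or from Yahoo!) of the HTML-based discovery step a consumer runs against a claimed page, using the link rel values defined by OpenID 2.0 (openid2.provider) and OpenID 1.x (openid.server). The class and function names, the https-only endpoint policy and the second sample page are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HeadLinkParser(HTMLParser):
    """Collects rel -> href for <link> elements that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # an unclosed <head> ends where <body> starts
        elif tag == "link" and self.in_head:
            attrs = dict(attrs)
            href = (attrs.get("href") or "").strip()
            # rel is a space-separated token list, e.g. "openid2.provider openid.server"
            for rel in (attrs.get("rel") or "").lower().split():
                if href:
                    self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html, supports_openid2=True):
    """Return (protocol_version, endpoint) for a claimed identifier page, or None."""
    parser = HeadLinkParser()
    parser.feed(html)
    candidates = [(1, "openid.server")]
    if supports_openid2:
        candidates.insert(0, (2, "openid2.provider"))  # prefer OpenID 2
    for version, rel in candidates:
        endpoint = parser.links.get(rel)
        # Policy assumed for this example: only accept https endpoints.
        if endpoint and urlsplit(endpoint).scheme == "https":
            return version, endpoint
    return None

# Constructed sample pages; only the <link> in the first is taken from the post.
FLICKR_STYLE_PAGE = """<html><head><title>photostream</title>
<link rel="openid2.provider"
  href="https://open.login.yahooapis.com/openid/op/auth" />
</head><body><p>photos</p></body></html>"""

BODY_LINK_PAGE = """<html><head><title>profile</title></head><body>
<link rel="openid2.provider" href="https://op.example/auth" />
</body></html>"""
```

A consumer that only understands OpenID 1.x (supports_openid2=False) finds no endpoint on the first page, and a link placed in the page body is ignored, so markup in user-supplied page content cannot name a provider.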

It’s three weeks short of a year since I launched idproxy.net, which provides Yahoo! account holders with a third-party OpenID via the BBAuth API. I couldn’t be happier to see Yahoo! taking steps towards cutting out the middle man.