Simon Willison’s Weblog


Six cool things you can build with OpenID

25th February 2007

I’ve posted the slides from my Future of Web Apps talk on OpenID, minus the demo videos. I’m planning to put together a video that combines the slides, demos and audio once the official podcasts have been published.

Apart from explaining what OpenID is and how it works, the key point I was trying to get across in the talk was that OpenID is a simple piece of infrastructure on which smart applications can be built—applications that may not have been possible prior to the adoption of OpenID. This is due to two important characteristics of OpenID. The first is that OpenID significantly lowers the effort needed in creating an account, to the point that people might sign up for accounts with services that they otherwise would not have used. The second is that OpenID provides a globally unique identifier that can be used to correlate information across multiple services.

Light-weight accounts

Vanilla OpenID gives almost no useful information about a user and provides no defence against spammers; for many applications it makes sense to couple OpenID logins to a one-time account creation process, requesting additional details and using e-mail verification and CAPTCHAs to deter automated scripts.

There are plenty of services for which this is not an issue. One neat use-case for OpenID is as a simple tool for extending the lifetime of session cookies, or sharing those sessions between different machines. If your site offers simple customisation features that are only of interest to the user (and hence have no value to spammers) you can use OpenID to persist their preferences. All you need is a way for a user to prove that they’re still the same person they were yesterday.

Pre-approved accounts

OpenID lets you create accounts for people without e-mailing them a password, or even talking to them before you sign them up. There are lots of useful things you can do with this ability:

  • Let your trusted friends delete spam comments from your blog, or fix your typos.
  • Invite a selected group of people to contribute to your new collaborative weblog, without having to create new accounts for it or deal with yet another password.
  • Invite friends to view a private document or photo gallery, pre-approving their public OpenIDs as able to authenticate with your site.

Restricted SSO

Once more of the popular open-source applications start supporting OpenID, I can see it really taking off as a simple SSO standard behind the corporate firewall. Create an OpenID for everyone in your organisation of the form, then configure your internal applications (MediaWiki, phpBB, WordPress etc) to only accept OpenIDs that match that format.
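One way an internal application could enforce such a format check, as an added example that is not code from the original post. The identifier layout `https://openid.example.internal/<username>`, the host name and both function names are assumptions made for illustration; the block contrasts a string-prefix test with an exact comparison on the parsed URL.

```python
import re
from urllib.parse import urlsplit

# Assumed layout, for this example only: https://openid.example.internal/<username>
ALLOWED_HOST = "openid.example.internal"
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,63}")


def naive_is_internal(claimed_id):
    """Weak check: a string prefix says nothing about where the host name ends."""
    return claimed_id.startswith("https://" + ALLOWED_HOST)


def employee_from_openid(claimed_id):
    """Return the username for an internal OpenID, or None if it does not match.

    Apply this only to an identifier that has already been verified with its
    provider; it decides who may log in, not whether the login is genuine.
    """
    # Refuse whitespace, control and non-ASCII characters before parsing.
    if not claimed_id.isascii() or not claimed_id.isprintable() or " " in claimed_id:
        return None
    try:
        parts = urlsplit(claimed_id)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or port not in (None, 443):
        return None
    # hostname is lower-cased and excludes userinfo and port; compare it exactly.
    if parts.hostname != ALLOWED_HOST or "@" in parts.netloc:
        return None
    # This example's layout has no query string or fragment.
    if parts.query or parts.fragment:
        return None
    match = USERNAME_RE.fullmatch(parts.path[1:])
    return match.group(0) if match else None


# Constructed sample identifiers, not taken from the post.
SAMPLES = [
    "https://openid.example.internal/alice",
    "https://OpenID.Example.Internal:443/bob.smith",
    "https://openid.example.internal.evil.example/alice",
    "https://openid.example.internal@evil.example/alice",
    "http://openid.example.internal/alice",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, naive_is_internal(sample), employee_from_openid(sample))
```

The third and fourth samples pass the prefix test even though their host is not the internal provider, which is why the comparison is made on the parsed host name rather than on the raw string.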

Site-specific hacks

Lots of sites are setting themselves up as OpenID providers, leading to many users having multiple OpenIDs; I have OpenIDs from Vox, LiveJournal and AOL, all of which were created as a side-effect of me using those services.

I don’t see this as being a problem. As a user, I can pick which is my “primary” OpenID (and use delegation so I can switch providers if I change my mind). Those other OpenIDs can still be useful though, because they let us build functionality that takes the providing site into account. Here are a few examples:

  • “Log in with your LiveJournal OpenID and we’ll import your LJ contacts using your FOAF file” ( does something along these lines).
  • “Log in with your AOL OpenID and we’ll send you status updates over AIM.”
  • “Log in with your OpenID and we’ll add events from bands you like to your calendar.”

Sites that offer APIs should start thinking about how they can use OpenID as a simple vector for pushing data out to third party applications.

Social whitelists

I’ve talked about these previously; Tom Coates has further thoughts. By sharing whitelists we can use OpenID to build a simple trust network.

A similar concept is that of publishing groups. Jyte offers a simple API to export the members of a Jyte group. Not only does this make groups portable to other services, it also lets you build an authentication mechanism for a site that only allows members of a specific published group to log in to a service.

Decentralised social networks

The problem with social networks is that you end up with profiles scattered across multiple different sites, and friend relationships that are duplicated in multiple places. The globally unique identifier offered by OpenID offers the basis for a decentralised social network, with profiles tied together across multiple sites and relationships easily portable between services.

Hopefully the above ideas explain why I am personally excited about OpenID, and why I’m dedicating so much time to encouraging its adoption. The more people there are that understand and use OpenID, the more interesting applications we can build with it.