Simon Willison’s Weblog


213 items tagged “openid”


Does Company ‘X’ have an Azure Active Directory Tenant? (via) Neat write-up from Shawn Tabrizi about looking up if a company has Active Directory single-sign-on configured (which is based on OpenID) by checking for an OpenID configuration endpoint. I particularly enjoyed this new-to-me trick: Google’s “I’m Feeling Lucky” search button redirects to the first result, which means it can double as an unofficial API endpoint for returning the URL of the first matching search result.

# 1st October 2022, 8:15 pm / openid, google, microsoft


Implementing IndieAuth for Datasette

Visit Implementing IndieAuth for Datasette

IndieAuth is a spiritual successor to OpenID, developed and maintained by the IndieWeb community and based on OAuth 2. This weekend I attended IndieWebCamp East Coast and was inspired to try my hand at an implementation. datasette-indieauth is the result, a new plugin which enables IndieAuth logins to a Datasette instance.

[... 1,225 words]


37signals Product Blog: We’ll be retiring our support of OpenID on May 1. The support costs far outweighed the benefits to customers, especially now that 37signals have their own single sign in mechanism that works across all of their products.

# 25th January 2011, 4:17 pm / 37-signals, openid, recovered


What are some scalable OAuth and OpenID server implementations?

Any OAuth library should scale horizontally—I can’t see how any one library would be a better choice than another.

[... 36 words]

Vox is closing on September 30, 2010. One month seems like very short notice for closing a service of this size, especially since it functions as an OpenID provider so in addition to migrating their content away users may need to sign in to other services and set up an alternative form of authentication. UPDATE: From the comments, Vox accounts that migrate to TypePad will also have their OpenID migrated, and TypePad will continue to serve OpenID requests for old addresses. Smart solution.

# 3rd September 2010, 8:50 am / closing, openid, sixapart, vox, recovered

RasterWeb: Lanyrd. Pete Prodoehl calls me out on Lanyrd’s integration with the Twitter auth API at the expense of OpenID. I’ve posted a comment with my justification—essentially, tying to Twitter’s ecosystem means I can actually implement the features I’ve been talking about building on top of OpenID for years, with far less engineering effort.

# 31st August 2010, 8:49 pm / identity, oauth, openid, pete-prodoehl, twitter, recovered

App Engine at Google I/O 2010. OpenID and OAuth are now baked in to the AppEngine users API. They’re also demoing two very exciting new features—a mapper API for doing map/reduce style queries against the data store, and a Channel API for building comet applications.

# 20th May 2010, 3:30 pm / appengine, comet, google, mapreduce, oauth, openid, recovered

Stack Overflow Blog: OpenID, One Year Later. Google’s support is a huge deal—61% of Stack Overflow accounts use Google. Google’s implementation of directed identity has caused problems though, since Google provide a different OpenID for each domain making it hard for Stack Overflow, Server Fault and Super User to correlate accounts. Their solution is to require a (verified) e-mail address from Google OpenID users using sreg and use that as a key for the accounts.

# 14th April 2010, 8:46 pm / openid, stackoverflow, google, directedidentity, email, sreg, login, registration

RFC5785: Defining Well-Known Uniform Resource Identifiers (via) Sounds like a very good idea to me: defining a common prefix of /.well-known/ for well-known URLs (common metadata like robots.txt) and establishing a registry for all such files. OAuth, OpenID and other decentralised identity systems can all benefit from this.

# 11th April 2010, 7:32 pm / rfc, urls, wellknownurls, openid, oauth, robots-txt


Yahoo! OpenID: Now with Attribute Exchange! The nice thing about this is that an e-mail address obtained from Yahoo! via attribute exchange has already been verified, so you don’t need to perform the e-mail roundtrip yourself. I expect a lot of OpenID consuming sites will end up with internal whitelists of OpenID providers who they trust to provide verified e-mail addresses, with users of sites not on the whitelist still getting e-mailed a verification link.

# 5th December 2009, 5:25 pm / verification, email, openid, yahoo, attributeexchange

OpenID: Now more powerful and easier to use! The OpenID+OAuth hybrid protocol (where a user can sign in with OpenID and grant an application access to their OAuth protected resources such as a contact list at the same time) is now supported by Google, Yahoo! and MySpace—this feels like OpenID finally coming of age.

# 25th September 2009, 9:08 pm / openid, oauth, hybrid, google, myspace, yahoo, identity

Evidence of OpenID at Amazon. It looks like Amazon are using OpenID for SSO between their different properties—I clicked a link to sign in to AWS and the URL had OpenID query string parameters.

# 6th July 2009, 1:25 am / openid, amazon, sso, aws

Facebook Usernames and OpenID

Today’s launch of Facebook Usernames provides an obvious and exciting opportunity for Facebook to become an OpenID provider. Facebook have clearly demonstrated their interest in becoming the key online identity for their users, and the new usernames feature is their acknowledgement that URL-based identities are an important component of that, no doubt driven in part by Twitter making usernames trendy again.

[... 760 words]

Exclusive: The Future of Facebook Usernames. I have to admit I was planning to just let Facebook get on with it, assuming that the OpenID provider part would show up of its own accord—but maybe I should write a thoughtful and persuasive essay about it after all.

# 11th June 2009, 9:46 am / facebook, anil-dash, openid, funny, urls

Sign in with Twitter. Intriguing: Twitter are now an OpenID-style identity provider... using OAuth.

# 20th April 2009, 4:10 am / oauth, twitter, openid

“Recover my account” link on the login page. For the record, collecting and verifying e-mail addresses is a VERY good idea, even (especially?) if you accept OpenID. A verified e-mail address is still absolutely the best way to deal with lost passwords or “my OpenID isn’t working”.

# 16th February 2009, 10:22 pm / email, accounts, identity, openid

Plaxo sees 92% success rate with OpenID/OAuth hybrid method. Really wish I could have been at the OpenID UX Summit hosted by Facebook yesterday—sounds like an awful lot of important problems are being solved.

# 11th February 2009, 5:20 pm / facebook, openid, plaxo, comcast, google

... Facebook will be hosting the second User Experience Summit for OpenID on February 10th. The goal is to convene some of the best designers that leading internet companies can muster, and bring them together to develop a series of guidelines, best practices, iterations, and interfaces for making OpenID not just suck less, but become a great experience

Chris Messina

# 6th February 2009, 12:19 am / facebook, openid, chris-messina, usability

Want Proof OpenID Can Succeed? Just Scroll Down. “It’s easier for blogs, which don’t need a lot of demographic information about a user, to let people jump in and start participating socially without filling out a registration form.” Aargh. Repeat after me: supporting OpenID does not mean you can’t require additional registration details through a signup form.

# 16th January 2009, 12:16 pm / openid, registration, wired

Wetpaint no longer supports OpenID. I missed this, but they turned off their OpenID support in November due to low usage and high maintenance costs.

# 8th January 2009, 2:53 pm / openid, wetpaint

Talking about OpenID. “So a relying party walks in to a bar...”

# 5th January 2009, 10:46 am / openid, jargon, relyingparty, comic


Getting OpenID Into the Browser. David Recordon makes the case for online identity management as a key browser feature (I like the “your browser is currently locked” concept), and argues that Gears is in a great position to deliver it.

# 3rd December 2008, 10 am / gears, david-recordon, identity, browsers, openid

Clearing up inaccuracies about the Google OpenID IDP launch. Google took some undeserved flack when they launched their OpenID provider. For the record, whitelisting providers fits my definition of the “Open” in OpenID perfectly (providers and consumers are free to impose whatever policies they like).

# 8th November 2008, 11:11 pm / whitelisting, openid, google

New OpenID Implementations Abound. I’ve missed linking to a bunch of OpenID news recently—in particular, Google Accounts are becoming OpenID identifiers and LiveJournal has quietly ugraded its consumer support to OpenID 2.0.

# 30th October 2008, 5:11 pm / openid, google, livejournal, openid2, martinatkins

In the final Production release we will be adding the ability to sign in to the Live ID OpenID Provider using any of the credential types that can be used with regular Live ID sign-in's -- including CardSpace, SmartCard, eID, etc.

Jorgen Thelin

# 30th October 2008, 5:09 pm / cardspace, smartcard, eid, windowslive, openid, jorgen-thelin

Windows Live Adds Support For OpenID. I hope they include the option to log in to the provider using CardSpace, to address phishing.

# 27th October 2008, 9:34 pm / phishing, cardspace, openid, microsoft, techcrunch, live

Yahoo! Releases OpenID Research. Extremely valuable research, conducted with a group of typical Yahoo! users. OpenIDs usability remains bad, and if we don’t get it right soon something centralised like Facebook Connect will take over and the Web will stop being open.

# 14th October 2008, 4:59 pm / facebook, facebookconnect, openid, usability, yahoo, research

Google’s Usability Research on Federated Login. Fascinating—suggests an approach to federated auth based on the “Yes, I have a password” login flow. Feels convoluted to me but apparently it tests really well against a mainstream audience. The more research shared around this stuff the better.

# 22nd September 2008, 8:56 pm / google, usability, openid, login, amazon, authentication, federated

New authentication schemes such as OpenID, or Microsoft's CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter.

Tim Anderson (in the Guardian)

# 29th August 2008, 10:01 am / captcha, tim-anderson, guardian, openid, cardspace, security

OSCON in 37 minutes. 45 OSCON talks summarised by their presenters in just 37 minutes, compiled by Gregg Pollack. I get to rant about OpenID for a minute at 27:22.

# 29th July 2008, 11:59 pm / openid, video, oscon, greggpollack