Modern Web Identity: Why Your Web Applications Should Be Offering OpenID, OAuth, And Probably Facebook Connect

原文地址:http://hinchcliffe.org/archive/2009/04/15/16745.aspx

Are
you creating a new Web site and developing a user registration system
that requires new visitors to sign-up and create a user ID and password?
Stop now and read this. There are now more effective approaches for
dealing with Web accounts which are more powerful and are better for you
and your users.

The concept of Web identity has recently
undergone significant evolution that all Web developers and architects,
both consumer and enterprise, should be readily familiar with today.
These new identity options, specifically OpenID, OAuth, and Facebook Connect, when individually used can:

  • Make it easier, faster, and safer for users to establish their identity on your site.
  • Enable businesses to have single sign-on to your applications.
  • Turn your site into a platform for 3rd party applications which can access user data safely and securely.
  • Can integrate your site or application into the social experience of the user and their connections.

This
post explores these three new ways to provide user identity that will
make your Web applications work substantially better and make your users
more secure and satisfied. There are also some important caveats and
issues to be aware of and which we'll also discuss.

Backstory

One
of the parts of the classic Web that's unfortunately still with us is
the trusty old user ID and password combination, one per Web site.
That's because the Internet itself has no intrinsic identity system
built-in; anonymous access is the default and anything more
sophisticated has to be cobbled together one-off for each site. This
means most Web sites today implement user identity uniquely with
different sign-up processes, user ID requirements (sometimes you get to
pick, sometimes you have to use your e-mail address, and very often your
favorite ID is already chosen, etc.) Then there are varying password
length requirements if you are lucky, variable recovery processes if the
password is lost, and so on. This is the challenge of an open,
decentralized system (the Web) that has very little top-down design: How
to provide users control and consistency in an online world where there
are very few widely accepted user-centric open standards.

Interestingly,
this is the one of the rare instances where enterprises got it right
long before the Web and is now a relatively well-solved problem -- at
least inside the firewall -- with something known as single sign-on. Often referred to as SSO and embodied by technologies such as Kerberos, smart cards like RSA's SecurID, and Windows Integrated Authentication,
single-sign on ensures that users have just one single, consistent
identity and sign-in credentials. Single sign-on works then seamlessly
to enable them access to the various applications that they use on the
network. There is only one user ID and password to remember and it can
be reset, administered, or even shutdown centrally whenever required.

However,
these enterprise approaches -- as good as they have become -- are
generally unsuitable for the Web identity for several reasons; they are
either involve proprietary approaches (which is anathema to gaining the
support from the Web community which thrives on open standards), require
special hardware, or are too hard to implement consistently across the
hundreds of different languages, frameworks, and platforms that make up
Internet the today. In fact, anything that isn't aligned closely to the
way the Web works, recognizes the browser as the first-order Web client,
and offers a lightweight, open approach that's easy to implement from
most toolkits just won't succeed.

Note I say "easy to implement"
is a requirement for Web identity systems and I should note that making
user identity truly secure is one of the harder problems in software.
This can mean that OpenID and OAuth require a fair amount of work to
implement successfully. The good news: All three new identity approaches
presented here are now fairly easy to use right out of the box since
much of the hard work has been done to create libraries for the most
common programming languages and environments. I will observe that it's
still up to you, the designer of the Web application, to ensure these
libraries are doing the right thing by your users. This is yet another
reason why Web identity is still so often reimplemented over and over
again; lack of trust of 3rd party code and not-invented here
are still two powerful forces in software development. However, the
value proposition has grown to the extent that these do-it-all-yourself
positions are growing increasingly untenable.

That's not to say
considerable care shouldn't be used. In general, the more important the
user data your application handles, the more auditing and regular code
reviews you should conduct of your security and Web identity libraries.

The identity options: OpenID, OAuth, and Facebook Connect

Each
of the identity options presented here does something slightly
different in terms of providing users with either their choice of login
and Web identity or safe access to their data from elsewhere on the Web.
As such, you will likely be faced not with choosing one of these three identity options but actually all three of them to give your users the options they what and will increasingly expect. I've highlighted in the past the number of core competencies
that modern Web developers and architects have to master these days,
and it's a tall order. These options add to that burden but as you'll
see, provide considerable value in return.

OpenID

The best and most authoritative explanation of OpenID can be found here at OpenID Explained.
It's quite simple: Let your users use the identity provider of their
choice to login to your application instead of filling out an online
form and capturing the information in a private, local account that
users are not likely to trust nor long remember. Chances are nearly 100%
that a user already has a valid OpenID from the many popular services that already allow their IDs to be used this way today. OpenID use is also growing: Recent reports
show that sites offering OpenID logins are currently reporting that
10-15% of users will login this way and the average is climbing. Venture
Beat also had a decidedly bullish outlook on OpenID today.

Many
site have their business model and valuations wrapped around the number
of registered users that they maintain. OpenID does NOT make this model
go away, it merely provides an easier way to begin a relationship with
new users. It even makes it easier for the user to interact with a new
site. The full set of benefits for offering support for OpenID is:

  • Faster and easier sign-up.
    Users get the choice of ID they prefer to use and can also choose how
    much information you get to see about them. You can still ask any
    necessary registration questions after they sign-up with their OpenID.
    Note also that field experiments have shown that the simplest possible registration process is 3 times
    more effective at eliciting sign-ups. OpenID naturally takes advantage
    of this fact and is the perfect complement to the highly effective lazy registration pattern.
    And don't forget that you still get to add the user to your local
    account database with all the information you care about, just in the
    context of their OpenID, meaning that you don't get to know their
    password or any other information they don't want to give you.
  • Better sign-in process and lifecycle.
    Users only need to remember one user ID and password and so will always
    have an easier time logging in. It also places the burden of password
    maintenance and account support (at least some of it) on the 3rd party
    OpenID provider. And since the OpenID standard makes sure that passwords
    are used in a secure way and never passed along directly to sites that
    offer OpenID logins, users feel safer continuing to use new sites. As
    I've explored in the past, OpenID also potentially allows enterprises to extend their single sign-on experience out across the Web to SaaS applications that support OpenID.
  • Consistent Web identity. There have been many discussions recently about namespaces as the new lock-in, particularly today's post from Chris Messina,
    and OpenID allows users take advantage of this to establish their own
    namespace consistently across multiple Web sites and indeed, the entire
    Web. When someone sees a given OpenID on a site, they'll know it's the
    exact same user they see on another site. Giving users the ability to
    unambiguously identify themselves authoritatively on your site will be
    seen as an increasingly important requirement of today's social Web.

To actually support OpenID, you'll need to implement the current specification or use one of the many available OpenID libraries that already does it for you. Support exists for all the common languages: C#, Java, Perl, PHP, Ruby, Python, and even Haskell. The bottom line, you'll be learning about digital signatures such as HMAC-SHA1 and extensible resource identifiers, or XRIs.

It
should also be noted that the getting the user experience of OpenID
right is essential for being successfully with it. Because most visitors
will still be unfamiliar with it, a lot has been learned about how to
offer the sign-up and sign-in experience in a way that is accessible and
understandable. Early OpenID adopters often made the process too
complicated or inexplicable to the user. A lot has been learned about
how to do this correctly to enable the double digit usage rates we're
seeing today on sites that are successful with OpenID. Probably the best
presentation about effective OpenID user experiences is Brian Ellin's deck from this year's OpenID UX Summit, I encourage you to study it.

OAuth

Using
a site through its user experience is now only one way in which the Web
will interact with your service. If you're only offering a visual user
experience and don't currently have an application programming
interface, or API, you're behind the times. Open APIs
are one of the most powerful new models for delivering services on the
Web and they enable 3rd parties to integrate with and build on top of
your product, creating all new services and mashups. This leverages something I refer to as Jakob's Law,
which says that most of your traffic will ultimately be driven by
external activities on other sites. Thus, more usage will often come in
through an API than through the user interface. For example, Twitter
famously has 10 times more usage through its API than through its Web
experience, which I recently reconfirmed is still the case with Twitter's Alex Payne at Web 2.0 Expo earlier this month. It's also no accident that Twitter recently added support for OAuth.

However,
the challenge with APIs is the same as with user experiences: How to
let users access their data remotely in a safe way without having to
give the 3rd party application their user ID and password for your site?
Users might even feel comfortable giving their credentials for a
Twitter application like Twitterific,
but they certainly aren't going to do that for critical applications
like e-mail, banking, or e-commerce. Enter OAuth, a method for allowing
3rd party applications to gain access to user data with their
permission, but without having to give the credentials to that
application. In other words, users can "authorize" 3rd party
applications to access their data in your site, without giving that 3rd
party application the user ID and credentials.

The benefits of securing your API with OAuth include:

  • Safe, secure 3rd party data access.
    Users will be able to give permission for specific apps to access their
    data on your site without having to share their user ID and password
    with the 3rd party.
  • Declarative control over 3rd party access.
    Users can also block the access of 3rd parties they previously
    authorized without having to have access to the 3rd party application.
    This gives them declarative control over who accesses their data and
    makes them more likely to use such applications.
  • Greater use of 3rd party applications drives local use.
    For many applications, handing out user IDs and password to 3rd parties
    is unacceptable to users. They will only use the sites they trust.
    Since the APIs often become the dominant channel through which usage
    occurs, meaning that 3rd party sites can often represent the bulk of
    interaction if appropriate security controls are in place and users feel
    safe, OAuth can drive increases in usage and traffic.

You can find the OAuth specification here but most will opt to use one of the many pre-built libraries
that is already available and which greatly simplify implementation.
The language options are much the same as with OpenID which is good
since OAuth is seeing broader and broader adoption as its benefits
become clear and it gains critical mass.

Reconciling OpenID and OAuth

Now,
those paying close attention to this discussion might notice that
OpenID and OAuth seem in direct opposition. OpenID allows users to
employ remote 3rd party logins and OAuth tries hard to make the local ID
safely usable externally, at least when it comes to access through the
API. In reality, OpenID and OAuth are an excellent combined strategy and
plenty of work is underway to make it possible to use OAuth with
OpenID. Sites that support this combination will use the user's
preferred login for both the user experience (UX) of the site as well as
for the API, creating a seamless, consistent experience. The Step 2 project
has begun to "combine the OpenID authentication and the OAuth
authorization protocols" and has involvement with many of the major
players in the space including Joe Smarr of Plaxo and David Recordon of
Six Apart.

OpenID and OAuth represent major, scalable Web
identity authentication and authorization systems that work with both a
user experience as increasingly popular API access methods. They are
both open standards and have the backing of many major players,
particularly OpenID which has the backing (though only partial
implementation) from Yahoo!, Microsoft, IBM, Google, Facebook, and other
influential organizations.

Facebook Connect

Open Web advocates are probably wondering why I've included the proprietary Facebook Connect
in this discussion of Web identity. That's because there is as of yet
no major social identity system that is open and has broad support.
Consequently, I will warn you that using Facebook identity is something
that should be done carefully with eyes wide open for the lock-in issues
and dependencies that can result. However, the value proposition is
considerable. For example, Facebook claims that for many sites "2 out of 3 new registrations come via Facebook Connect, and those users have about 50% more engagement on sites". This alone will be worth it for a great many services, and certainly thousands of services have agreed.

By social identity I'm referring to not just a user's individual identity but also their social graph,
or list of connections they've established online, as well as the
communication that takes place between those contacts, typically an
activity stream.

Social identity is fast becoming essential
context for for online applications; it's not just enough to have you as
a registered user since today's Web applications also need to know who
your connections are in order to provide the services they offer for
communication, collaboration, etc. Social identity systems allow you to
login and then be able to refer to and access your social connections
and communicate with them. This is far preferable to the old-school
equivalent: Importing your contact lists and then inviting all of them
to the new application you're using. The days when that was acceptable
are over, if they ever were. Now you can just use your social identity
and they can see what you're doing in their activity stream and decide
whether or not to respond or participate.

For example, I use the video sharing site Vimeo
quite often but many of my friends don't and don't even have an account
there. But they can see what I'm doing on Vimeo with my Facebook
Connect link that shows my videos in their Facebook activity streams
when I post them. They can then decide if they want to view the video or
otherwise interact with Vimeo.

Facebook Connect itself is a
simple set of JavaScript libraries and XML markup that allows you to
enable users to connect to their Facebook accounts from within your Web
application. The capabilities and advantages of Facebook Connect are:

  • Single-click login. Users can log in with their Facebook identity and allow your site to access their Facebook profile.
  • More engagement. Use a user's personal interests to provide more relevant information and offer customized content from friends.
  • New distribution models.
    Users can share content and actions taken on your site with contacts
    back on Facebook through the activity stream and other social
    communication channels on Facebook.
  • Direct access to Facebook. Use the APIs that have allowed more than 700,000 developers to build tens of thousands of applications.

Getting started with Facebook Connect is relatively easy and the startup guide is straightforward.
The integration is very platform-agnostic and requires little
implementation for basic capabilities though it does use proprietary
JavaScript libraries and XML markup. To get the most out of Facebook
Connect will require deeper integration however, and this will create
more dependencies on how Facebook manages social data and activity
information. Fortunately, most good architects will be able to create a
straightforward separation of concerns and one that will allow other
social identity systems to be plugged in as they emerge, especially on
the open side, such as Plaxo's Open Social Graph.

While
many organizations remain uncomfortable delegating any aspect of user
identity to external services, the reality is that online services are
invariable stronger, more robust, and more attractive to users when they
do. The effort is higher however, and there are more dependencies to
manage but Web identity has definitively entered a near era. Proactive
companies that take advantage of what is possible today will be poised
to enjoy additional growth, higher user retention, and better customer
relationships.

作者:蒋金楠
微信公众账号:大内老A
微博:www.weibo.com/artech
如果你想及时得到个人撰写文章以及著作的消息推送,或者想看看个人推荐的技术资料,可以扫描左边二维码(或者长按识别二维码)关注个人公众号(原来公众帐号蒋金楠的自媒体将会停用)。
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。

原文链接

时间: 2024-12-24 20:48:55

Modern Web Identity: Why Your Web Applications Should Be Offering OpenID, OAuth, And Probably Facebook Connect的相关文章

Web Services: Building Reusable Web Components wit

Web Services: Building Reusable Web Components with SOAP and ASP.NET David S. Platt This article assumes you're familiar with XML and Visual Basic Level of Difficulty 1 2 3 Download the code for this article: WebComp.exe(93KB) Browse the code for thi

web标准下的web开发流程思考

web|web标准 web开发需要考虑三面人的人员:设计师,程序员,客户,项目经理. A.设计师负责平面效果设计 B.程序员负责系统开发 C.客户提出需求验收系统 D.项目经理负责统筹全局 这里就不谈需求分析细节,和与客户谈判的细节了,假定需求已经确定. web标准是结构和表现相分离的,所以设计师和程序员在项目经理需求确定之后,可以并行开发,打破了以往的,平面效果确定系统才能开发的低效率开发流程.什么样的系统都可以拥有MVC式系统的开发效率. 下面是一个流程图 需求确定,系统规划完成之后: 程序

用AJAX调用SOAP Web服务:构建Web服务客户机

ajax|web|web服务|客户机 [导读]本文介绍如何使用异步 JavaScript 和 XML (Asynchronous JavaScript and XML, AJAX) 设计模式来实现基于 Web 浏览器的 SOAP Web 服务客户机. AJAX 已普遍用于许多知名的 Web 应用程序服务,例如 GMail.Google Maps.Flickr 和 Odeo.com.通过使用异步 XML 消息传递,AJAX 为 Web 开发人员提供了一种扩展其 Web 应用程序价值和功能的途径.这

用AJAX调用SOAP Web服务:构建Web服务客户机(1)

ajax|web|web服务|客户机 本文介绍如何使用异步 JavaScript 和 XML (Asynchronous JavaScript and XML, AJAX) 设计模式来实现基于 Web 浏览器的 SOAP Web 服务客户机. AJAX 已普遍用于许多知名的 Web 应用程序服务,例如 GMail.Google Maps.Flickr 和 Odeo.com.通过使用异步 XML 消息传递,AJAX 为 Web 开发人员提供了一种扩展其 Web 应用程序价值和功能的途径.这里介绍的

用AJAX调用SOAP Web服务:构建Web服务客户机(3)

ajax|web|web服务|客户机 一个简单示例 我已经提供了一个示例项目来阐释 Web Services JavaScript Library 的基本功能.该演示所使用的 Web 服务(如清单 10 所示)已经在 WebSphere Application Server 中进行了实现,并提供了简单的 Hello World 功能. 清单 10. 一个简单的基于 Java 的"Hello World"Web 服务 package example; public class Hello

Web app设计细节:web app互动设计技巧

文章描述:Web app设计浅谈 . HTML5技术的强势发展,为互联网带来的最大改变就是: web从"已死"的预言中回过头来给Native app一记沉重的回马枪,web app成为举世瞩目的明星开始走在各大公司研发的时刻表中.Google .微软.苹果三大巨头紧锣密鼓地在web app的研发产品领域圈地设岗,并试图建立以自己为中心的"云"服务平台,企图在web app时代到来的时候充当霸主.本文将围绕web app的设计,与大家讨论几点设计技巧. 什么是web

架构Web Service:什么是Web服务?

web|web服务|架构 本文是架构Web服务的系列文章的第二篇,从Web服务的技术定义开始,来探讨什么是Web服务.首先,作者从技术角度详细分析了Web服务作为Internet环境下的软件组件的基本角色,从这个基本角色开始,详细介绍了这个组件对象的包装规范Web Service "stack",并对Web服务的应用做了分类,最后借助Garnter Group的材料考察了Web服务的当前发展状况.在本系列的上一篇文章中,我就为什么需要Web服务,从商业利益需求的角度进行了分析.本文将结

ASP.NET Web Forms中用System.Web.Optimization取代SquishIt

将一个ASP.NET Web Forms项目从.NET Framework 4.0升级至.NET Framework 4.5之后,发现SquishIt竟然引发了HTTP Error 500.0 - Internal Server Error. SquishIt是一个开源的支持ASP.NET的js/css打包工具,项目地址:https://github.com/jetheredge/SquishIt,出生早于Microsoft ASP.NET Web Optimization Framework(

渐进增强的 Web 体验(Progressive Web AMP)

本文讲的是渐进增强的 Web 体验(Progressive Web AMP), 如果你最近几个月一直关注着 Web 开发社区,可能你对渐进增强的 Web 应用(Progressive Web App 简称 PWA)已有所了解.它是应用体验能与原生应用媲美的 Web 应用的统称:不依赖网络连接,易安装,支持视网膜屏幕,支持无边距图像,支持登录和个性化,快速且流畅的应用体验,支持推送通并且有一个好看的界面. 一些 Google 的渐进式 Web 应用示例. 虽然新的 Service Worker A