implementing the social web

Implementing the

Social Webwith OpenID, OAuth, and All That Jazz!

David Recordon, Chris Messina, & Joseph Smarr Web 2.0 Expo

March 31, 2009San Francisco

Wednesday, April 1, 2009

- CHRIS

About Us

chrismessina daveman692 jsmarr


All of you?


- developers? designers? product peoples? <shout it out> - What questions/problems do you have?

What’s going on?


- DAVID


- the social web is pretty repetitive today, the irony is that the web is a decentralized thing but so many social pieces are only centralized - Pain is being felt by early adopters and even mainstream users. - video by the group Data Portability last year which is one of the best summaries of this

http://dataportability.org/


http://flickr.com/photos/pagedooley/1856663523/



- you fill out this long form time and time again - Digg has since simplified it, but really...12 fields all with an asterisk next to them!

http://flickr.com/photos/factoryjoe/2545757754/


- you’re then asked to “find your friends” by forking over your email password - hell, we’re guilty of this as well! The good news is that email providers are starting to add OAuth enabled APIs so that we don’t have to do this anymore. - but it isn’t just about asking for passwords (we do .CSV upload too), but that your email address book isn’t really the friends you want on every website


- then you create content yet it’s not shared outside of the site that you created it on

http://www.flickr.com/photos/jagelado/16631508/


- So, how’d we get here? - A few years ago this was the status quo, but even Microsoft has come a long way! - Open Source is everywhere (Wikia refuses to run software in their data center that isn’t Open Source)



http://www.illustratorworld.com/artwork/2238/


Browser Wars once people started really seeing the business value of getting stuff online - More interested in the "second browser war" - WHATWG (HTML 5, Google Gears) - Turned from open source to the data behind it



“Open Data is increasinglyimportant as servicesmove online.”

—Tim O'Reilly (OSCON '07)


- Hosted services change the "open" game. If I’m using Gmail I care less about running my own copy of Gmail and more about having access to all of my email offline or if I want to switch providers. - It used to be about source code, now it's about open data as applications are moving to the cloud

http://flickr.com/photos/sathishcj/1868113345/

“It’s like flying on an iPhone!”

data inside!


- and you need this data everywhere!




- A bunch of data formats were developed the past few years to try to shepherd all this stuff! - RSS and Atom for feeds, RDF for semantic data, Microformats for social data already in pages, OPML for lists of things, KML for geo data, etc

My 20+ Social Networks


- but, social networks are only more recently running into these problems. - wasn’t really until 2007 when Brad Fitzpatrick and I wrote a piece on the social graph that people really had a concerted effort around decentralizing social networks and their data

My 20+ Social Networks


- but how did we get here?


- Might have the FriendSter castle, or maybe the MySpace castle, or the Facebook one. All with big moats around them keeping them separate from one another.


- Then we got sites like Ning focused on making it easy to create your own castle. - With Ning in the middle connecting them.


Social Network Risk! (from Nov 2008) - Hi5 gains Cyprus from Facebook - MySpace gains Puerto Rico from Facebook - Facebook gains Libya from MySpace - Facebook regains Cyrpus from Hi5 - and it goes on...

Social Applications

• Each with a few great features(UNIX philosophy)

• Creating combined value

• Building blocks for new value

• No social graph of their own!

http://www.slideshare.net/stoweboyd/building-social-applicationsWednesday, April 1, 2009

- Around the same time... - Combined value as they don't compete to do everything, rather compete within their area of expertise - Exhaserbated the problem of finding friends - Let me restate that point, these guys *do not* want to have their own social graph...but to use ones that already exist

http://www.slideshare.net/stoweboyd/building-social-applications

http://www.slideshare.net/stoweboyd/building-social-applications


- Facebook Platform came about, meaning your source could run within their site and your data could interact with their social data - but then went down the path of world domination...


- look like anything you recognize? - people not happy with this. facebook was trying to dominate the world

Portable Contacts

AboutThe vision for Portable Contacts has been around for a long time. Sites large and

small share the goal of providing users a secure way to access their address books

and friends lists without having to take their credentials or scrape their data. But

only in recent weeks has it begun to feel that now is the right time to rally thecommunity and the industry to work together to make this vision real by

developing an open spec for exchange of contact info that everyone can embrace.

Why now?The momentum began building for 'data portability' last year, and we are now at a

point where there is strong support for the principle that users should be incontrol of their data and have the freedom to access it from across the web. And

the major players have all recognized that they and their users are better off with

secure contacts APIs (rather than having third-party services ask for users'

credentials in order to scrape their data). As a result, we're seeing major Internet

companies making contacts APIs available, such as Google's GData Contacts API,

Yahoo's Address Book API, and Microsoft's Live Contacts API (with more to come).

Not surprisingly though, each of these APIs is unique and proprietary. We believe

this creates the ideal conditions for developing a common, open spec that

everyone can benefit from. Just as OAuth has provided a standard to unify the

various proprietary schemes for delegated authorization, we believe we can do the

same thing for securely sharing address book and friends list data.

GoalsThe goal of Portable Contacts is to make it easier for developers to give their users

a secure way to access the address books and friends lists they have built up all

over the web. Specifically, we seek to create:

A common access pattern and contact schema that any site can provide

Well-specified authentication and access rules

Standard libraries that can work with any site

and absolutely minimal complexity, with the lightest possible toolchain

requirements for developers.

A measure of our success will be the elimination of the "password anti-pattern," by

making it far easier to implement Portable Contacts than to engage in scraping, as

well as a dramatic increase in the number of sites that both provide and consume

who-you-know data.

Our ApproachOur design is focused around ease of adoption, which means a few things. First,

our emphasis is on simplicity of design and targeted use cases. For example,

version 1 is simply about access, and defers for now on the more complex issues

around update and sync. Second, we're taking a modern approach to who-you-

know data by unifying traditional contact info and social network data, in order to

properly represent the current diversity of the social web ecosystem. Third, we're

using existing standards wherever possible, including vCard, OpenSocial, XRDS-

Simple, OAuth, etc. And lastly, we're designing something that should be easy for

current service providers to adopt. We started by reviewing all the major existing

contacts APIs and targeting the capabilities that they all share and provide. We

believe this pragmatic balance is the best and quickest way to achieve our shared

goal of widespread adoption.

Here is the current draft spec, the wiki, and the mailing list.

This project is being undertaken by Joseph Smarr, Chris Messina, and others.

a c tivity stre a .m s

D isc uss.

A n in itia tive fro m th e D iS o P ro je c t.

F irst d ra ft spe c s: A c tivitie s in A to m ; A c tivity S c h e m a .


- Lots of technologies coming out of this evolution to try and solve these pain points - all developed by communities - all building on existing technologies


- but more than just tech, starting to build with these individual blocks. - Action Streams for Movable Type was really the first self hosted consumer friendly version of things like Facebook Newsfeed

DiSo ProjectDiSo ProjectOpen, distributed, social.

About

Blog

Links

Chat

Silo free living.

Social networks are becoming more open, more interconnected, and more distributed. Many of us

in the web creation world are embracing and promoting web standards - both client-side and

server-side. Microformats, standard APIs, and open-source software are key building blocks of

these technologies. This model can be described as having three sides: Information, Identity, and

Interaction.

DiSoDiSo (dee • soh) is an initiative to facilitate the creation of open, non-proprietary and

interoperable building blocks for the decentralized social web.

Our first target is WordPress, bootstrapping on existing work and building out from there.

So what does that mean?

We’re building Wordpress plugins that implement or build on:

microformats like XFN, hCard, XOXO — wp-contactlist, wp-profiles

OpenID — wp-contactlist, wp-openid-server

OAuth

…and others

BlogrollChris Messina

Stephen Paul Weber

Steve Ivy

Will Norris

DiSo - DistributedDiso Code

DiSo on Flickr

DiSo on Ma.gnolia

DiSo on Twitter

DiSo Wiki

DiSo ProjectDiSo ProjectVisit this group

ArchivesJune 2008

May 2008

December 2007

MetaRegister

Log in

WordPress | Sandbox

Find


- getting to the point where you’re able to easily start hosting your own - DiSo starting with building social stuff on top of WordPress, we’ve been building similar things with Movable Type and working with the DiSo project in doing so - DiSo today is under taking more specification work than code work as they’re finding gaps with the wider community


- In the past year, not just underlying tech has emerged, but also developer toolkits - A few years ago developer tools talked about supporting AJAX or the latest version of CSS, now they’re talking about all these social technologies

“Connect”


- JOSEPH

- whether it be Facebook Connect, TypePad Connect, MySpace MyID, Google Friend Connect they’re all about connecting cloud service with distributed sites

Viewing

Sharing

Virtuous Cycle of Sharing


- facebook knows this very well and is probably doing it the best

New building blocks

Who I am

Who I know

What’s going on


New building blocks help to establish WHO I AM, WHO I KNOW and WHAT’S GOING ON in a reusable way.

• Profile (identity, accounts, profiles)

• Relationships (followers, friends, contacts)

• Content (posts, photos, videos, links)

• Activity (poked, bought, shared, blogged)

• Goal: Discovery of people and content

Anatomy of “Connect”


- If done right, OpenID, OAuth, Portable Contacts, Activity Streams are all pieces of connect applications


- but, where did this leave the social networks - this was how I ended in september, but we’re starting to move ahead

Mashups OpenSocial

Attributes OpenID/AX Contacts Portable Contacts

Authentication OpenID/Auth Access Control OAuth

Metadata Discovery YADIS, XRDS-Simple, XRD

Unique Identifiers URLs, email addresses

. . .

Evolving the Open Stack

As proposed by Johannes Ernst


lots of industry examples here making use of The Open Stack.

OpenSocial --> OpenID, OAuth, microformats... Facebook --> apps, moving offsite with connect... open sourcing components/platformFriend Connect --> answer to Facebook, implements opensocialMySpace DA --> way to get data in/out of MySpace; heavy on the TOSY!OS --> new Y! strategy to open up, including social APIs + lots of OAuth + OpenIDMT OS --> OpenID, OAuth, plugins make use of XRDS-SimpleDiSo --> facilitating plugins for WordPress, Drupal, MT... etc

also: android for mobile dev/capable browsers & rendering engines (webkit++)

Portable Contacts

AboutThe vision for Portable Contacts has been around for a long time. Sites large and

small share the goal of providing users a secure way to access their address books

and friends lists without having to take their credentials or scrape their data. But

only in recent weeks has it begun to feel that now is the right time to rally thecommunity and the industry to work together to make this vision real by

developing an open spec for exchange of contact info that everyone can embrace.

Why now?The momentum began building for 'data portability' last year, and we are now at a

point where there is strong support for the principle that users should be incontrol of their data and have the freedom to access it from across the web. And

the major players have all recognized that they and their users are better off with

secure contacts APIs (rather than having third-party services ask for users'

credentials in order to scrape their data). As a result, we're seeing major Internet

companies making contacts APIs available, such as Google's GData Contacts API,

Yahoo's Address Book API, and Microsoft's Live Contacts API (with more to come).

Not surprisingly though, each of these APIs is unique and proprietary. We believe

this creates the ideal conditions for developing a common, open spec that

everyone can benefit from. Just as OAuth has provided a standard to unify the

various proprietary schemes for delegated authorization, we believe we can do the

same thing for securely sharing address book and friends list data.

GoalsThe goal of Portable Contacts is to make it easier for developers to give their users

a secure way to access the address books and friends lists they have built up all

over the web. Specifically, we seek to create:

A common access pattern and contact schema that any site can provide

Well-specified authentication and access rules

Standard libraries that can work with any site

and absolutely minimal complexity, with the lightest possible toolchain

requirements for developers.

A measure of our success will be the elimination of the "password anti-pattern," by

making it far easier to implement Portable Contacts than to engage in scraping, as

well as a dramatic increase in the number of sites that both provide and consume

who-you-know data.

Our ApproachOur design is focused around ease of adoption, which means a few things. First,

our emphasis is on simplicity of design and targeted use cases. For example,

version 1 is simply about access, and defers for now on the more complex issues

around update and sync. Second, we're taking a modern approach to who-you-

know data by unifying traditional contact info and social network data, in order to

properly represent the current diversity of the social web ecosystem. Third, we're

using existing standards wherever possible, including vCard, OpenSocial, XRDS-

Simple, OAuth, etc. And lastly, we're designing something that should be easy for

current service providers to adopt. We started by reviewing all the major existing

contacts APIs and targeting the capabilities that they all share and provide. We

believe this pragmatic balance is the best and quickest way to achieve our shared

goal of widespread adoption.

Here is the current draft spec, the wiki, and the mailing list.

This project is being undertaken by Joseph Smarr, Chris Messina, and others.

a c tivity stre a .m s

D isc uss.

A n in itia tive fro m th e D iS o P ro je c t.

F irst d ra ft spe c s: A c tivitie s in A to m ; A c tivity S c h e m a .


- these technologies are actually taking root! - call it competitive pressure, call it facebook being on top and others being jealous, I don’t care what you call it - it is happening!

Why do people have to...

• create a new account on every service?

• re-create their profile?

• give away their passwords to every site that asks?

• re-discover their friends?

• re-friend their friends!

• learn new ways to share and communicate?


summary of problems... SNS routines

Why do developers have to...

• deal with [forgotten!] passwords?

• create yet another profile form?

• support every new service API that comes out?

• force members to invite everyone they know?

• implement an unsafe method for importing contacts?

• create widgets for incompatible social networks?

• manually interpret feeds for activity streams?


So...How will our customers benefit?

How will developers?


- CHRIS

Industry Trends

User control of data

User-centric web services, real identity becoming the norm

Location-enhanced services

Real-time content delivery, ubiquitous connectivity

Interoperable application platforms

Content aggregation and syndication

Increasing quantities of data to work with

Democratization of digital media creation tools


let’s look at some industry trends...

Eventbox Preferences


take a look at this screenshot from eventbox’s preferences.

Why is this even an option?


why is this even an option? we’re in a transitional period moving from computer-based identifiers to human-friendly ones.


moving towards interfaces that support real names, and real identity

Source: http://blog.wired.com/business/2008/12/as-facebook-con.html


- DAVID

- MySpace is building the same stuff as Facebook using open standards; OpenID, OAuth and OpenSocial

http://blog.wired.com/business/2008/12/as-facebook-con.html

http://blog.wired.com/business/2008/12/as-facebook-con.html

Source: http://blog.wired.com/business/2008/12/as-facebook-con.html

...It's the same paradigm promised by OpenID and its companion open-source technologies being developed by Google, MySpace, Yahoo, Plaxo and other key players on the social web. But where Facebook Connect is heading towards mass adoption on mainstream sites like Digg, OpenID is currently bogged down by several issues, the largest of which is poor usability.


- MySpace is building the same stuff as Facebook using open standards; OpenID, OAuth and OpenSocial

http://www.webmonkey.com/blog/OpenID_Is_HereDOT_Too_Bad_Users_Can_t_Figure_Out_How_It_Works

http://www.webmonkey.com/blog/OpenID_Is_HereDOT_Too_Bad_Users_Can_t_Figure_Out_How_It_Works


demo of 8bitmusic flow from http://8bitmusic.jdavid.net/

[email protected]

••••••••



mailto:[email protected]




« PayPal joins OpenID Foundation Board as we enter 2009

Facebook joins OpenID Foundation Board with a commitment to betteruser experiencePosted February 5th, 2009 at 11:30 pm GMT by David Recordon and Chris Messina

Today we’re excited to join Facebook’s Mike Schroepfer in announcing

that they have joined the OpenID Foundation’s board as a sustaining

corporate member.

Luke Shepard, a key member of Facebook’s Platform and Connect

teams and a huge internal advocate for OpenID, has been selected as their representative and joins

the current board of seven community elected board members and six sustaining corporate members:

Google, IBM, Microsoft, PayPal (joined last week), VeriSign and Yahoo!. Additionally, to maintain the

ratio of community and corporate board members, Joseph Smarr will be joining the board as our

eighth community member.

As the OpenID community entered 2009 two key topics have become the focal points on the road to

mainstream adoption: user experience and security.

Given the popularity and positive user experience of Facebook Connect, we look forward to Facebook

working within the community to improve OpenID’s usability and reach. As a first step, Facebook will

be hosting a design summit next week at their campus in Palo Alto which follows a similar summit on

user experience hosted at Yahoo! last year. The summit will convene some of the top designers from

Facebook, the DiSo Project, Google, JanRain, MySpace, Six Apart and Yahoo!, focusing on how existing

OpenID implementations could support an experience similar to Facebook Connect.

Facebook’s financial contribution along with its membership on the board signals the company’s

enthusiasm to work more closely with the OpenID community, building up momentum towards their

adoption of OpenID as a standard. Facebook furthering its commitment to openness couldn’t have

come at a better time to make 2009 an amazing year for OpenID and the wider social web.

For press contacts, please call OpenID Foundation board members David Recordon at 503.341.3009

or Chris Messina at 412.225.1051.

For Developers | Discuss | Demand | OpenID Foundation | Worldwide

Whatis OpenID?

Wherecan I use it?

Howdo I get one?


- CHRIS

And then two months ago this space changed with Facebook starting to embrace open standards and APIs by them now fitting into their strategy.

Documentation Community Resources Tools News

Developer Blog Press Platform Updates

Archived Posts

2009

February (3)

January (8)

2008

December (12)

November (8)

October (3)

September (6)

August (7)

July (15)

June (8)

May (11)

April (7)

March (7)

February (9)

January (11)

2007

December (5)

November (5)

October (10)

September (4)

August (5)

July (2)

June (1)

May (2)

April (1)

March (3)

February (3)

January (3)

2006

Opening Up Facebook Status, Notes, Links,

and Video to Facebook Platform

Share

4:54PM, Friday Feb 6th

Published by Chris Putnam

We're launching several new APIs for Facebook Platform today. These new

interfaces open up access to the content and methods for sharing through

several Facebook Applications -- including Facebook Status, Notes, Links (what

we used to call Posted Items), and Video -- to go along with the APIs already

available for uploading and viewing through Facebook Photos. We've seen

increasing engagement with over 15 million users updating their status each

day and sharing over 24 million links per month. We wanted to make sure this

content and the ability to share this content was available through our

standard APIs.

Specifically, your applications can now directly access all of a user's status,

links, and notes via new methods and FQL calls. Your application will have

access to any status, notes, or links from the active user or their friends that

are currently visible to the active user. In addition, we're opening new APIs for

you to post links, create notes, or upload videos for the current user, and

we've made setting a user's status easier.

We're pretty excited to see what kinds of ideas you can come up with to help

users create and share more content. For example, a travel application could

make it really easy for users to create and share notes and upload photos and

videos from a recent trip. Users could then display that content within a

profile tab for that app. Or a news website could use Facebook Connect to

allow users to easily post links from the site and feature all of the most recent

links that a user's friends have shared from that website.

Every user is subject to limits on the length and size of the video files they

can upload, just like they are when uploading through Facebook. Use

video.getUploadLimits to determine a specific user's limits. To increase video

Recent News

Opening Up Facebook Status, Notes,

Links, and Video to Facebook Platform

February 6, 2009

Next Steps in Openness

February 5, 2009

Postcards from January Garages

February 2, 2009

January Platform News

January 31, 2009

Try Out the New FBJS

January 30, 2009

Facebook Connect and Apple’s iPhoto

’09

January 29, 2009

Shalom from Facebook Developer

Garage Israel!

January 16, 2009

Changes in Facebook Platform

Leadership

January 16, 2009

Extending FBML with Custom Tags

January 13, 2009

Subscribe

News


And then they opened up APIs for status, notes, links and video. - Moving from just pulling data in, to being able to get data out as well

xkcd.com/256


but there are some problems with letting the data flow...

in the map of online social networks, things get tricky really fast when data moves from one “nation” to another.



“... You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content....”

— Facebook Terms of Service


Here’s what happened.

Sometime last month, Facebook made a change to their TOS, striking the passage here. Language was also clarified about ownership of user data... giving Facebook a “perpetual right to license and sublicense your content”... basically you give it to Facebook and they can do what they want with it.

At least that’s how people read it.

“... People want full ownership and control of their

information so they can turn off access to it at any time. At

the same time, people also want to be able to bring the information others have shared with them ... to other services and grant those services access to those

people's information. These two positions are at odds with each other. ”

— Mark Zuckerberg, Facebook


In response, they reverted the changes and Mark Zuckerberg said on the FB blog:

“Still, the interesting thing about this change in our terms is that it highlights the importance of these issues and their complexity. People want full ownership and control of their information so they can turn off access to it at any time. At the same time, people also want to be able to bring the information others have shared with them—like email addresses, phone numbers, photos and so on—to other services and grant those services access to those people's information. These two positions are at odds with each other. There is no system today that enables me to share my email address with you and then simultaneously lets me control who you share it with and also lets you control what services you share it with.”

In other words, people want their cake and to eat it too.


so facebook is attempting to reinvent democracy on its site.

this is an ongoing discussion and something that should be watched closely.

BreakWednesday, April 1, 2009

Through the Tech


Identity & Profiles


Client: OpenID Foundation Prepared by: Randy Reddig ShaderlabOpenID Logo - Revision 3 2007-11-26


Demo!


go over concepts: identity provider, relying partyLog in to Mapquest using DavidRecordon.com.

(aka places you can login with OpenID)

OpenID - As viewed by JanRain’s MyOpenID.com

Relying Parties


- 2007 was a huge year for OpenID!


not just blogs, but also big open source projectsnot just..., but also consumer servicesnot just..., but also large service providers and corporations - No where near a complete list!

OpenID-enabling your own URL...


factoryjoe.com


start w/ url

<html><head>

<link rel="openid2.provider" href="http://factoryjoe.com/blog/openid/server" /><link rel="openid2.local_id" href="http://factoryjoe.com /blog/author/admin/" /><link rel="openid.server" href="http://factoryjoe.com/blog/openid/server" /><link rel="openid.delegate" href="http://factoryjoe.com /blog/author/admin/" />

</head></html>

As simple as...


Implementing OpenID


discuss

OpenID User Interface


- probably the currently most discussed part of implementing OpenID


“Identifier driven sign-in”

WTF do I type in the box??

1. Heard of OpenID 2. Understand OpenID 3. Have an OpenID 4. Know what URL to type

factoryjoe


usernames

[email protected]


emails



friendster


names of social networks

Hotmail


email providers?

elderly


???

I HATE YOU!!!!!!!!!!!!!!!!!!!!!!!!LADY GAAAGGG


?????


or, they type nothing at all...


maybe it’s because people have been trained to just “type anything in the box”

Previous attempts



provide a pattern that the user can imitate (which one??).


mapquest


- click button approach which is new in OpenID 2.0


...leading to, well, quite a few buttons.


...but promising nonetheless.

problem: we have no idea who you are (vs fb connect)

Pop-up flow


Courtesy Balsamiq

http://boogle.com


so i visit my favorite search engine and decide that i want to sign in

Courtesy Balsamiq

http://boogle.com


i click sign in

Courtesy Balsamiq

http://boogle.com

http://boogle.com/signin


and a popup is launched where I pick my provider...

Courtesy Balsamiq

http://boogle.com


now i’m redirected to my openid provider where i can sign in...

Courtesy Balsamiq

http://boogle.com/#finish

Welcome back, Chris Sign out


upon successfully authenticating, i’ve signed in, without the original page refreshing

show existing providers

how many of your customers already have one of these accounts?

easier than going into inbox/spam

show janrain charts showing popular IDPs

UserVoice Identity ProvidersSource: Janrain - Why Websites Should Accept Multiple Third Party Identity Account Logins


NASCAR

http://blog.janrain.com/2009/01/why-websites-should-accept-multiple.html


Interscope Identity ProvidersSource: Janrain - Why Websites Should Accept Multiple Third Party Identity Account Logins




sulit.com.ph Identity ProvidersSource: Janrain - Why Websites Should Accept Multiple Third Party Identity Account Logins




benefits


Microformats


“Webpage as API”


vCard


universal standard for representing address book data...

BEGIN:VCARDSOURCE:http://factoryjoe.comNAME:FactoryCity (Chris Messina)VERSION:3.0N;LANGUAGE=en;CHARSET=UTF-8:Messina;Chris;;;ORG;CHARSET=UTF-8:VidoopFN;LANGUAGE=en;CHARSET=UTF-8:Chris MessinaADR;LANGUAGE=en;CHARSET=UTF-8:;;;San Francisco;;;PHOTO;VALUE=uri:http://factorycity.net/images/avatar.jpgURL:http://factoryjoe.comURL:http://factoryjoe.com/blogURL:http://twitter.com/chrismessinaURL:http://flickr.com/photos/factoryjoeURL:http://friendfeed.com/factoryjoeURL:http://brightkite.com/people/factoryjoe/URL:http://mento.info/factoryjoeURL:http://ma.gnolia.com/people/factoryjoeURL:http://factoryjoe.tumblr.comURL:http://facebook.com/chrismessinaEND:VCARD


http://factoryjoe.com

http://factoryjoe.com

http://factoryjoe.com/blog

http://factoryjoe.com/blog

http://twitter.com/chrismessina

http://twitter.com/chrismessina

http://flickr.com/photos/factoryjoe

http://flickr.com/photos/factoryjoe

http://friendfeed.com/factoryjoe

http://friendfeed.com/factoryjoe

http://brightkite.com/people/factoryjoe/

http://brightkite.com/people/factoryjoe/

http://mento.info/factoryjoe

http://mento.info/factoryjoe

http://ma.gnolia.com/people/factoryjoe

http://ma.gnolia.com/people/factoryjoe

http://factoryjoe.tumblr.com

http://factoryjoe.tumblr.com

http://facebook.com/chrismessina

http://facebook.com/chrismessina

hCard


“vCard in HTML”


.VCARD

.FN

.ADR

.URL + REL-ME[


Marshall Kirkpatrick - Add One Line To Your Blog or Twitter Could Become Your Primary Identity


Why is this cool?first: web page as APIsecond: support in opera, firefox, now IE8 (web slices) SEO

http://marshallk.com/add-one-line-to-your-blog-or-twitter-could-become-your-primary-identity

http://marshallk.com/add-one-line-to-your-blog-or-twitter-could-become-your-primary-identity

Discovery


c:\

icons by Seedling Design and Fast Icon


so you need a way to refer to these cloud-based applications like you used to...

c:\

icons by Seedling Design, Fast Icon and original authors


meanwhile we have hybrid apps like these that are also being thrown into the mix with infinite storage but a native experience. and these all require identity of some sort.

icon by Seedling Design


XRDS-Simple(light-weight service discovery for the web)


<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD></xrds:XRDS>

OpenID in XRDS


http://specs.openid.net/auth/2.0/signon


http://openid.net/sreg/1.0


http://openid.net/extensions/sreg/1.1


http://schemas.openid.net/pape/policies/2007/06/phishing-resistant


http://schemas.openid.net/pape/policies/2007/06/multi-factor

http://schemas.openid.net/pape/policies/2007/06/multi-factor

http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical

http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical

https://pip.verisignlabs.com/server

https://pip.verisignlabs.com/server

https://recordond.pip.verisignlabs.com

https://recordond.pip.verisignlabs.com

<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD version="2.0"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD></xrds:XRDS>

Portable Contacts in XRDS


http://portablecontacts.net/spec/1.0

http://portablecontacts.net/spec/1.0

http://pulse.plaxo.com/pulse/pdata/contacts

http://pulse.plaxo.com/pulse/pdata/contacts









http://openid.net/srv/ax/1.0

http://openid.net/srv/ax/1.0

http://www.myopenid.com/server

http://www.myopenid.com/server

http://brian.myopenid.com


How it works

factoryjoe$ curl -H 'accept:application/xrds+xml' http://brian.myopenid.com/


Start simple: - curl -H 'accept:application/xrds+xml' http://brian.myopenid.com/



How it works


Here’s what the response looks like (using Todd Ditchendorf’s HTTP Client) for Brian Ellin (AN INDIVIDUAL)

- curl -H 'accept:application/xrds+xml' http://brian.myopenid.com/


What about services? oauth discovery --> auto-service discovery (basically this is how you advertise your APIs to be autodiscovered)this is from partuza.nl -- an implementation of OpenSocial

LRDDLink-based Resource Descriptor Discovery

http://tools.ietf.org/html/draft-hammer-discovery-03

Emerging Work!


emerging work



Authorization


“your valet key for the web”


- Standardized existing duplicate protocols from Google, Yahoo!, AOL, and Microsoft - Remove the need to ask for email provider passwords - Seeing good adoption, so pay attention to this!


- Super secret URL - Until you share it...oops

http://adactio.com/journal/1357Wednesday, April 1, 2009

- Another option is passwords - But it is a *horrible* idea - How many people use the same passwords?

http://adactio.com/journal/1357

http://adactio.com/journal/1357


twitter apps provide a very common example of this problem.


boxee is also a problem. all these sites are going social and want to add value or reuse your data... but there’s been no good alternative.

each big site came up with its own BFS of an API which lead to a developer tax to reimplement code everytime, so they just went back to scraping.

redo these slides


switch to dave

San Francisco, CA


- You have *no* excuse to create APIs that only take passwords anymore - Google, Netflix, Yahoo!, MySpace, Twitter, etc and is being standardized in the IETF - Tell story of how OAuth was created

Mobile?


what about OAuth for mobile apps?


Start out with an iPhone app call FlightTrackPro.


now this app syncs with your TripIt account. So here we are in the app, and we need to login to connect to our TripIt account. We click login...

[email protected]

••••••••


and we’re taken into Safari, where we sign in through the web browser.






We see an access request... and scrolling down


we see that we can Grant Access here. Note that all the permissions are spelled out simply here.


If we grant access, Safari fades out, bringing the app back into focus.


and voila, with OAuth, FlightTrackPro now has access to our trips.

A protocol for developing password-less APIs.



5 minute oauth python to twitter demo -- jsmarr demos oauth test client


- Few interesting things - Means easier to create a directory of Twitter apps - Access type of read-only

redo this


http://www.slideshare.net/kellan/advanced-oauth-wrangling

Advanced OAuth

Wrangling

Kellan Elliott-McCreaXTech 2008: The Web on the Move




Library Support

• C

• C#

• ColdFusion

• Java

• Javascript

• Jifty

• Maven

• .Net

• Objective-C

• OCaml

• Perl

• PHP

• Python

• Ruby

See http://oauth.net/code


http://oauth.net/code

http://oauth.net/code

Mobile retail software

designed for in-store retail tasks. E.g. stock

counting, receiving etc.www.handpoint.com

Dell Business Computers

Business Computer Powered By Intel®

Core™ 2 Duo On Sale Online, At Dellwww.nz.dell.com

New Zealand Site

Features 130,000 Members. Discover Why

It's So Popular!www.smilecity.co.nz

RECENT JOBS

POWERED BY JOBTHREAD

Mobile retail softwaredesigned for in-store

retail tasks. E.g. stock

counting, receiving etc.www.handpoint.com

Dell BusinessComputersBusiness Computer

Powered By Intel®

Core™ 2 Duo On Sale

Online, At Dellwww.nz.dell.com

New Zealand SiteFeatures 130,000

Members. Discover Why

It's So Popular!www.smilecity.co.nz

Original Thinking in ITIT Director Dennis

Stevenson takes on a

new blog series. Read it

here!Blogs.ITtoolbox.com

Rss 2.0RSS Readers for

Individuals & Businesses.

Get A Free RSS Reader.NewsGator.com/RSS_Readers

TEXT LINK ADS

InteractionDesignerSave people's livesand doctors' time.Design software thatimproves healthcare.careers.epicsystems.com

IBM Virtual Event,March 3–4IBM DynamicInfrastructure VirtualForum. Reduce costsand manage risk.ibm.com/virtualforum

RWW SPONSORS

Grab this swicki from eurekster.com

RWW READERS

Written by Marshall Kirkpatrick / February 10, 2009 2:33 PM / 22 Comments « Prior Post Next Post »

« Prior Post Next Post »

Dell Business Computers

Business Computer Powered By Intel® Core™ 2 Duo On

Sale Online, At Dellwww.nz.dell.com

How To Speed Up Your PC

Get A Free Download That Speeds Up Windows XP

Instantly. Your PC Will…www.PcErrorCleaner.com

New Zealand Site

Features 130,000 Members. Discover Why It's So Popular!www.smilecity.co.nz

Original Thinking in IT

IT Director Dennis Stevenson takes on a new blog series.

Read it here!Blogs.ITtoolbox.com

Comcast Property Sees 92% Success Rate With New

OpenID Method

The most-watched geek event of the day has to be the OpenID UX

(User Experience) Summit, hosted at the Facebook headquaters. The

most discussed moment of the day will surely be the presentation by

Comcast's Plaxo team.

Plaxo and Google have collaborated on an OpenID method that may

represent the solution to OpenID's biggest problems: it's too unknown,

it's too complicated and it's too arduous. Today at the User Experience

Summit, Plaxo announced that early tests of its new OpenID login

system had a 92% success rate - unheard of in the industry. OpenID's usability problems appear

closer than ever to being solved for good.

This experimental method refers to big, known brands where users were already logged in, it

requires zero typing - just two clicks - and it takes advantage of the OpenID authentication

opportunity to get quick permission to leverage the well established OAuth data swap to facilitate

immediate personalization - at the same time, with nothing but 2 clicks required of users.

Plaxo, primarily known for the noxious flood of spam emails it delivered in its early days, is now an

online user activity data stream aggregator owned by telecom giant Comcast. The Plaxo team has

been at the forefront of the new Open Web paradigm best known for the OpenID protocol.

The Flow

The method Plaxo has been testing is called an OpenID/OAuth combo, in collaboration with

Google. What does that mean, in regular terms? It means that Plaxo told users they could log in

with their Gmail accounts as OpenID by clicking a link to open a Gmail window, then Google

asked for permission to hand over user contact data using the OAuth standard protocol. Once

login was confirmed, whether contact data access was granted to Plaxo or not, the Gmail window

closed and users were returned to Plaxo all logged in. No new accounts, no disclosure of Gmail

passwords to Plaxo, no risky account scraping and no need to import or find friends on the new

service before immediate personalization could be offered.

This is a very different flow than most OpenID "relying parties" have followed before - but it won't

be for long.

The Success Rate

Plaxo reported today that it has seen a staggering 92% of users who clicked on the "log-in with

Gmail" button come back to Plaxo with permission to authenticate their identities via Gmail

granted. Of those who returned, another 92% also granted permission for Plaxo to access their

contacts list. Only 8% of the people who clicked to log in with a standards based 3rd party

authentication ended up deciding to bail instead. That's the kind of ease-of-use that people

presumed only Facebook Connect could provide.

When Plaxo engineers moved to turn off the short-term experiment, the business team said no

way.

We expect to see this basic flow get iterated on even further. We hope it will ensure that every

OpenID provider has some exposure and not just the big email providers, and we expect the pop-

up action to be made increasingly unobtrusive.

This could be the day when OpenID became a far more realistic prospect than it has seemed

before.

What an "RP" Wants

View more presentations from johnmccrea. (tags: josephsmarr #openidux)

Posted in Features, Identity, NYT, News and tagged with oauth, openID, usability

Comment Subscribe Print Digg Share

Leave a comment

Sign in to comment on this entry. (Optional)

Related Entries

What Are You Looking At? Google Details Results

of Eye Tracking Study

Google and Plaxo Combine OpenID and OAuth

for Improved Usability

Why Twitter's New Security Solution Could Pave

the Way to a Future Web of Mashups

Mozilla's Test Pilot: A Global Usability Lab for

Firefox

0 TrackBacks

TrackBack URL for this entry: http://www.readwriteweb.com/cgi-bin/mt/mt-tb.cgi/10211

Comments

Subscribe to comments for this post OR Subscribe to comments for all Read/WriteWeb posts

1. I don't really see the utility of OpenID. Lately everything with the "Open" prefix sounds cool,

even if there's no use for it =)

Managers Magazine

Posted by: Alberto López | February 10, 2009 3:40 PM

2. Very exciting demonstration of compelling benefits for end users, website operators, and

OpenID providers. Well done to Google and Plaxo.

Posted by: bkkissel.myopenid.com | February 10, 2009 3:52 PM

3. Maybe I don't entirely understand the innovation here, but isn't most of the simplicity in the

user interface being achieved by concentrating on a single OpenID provider? In other words,

isn't this just swapping Facebook for Google, rather than Facebook for OpenID?

Posted by: jeremiah | February 10, 2009 5:02 PM

4. jeremiah, if that's the case then the big news is just the oauth integration. I don't think this

has to be a case of "simple because choice is removed" - I think that multiple known brands

could be offered as choices with room for any provider. The innovation is in the simple

clicks to authorize information, the use of known entities, etc.

Posted by: Marshall Kirkpatrick | February 10, 2009 5:07 PM

5. This presentation -- and some of the comments left above -- feels much more like marketing

than research. Who cares what the protocols under the covers are? The demonstration

could've been done with LDAP.

There's nothing new here. Of course it's possible to improve the user experience by

requiring(or at least, making it exceptionally difficult not to use) a few major providers. That's

been done a thousand times over.

We're no closer to solving truly distributed federated identity than we were, and this if

anything pushes us actively further away. I want to see interface work can serve the world,

not the one or two big players in one sphere.

Posted by: ndk | February 10, 2009 5:20 PM

6. ndk - thanks for putting that out there. I'd like to see what some of the folks involved have to

say about your comment.

Posted by: Marshall Kirkpatrick | February 10, 2009 5:30 PM

7. @jeremiah, while this experiment was done specifically between Plaxo and Google, I agree

with Marshall that multiple known brands could be involved and that the real innovation was

simplifying and combining the steps of logging in and granting access to your data.

This experiment combines 1) creating a new account on Plaxo and entering profile data, 2)

verifying your email address and 3) granting Plaxo access to your address book. Before the

combination of OpenID and OAuth, you would be sent to Google two or three times: first to

login with your Google Account, second (if you didn't use OpenID) to Gmail to verify your

email address and third to grant Plaxo access to your Gmail address book.

Rather, this experiment with a hybrid of OpenID and OAuth combines these steps so that

the creation of a new account always includes the verification of your email address and

you're telling Google that you wish to provide Plaxo with access to your address book.

Posted by: David Recordon | February 10, 2009 5:40 PM

8. @ndk, I'd love to see an example of this being done with LDAP, including the granting

ongoing access to an API resource (the address book). I obviously strongly disagree with

your view that, "we're no closer to solving truly distributed federated identity than we were,"

but doubt that comments are going to be the best way to understand each other's

viewpoints.

Posted by: David Recordon | February 10, 2009 5:45 PM

9. I agree with ndk. Sure this could be done for other well-known brands... but note that caveat

carefully. Now tell me how having a few known brands be the ones that make OpenID easy

to use is a good thing.

OpenID is still a solution in search of a problem for most individuals. We use our browsers'

ability to remember credentials combined with cookies and a limited set of passwords to

address this. If I only have 1 or 2 username/password combinations to remember anyway...

what's the advantage of OpenID again?

Posted by: rick | February 10, 2009 5:49 PM

10. I think this is a really big deal. (But I'm biased, as I'm involved in it.)

This is the first time we're seeing OpenID that is driving our core business metrics. It's good

for users, good for Plaxo, good for Google, and implemented in a way that can be replicated

by any other sites of the web.

Posted by: John McCrea | February 10, 2009 5:51 PM

11. I obviously strongly disagree with your view that, "we're no closer to solving truly distributed

federated identity than we were," but doubt that comments are going to be the best way to

understand each other's viewpoints.

You're probably right, David, but I'll restate my point more fully for posterity here. Because:

1) It's extremely difficult to craft a good UX for N providers, making the button path -- used

by social bookmarks and the demonstration above alike -- very appealing;

2) The data necessary to build a value proposition, like a contact book, is not available

consistently from all providers;

3) There is no trust framework to support a diversity of providers.

Whatever the protocol under the seams, if the three above points are not comprehensively

addressed, I see an inexorable drift towards the "Top 4" that Joseph describes. Discovery is

the toughest and most important.

I'd love to see an example of this being done with LDAP, including the granting ongoing

access to an API resource (the address book).

This is tangential; I'm just pointing out that I'm not emotionally attached to protocols. They

grow, evolve, and die, but in the end aren't always that different from each other.

If you wanted to get imaginative with LDAP, perhaps one would provision a service DN for

each application, do LDAP auth of the user at the login page, change the user's contact list

ACL to permit reading by the service DN, transmit the username + timestamp to the service

in a query string encrypted using the service's public key, and then perform a simple LDAP

query(an API for retrieving data about a username, after all).

Obviously a dirty hack inferior to application of OAuth + OpenID, vulnerable to a few more

attacks by the service, and LDAP isn't viable for inter-realm use, but it'd work.


12. the username + timestamp

Brainfarted the slightly important "signed" word, sorry. :D But I'd rather not let that distract

from the core issue that rick articulated better than I: the UX being demonstrated here

naturally constricts the OP's to a select few, so I really don't think of it as progress.


13. Jeremiah and ndk what you're missing is that the bridge from identity to authorization to use

the contacts was done through a set of open protocols, Being able to go from an email

address to a known OpenID endpoint was a small part of the steps saved here.

If users can pick an identity provider from a list of obvious suspects or a known highly

correlated one for that site, as well as having a type-in box, this flow means that they will be

able to connect to a rich source of profile and contact information in one go, ratehr then the

multiple stage back and forth currently needed.

Posted by: Kevin Marks | February 10, 2009 11:34 PM

14. Oh sure, the meeting at Facebook as massive implications, our identities will finally be in our

control, the companies that attented will make billions more with that hybrid oauth/openid

thingy, yadda, yadda, yadda...

But without a doubt, the best thing to come from the meeting was this pic:

http://www.flickr.com/photos/wnorris/3270176733

Posted by: Todd | February 11, 2009 3:30 AM

15. ...oh yeah, and on the serious tip:

ndk said:

"...If you wanted to get imaginative with LDAP, perhaps one would provision a service DN

for each application, do LDAP auth of the user at the login page, change the user's contact

list ACL to permit reading by the service DN, transmit the username + timestamp to the

service in a query string encrypted using the service's public key, and then perform a simple

LDAP query(an API for retrieving data about a username, after all)."

Exactly! That's what I want to write an Oil Can script to do, for all Android phone's ( address

books in Android phones automatically sync'ed to Gmail BTW ). Decentralized and spread

out out, no single point of failure.

"...A distributed architecture for social networking? Existing social networks usually employ a

"hub and spoke" model, where the website is the hub of all activity within the network, and

where there is a "client" and a "server". Since all traffic must pass through the hub, that site

may become a bottleneck. Furthermore, each transaction must pass up one spoke to the

hub, and then down another spoke, when the people interacting may be much closer to

each other (in network terms) than either is to the hub site...

There is the opportunity to create an architecture that distributes the load to the devices

sitting in our coats and pockets, rather than solely on massively scalable Web sites. Such an

architecture would require better interoperability between social networking sites and mobile

devices than we have today, and should remove any dependence on an "always-on"

network connection."

http://www.w3.org/2008/09/msnws/papers/nokia-mobile-social-networking.html

Posted by: Todd | February 11, 2009 3:49 AM

16. thanks.

Posted by: söve | February 11, 2009 8:55 AM

17. For some reason I seem to get nervous when something is so wonderful that everyone buys

into it. Nothing is perfect. The real question is what are they not telling you about this new

system. We need enough information to decide if we want something or not. If all we get is

the good side, the other side could be worse than we can handle. This is the same mistake

that too many people made when investing with Madoff! Stop trying to hussle us and tell us

the real deal.

Posted by: Phil "Watching How This Goes" | February 11, 2009 8:57 AM

18. Prior to the work I'm currently doing with OpenID, OAuth, et al, I was deeply involved with

LDAP, SAML, and worked with ndk (commenter above) directly for a number of years. He

makes an excellent point based on this article. Unfortunately, this article covers only a small

facet of what was discussed at the UX Summit yesterday.

I think the thing to take away from the Plaxo numbers that Joseph presented is this: if we

can make the user experience as simple as two button clicks (that's really all it is), the ROI

for relying parties is incredible. The beauty of the Plaxo/Google demonstration was made

possible by open protocols (that really could have been anything, including LDAP), but more

importantly intelligent OP discovery. It demonstrated ONE way of doing intelligent discovery

-- that is, assuming that if the user used Google for their email, then there's a decent

chance that they would want to use Google as an authentication provider. As their numbers

show, this was a pretty accurate (although not 100% true) assumption.

The point is, if we can do intelligent discovery, the payback is huge. The true challenge, and

this is what was left out of the article, but was discussed during the rest of the UX Summit,

is how to do this discovery. No one is suggesting that the Plaxo/Google approach, or even

the "big four buttons" approach is the end-all, be-all solution to discovery. No one is saying

that. Plaxo's demonstration only underscores the importance of discovery, and it's problem

we have yet to solve.

Posted by: willnorris.com | February 11, 2009 2:03 PM

19. @willnorris said "if we can make the user experience as simple as two button clicks (that's

really all it is), the ROI for relying parties is incredible"

I think that's the key. Until yesterday, there had been little public discussion about

streamlining the OpenID login process for those not knowledgeable of what "OpenID" is. At

the end of the day, most users won't know that they're interacting with something that is

using the OpenID protocol, which is the way it should be.

Facebook Connect has proven that engagement rises and that there is a higher rate of new

registrations. The Plaxo example confirms this even more. This is great to see and I think

we are on the verge of a breakthrough which will make all registrations as simple as two-

clicks. This is awesome. OpenID ftw

Posted by: Nick O'Neill | February 11, 2009 2:23 PM

20. No one is suggesting that the Plaxo/Google approach, or even the "big four buttons"

approach is the end-all, be-all solution to discovery. No one is saying that. Plaxo's

demonstration only underscores the importance of discovery, and it's problem we have yet

to solve.

Thanks, Will. Your entire message is very much the right one to carry forward here, and

since I wasn't present, I'm glad to hear that more was present at the summit than just the

"Top 4" buttons.

It'd be great to get more earnest communication on innovative techniques being proposed to

prevent OpenID from falling further into the social bookmarking solution. No such details

have leaked out of the inner circles, and when all we see is presentations like this, the

discomfort of commentators not directly invested in the future of this technology is probably

understandable.


21.

Some really interesting comments.

I have long predicted that the next wave of social networking will be ALL sites offering social

elements so "friending" and commenting and the like is available everywhere.

This, to some degree, is already happening (I spend two hours every morning reading and

commenting all over the web) but it typically requires a separate identity on each site. And if

I wish to make my contacts aware of the article I need to drag their butts over to that

specific site first. This is all a pain.

So socialising the web will become a lot easier if a SINGLE existing identity can be used by

me across the whole web. OpenID offers this. What it doesn't do today, and what Facebook

Connect DOES do, is enable me to easily share what I am doing across the whole web with

my friends and contacts. Well, I say FBC does do it, no one is using it yet...

And a key reason is everyone would like to see something more "Open" allowing that so

they aren't tied into Facebook, which doesn't have a great reputation for protecting

investments for its third party developer partners.

What Plaxo and Google are showing is exciting, but is playing functional catch up with FBC

and will only geat REALLY exciting once they issue some code which you and I can

integrate into our sites to offer the same functionality.

By the way, I agree with the view that is arguably leading us down the wrong road

ultimately, as I would prefer to see a trusted, independent, non-profit body holding identity

and social graph information, which we then "lease" to sites we visit with a few clicks.

Although W3C is putting together a team to investigate this, encouragingly, it is still some

way off.

Ian Hendry

CEO, WeCanDo.BIZ

http://www.wecando.biz

Posted by: Ian Hendry | February 12, 2009 1:51 AM

22. Intereting article and exciting developments between Google and Plaxo. But ... I found the

comments more informative.

I agree with Ian Hendry, we need "a trusted, independent, non-profit body holding identity

and social graph information, which we then "lease" to sites we visit with a few clicks."

"The Plaxo/Google approach, or even the "big four buttons" approach" will become the "the

end-all, be-all solution to discovery." and I'll no longer be able to use my blog as a self-

provisioned OpenID.

Sicne the the user experience weill be "as simple as two button clicks (that's really all it is),

the ROI for relying parties is incredible." - @williamnorris

Posted by: Khürt | February 15, 2009 4:54 AM

Jr. Software Application

Analyst /...

Plano, TX

ASAP Staffing LLC

Applications

Programmer

Austin, TX

Team Int

Network Support

Engineer (706 - 38607)

Smyrna, GA

ASAP Staffing LLC

IT Administrator

McLean, VA

ROCS - Responsible

Outgoing College...

HP-UX System

Administrator (844 -

2131)

Chicago, IL

ASAP Staffing LLC

Travel Channel -

Supervising Producer,...

MD, MD

Cox Communications

Senior Front-

End/UI/AJAX Developer

New York, NY

Large Online Marketing

Firm

MORE JOBS >

POST A JOB >

Want to buy textlinks onReadWriteWeb?

Recent Visitors

You! Join Now.

發霉兔子

Inetgate

Adebuche

tempofeng

matthew s

See all 9,725 members...

Grab This! MyBlogLog

ReadWriteTalk Enterprise Jobwire About Subscribe Contact Advertise

RSS RWW Daily by Email

RSS RWW Weekly Wrap-up

Home Products Trends Best of RWW Archives

ReadWriteWeb

Yahoo! Buzz

advertise.php asp.net 2.0 web config best 10 mobile

contact.php Emerging Technologies Web 2.0 etherpad

fring g1 gender how image search Mediaset

Sues Google notebook Professional Widget Developers

semantic semantic google swicki vertical

search wordpress zoho

POPULAR TAGS

google facebook twitter iphone

microsoft search mobile yahoo

social media music video social

networking apple semantic web

myspace trends advertising rss

youtube friendfeed mobile web

amazon blogging enterprise firefox

data portability social networks

politics android digg lifestreaming

apps marketing adobe enterprise 2.0

security privacy app email startups

obama web apps api browsers cloud

computing news chrome open source

photos web office

Your email address

Your email address

Search ReadWriteWeb

Name

Email Address (required)

URL

Cc. this comment to FriendFeed

Remember personal info?

Comments (You may use HTML tags for style)

Preview Submit

Home | Products | Trends | Company Index | Best of RWW | Archives

ReadWriteWeb | ReadWriteTalk | Enterprise | Jobwire

About | Subscribe | Contact | Advertise

© 2003-2008 ReadWriteWeb


- that said, there are some positive signs here.- 92% of the people that they sent to login with OpenID came back successfully!

Demo: OpenID & OAuth Hybrid


Joseph’s Demo?

Relationships & Contacts


http://flickr.com/photos/factoryjoe/2545757754/


- you’re then asked to “find your friends” by forking over your email password - hell, we’re guilty of this as well! The good news is that email providers are starting to add OAuth enabled APIs so that we don’t have to do this anymore. - but it isn’t just about asking for passwords (we do .CSV upload too), but that your email address book isn’t really the friends you want on every website


this can be useful for importing your friends


Wow! That was useful!

Portable Contacts API



- JSON based RESTful API to query address books, update them, etc. Two-way sync. - Built into OpenSocial’s REST API and lots of vendors looking at supporting it. - Think about vCard if it were modernized.

Since September

• Integrated with the OpenSocial REST People protocol

• Google, MySpace, hi5 and Plaxo are PoCo Providers

• Microsoft’s LiveFX Framework (sort of) supports PoCo

• Handful of PoCo consumers (including an Android app)

• Engaging the IETF around vCardDav compatibility


- Handful of

Portable Contacts Demo


The Microformat XFNif users want to link accounts, allow it... they may even link to your

service from another profile


- but what can we build atop OpenID?

Adding XFN



- Note the action stream on the left, powered by MT, aggregating what I want it to (blogs are evolving too)

About Me


- Could also do this to link to friend's profiles

About My Friends


- "contact" instead of "me"

Google’s Social Graph API


so how does this play out? let’s take a look at google’s social graph API

http://code.google.com/apis/socialgraph





- anyone can play with this... - Demo http://www.davidrecordon.com/ - Missing friends.js - Explore with attributes twitter.com/daveman692

http://socialgraph-resources.googlecode.com/svn/trunk/samples/findyours.html?q=http://www.davidrecordon.com/

http://socialgraph-resources.googlecode.com/svn/trunk/samples/findyours.html?q=http://www.davidrecordon.com/


http://socialgraph-resources.googlecode.com/svn/trunk/samples/missing-friends.html

http://socialgraph-resources.googlecode.com/svn/trunk/samples/missing-friends.html

Periodically checking for new people.


Dopplr - before with scraping people were paranoid about saving users’ passwords... so they trashed them after using them... with oauth, you can get ongoing access and then introduce people to their friends once they sign up

Friend Connect


open stack in a box... small site not wanting to do much programming...

Activity StreamsEmerging Work!


“Lifestreaming”


Today

• Last.fm

• Jaiku

• Facebook newsfeed

• FriendFeed

• etc.


The challenge

• Develop a format for expressing activities

• Compelling experiences from activity feeds

• The zero-knowledge test

• etc.


FriendFeed Services


The Benefits

• Staying in touch across the web

• An open, emergent ecosystem of activities

• Filtering, search, automation & stats

• Optimal, compelling, custom experiences

• Coalescing, merging, de-duping

• etc.


Examples


social discovery


last.fm (as seen in Plaxo Pulse)


Facebook


FriendFeed


messaging


Twitter


Yammer


Eventbox


desktop app

personal publishing



the original activity stream from jeremy keith

Movable Type Motion


brand/personal monitoring


GetSatisfaction Overheard


Twitter Search


Anatomy of an activity


Actor verb object [context]


factoryjoe tweeted Niches Bitches! [via SMS]


Actor verb object {indirect object} [context]


Chris bought Planet Earth {for Brynn} [at Amazon.com]


Activities on the Social Web


I visit davidrecordon.com


I decide I want to follow his activities

Sign in to follow Dave!


I sign in with my OpenID


Before I’m sent back, I’m asked whether I want to follow Dave


Dave RecordonWorst username evar.San Francisco, CAdavidrecordon.com

Contact detailsStatus updatesPhotosBookmarksBlogs

daveman692Six Apart

LocationMusicMoviesSlide presentationsEventsTravelLocal reviewsBooks

Add subscriptions

Your message (optional)Hi there! We met that conference last week. I’ve subscribed to your updates on my site.

-Chris

Access requires permission from Dave

Add contact

Inspired by Jyri Engeström

I say yes, and am asked which activity types Iʼm interested in...


Should any of the selected types be protected,I will be asked whether I want to request access

OKNo thanks

Dave’s contact details, photos and location are protected.

Would you like to request access to these items?

Please note that Dave may deny your request.


If I say OK, an OAuth request will be sent which Dave will later be able to approve, deny or ignore


...And Dave’s public activities will show up in my activities dashboard.


...And if Dave later approves my request, his protected activities will show up too


Activities on the Open Web


I visit stammer.com


I decide I want to join this community

Sign in to start posting!


I sign in with my OpenID


Before I’m sent back, I’m asked whether I want to authorize Stammer to postback my activities

OKDecide later

Stammer can post the activities you take on their site to your profile.

Would you like to allow this?

If you’re not sure, you can decide later. These activities will not be made public unless you want them to be. You can always revoke this permission later.


If I say yes, I am returned to Stammer, authenticated. As I use the site, my actions are

posted to my activity stream


If I defer, I am returned to Stammer, authenticated. As I use the site, my actions are posted to my

activity dashboard, where I can choose to share my activities later


Sound familiar?



kind of like facebook beacon...

Current work: ATOM Extension


<entry> <id>tag:photopanic.example.com,2008:activity01</id> <title>Geraldine posted a Photo on PhotoPanic</title> <published>2008-11-02T15:29:00Z</published> <link rel="alternate" type="text/html" href="/geraldine/activities/1" /> <activity:verb> http://activitystrea.ms/schema/1.0/post </activity:verb> <activity:object> <id>tag:photopanic.example.com,2008:photo01</id> <title>My Cat</title> <published>2008-11-02T15:29:00Z</published> <link rel="alternate" type="text/html" href="/geraldine/photos/1" /> <activity:object-type> tag:atomactivity.example.com,2008:photo </activity:object-type> <source> <title>Geraldine's Photos</title> <link rel="self" type="application/atom+xml" href="/geraldine/photofeed.xml" /> <link rel="alternate" type="text/html" href="/geraldine/" /> </source> </activity:object> <content type="html"> <p>Geraldine posted a Photo on PhotoPanic</p> <img src="/geraldine/photo1.jpg"> </content></entry>


<entry> <id>tag:photopanic.example.com,2008:activity01</id> <title>Geraldine posted a Photo on PhotoPanic</title> <published>2008-11-02T15:29:00Z</published> <link rel="alternate" type="text/html" href="/geraldine/activities/1" /> <activity:verb> http://activitystrea.ms/schema/1.0/post </activity:verb> <activity:object> <id>tag:photopanic.example.com,2008:photo01</id> <title>My Cat</title> <published>2008-11-02T15:29:00Z</published> <link rel="alternate" type="text/html" href="/geraldine/photos/1" /> <activity:object-type> tag:atomactivity.example.com,2008:photo </activity:object-type> <source> <title>Geraldine's Photos</title> <link rel="self" type="application/atom+xml" href="/geraldine/photofeed.xml" /> <link rel="alternate" type="text/html" href="/geraldine/" /> </source> </activity:object> <content type="html"> <p>Geraldine posted a Photo on PhotoPanic</p> <img src="/geraldine/photo1.jpg"> </content></entry>

updated?


What can we observe?


MySpace already supports this


...we’d like to get this into OpenSocial


http://activitystrea.ms




Gadgets


jsmarr update


Builds on the Open Stack


- Incorporates existing standards to do things like portable contacts

Three Main APIs

• Activities (what people are doing on a site)

• People and Profile information

• Persistent data storage (joined across friends)

• Containers are free to add their own APIs such as photos

Combination of JavaScript, REST, templates, and proxied HTML


- Containers do the heavy database lifting for you - Core people is name, uid, photo and profile url


- A write once, run anywhere social application platform- boasting over 350 million potential active user reach last year, up to over 500 million this year with Facebook crossing 150 million monthly active users

Containers


- lots of social networks all over the world - most people only see the ones that they belong to

Run like open source


- Future roadmap isn’t run by [Google|MySpace], but by the community on the mailing list and what consensus there is

Container Code


- Production worthy reference implementation in Java - Java and PHP open source libs - Complaint with OpenSocial v0.8.1

REST LibrariesNext Blog» Create Blog | Sign InSEARCH BLOG FLAG BLOG

Copyright © 2008 Google Inc. All rights reserved.Privacy Policy | Terms of Service

Newer Post Older Post

OpenSocial now friends with PHP, Java, Ruby, and PythonWednesday, December 17, 2008 at 11:49:00 AM

With more and more containers introducing server-to-server APIs based on the OpenSocial REST andRPC protocols (think MySpace, LinkedIn, Plaxo, orkut, and iGoogle just for starters), it has never been abetter time to jump into OpenSocial development. These new protocols allow you to write engaging socialapplications for these containers using the language of your choice -- JavaScript is no longer the onlyoption.

To help you get started using the OpenSocial REST and RPC protocols, we have assembled a set ofclient libraries for PHP, Java, Ruby and Python. Each library enables developers to retrieve profileinformation and persistent data from supporting containers without having to concern themselves withmanaging network connections, signing requests, or other lower-level details. To check out the code,point your browsers to the Source tab linked from each project's home page:

OpenSocial PHP Client LibraryOpenSocial Java Client LibraryOpenSocial Ruby Client LibraryOpenSocial Python Client Library

These libraries are completely open sourced under the Apache 2.0 license, and contributions are not onlywelcomed but encouraged. In addition to a wiki page explaining the patch submission process, eachproject hosts an issue tracker which have already been populated with known issues and requestedenhancements. These trackers are the best places to start if you're interested in contributing to aparticular project. Please report any new bugs or incompatibilities you find along with any feature requestsusing these trackers and be sure to star those reported by other developers which are significant to yourown development also so they can be prioritized effectively.

To help get you started, we have assembled a set of sample applications, linked from the project wikipages, which you can run directly from the command line or your favorite IDE. As an added bonus, theRuby and Python libraries have accompanying full-featured sample applications which you can run insidecontainers supporting the OpenSocial REST protocol. These larger samples are checked in to theSubversion repository under "Samples" and include a bootstrap mechanism for securely retrieving the IDof the current viewer before the core application loads, which you can use as a template for your owncontainer-based applications.

For general questions and commentary, we have set up a discussion group to help build the developercommunity around the libraries. The original engineers of each library are already members of the group,so feel free to ask the tough questions. :) We will also be hosting a special session of IRC office hoursnext Monday, December 22 from 1:00 to 3:00 (PST) so you can share your feedback with us directly.The official OpenSocial IRC channel is located at irc://irc.freenode.net/#opensocial.

We're really excited to see the next generation of social applications that the OpenSocial server-to-serverAPIs enable, and we hope the client libraries ease you along your development journey. Please give thelibraries a spin, file any issues you see, and stop by the IRC channel next week to get your questionsanswered. See you there!

Posted by Jason Cooper, Developer Programs

Permalink

2 comments:

Uday Bhaskar said...

Great!

00:41

Wen Qi said...

Sounds Good!

00:36

Post a Comment

Links to this post

Best of this Week Summary 29 December - 11 January 2009

速攻で作る OpenSocialアプリ Daily Digest for 2008-12-29

OpenSocial en Java, PHP, Python y Ruby

OpenSocial Java, PHP, Python, and Ruby Libraries Released

REST and RPC protocols available on the sandbox

Google Gadgets’ URL content type: handy thing

OpenSocial now friends with PHP, Java, Ruby, and Python

Google released OpenSocial client libraries - REST and RPC support ...

REST and RPC support in the developer sandbox

Create a Link

Home

Search

powered by

Site Feed

Subscribe via email

Enter your email

address:

Subscribe

Delivered by

FeedBurner

Archives

Archives

More Blogs fromGoogle

Visit our directory for

more information about

Google blogs.

Labels

adobe (1)

app. pixverse (1)

appengine (1)

argentina (1)

brazil (1)

buenos aires (1)

china (1)

container (1)

developer (2)

events (5)

globant (1)

GSPEast08 (1)

hackathons (3)

hi5 (3)

interview (3)

joyent (1)

meetup (1)

mentez (2)

myspace (1)

opensocial (9)

orkut (4)

sao paulo (1)

sonico (1)

tutorials (1)

video (2)

vostu (1)

We Love Feedback

Do you want to respond

to a post or give us

feedback? The

discussion group awaits.

OpenSocialOverview

OpenSocial Home

Who's Using It?

Building Social Apps

Hosting OpenSocial

Apps

OpenSocial API

OpenSocial API Docs

JavaScript Developer's

Guide

JavaScript API Reference

Other Resources

Google Code

Build Apps for Orkut

Gadget API Docs

More Google DevBlog Posts

更新的中文版本的AdWords API!明文件最近"行了Google Developer Blog - China

谷歌中国开"者网站博客

OpenSocial App

Developer Mentez

Expanding into China

OpenSocial API Blog

Android Market update:

priced applications for

US users

Android Developers Blog

OpenStreetMap's New

API Database Server

Google Open Source Blog

¿Cómo contactar con

Google?

El Blog para Webmasters

Read more...

OpenSocial API blog is

powered by Blogger.

Start your own weblog.

http://icanhaz.com/opensocialcode


Home News Help

Sign in

About:

This OpenSocial application provides the ability to write and save JavaScriptcode samples to execute against OpenSocial containers. This helps rapidlytest sample OpenSocial code.

Code samples can be saved and loaded. You can give other developers linksto code samples for instructional or debugging purposes.

Available on the following containers (click to use):

Versions:

OpenSocial 0.7This version is compatible with containers supporting version 0.7 of the OpenSocial API. [ View XML ]

OpenSocial 0.8This version is compatible with containers supporting version 0.8 of the OpenSocial API. [ View XML ]

http://osda.appspot.com/Wednesday, April 1, 2009

http://osda.appspot.com

http://osda.appspot.com

navigation

Main Page

Containers

JS API Reference

Articles & Tutorials

Contributing

Recent changes

Random page

Help

toolbox

What links here

Related changes

Upload file

Special pages

Printable version

Permanent link

discussion view source history

Log in / create account

Building an OpenSocial App with Google App Engine

Lane LiaBraaten, Google Developer Programs\ September 2008

While you can write OpenSocial apps that run solely in JavaScript and use the Persistence API to store data on the container, many

OpenSocial apps communicate with a third-party server for data storage or application logic. Integrating with your own third-party server allows

you to add new dimensions to your app, like providing a data API, hosting static content, or allowing configuration through an admin console.

In this article, we'll build an app that is similar to the gift-giving application built in the OpenSocial tutorial . When a user views the app, they

see a drop-down menu of gifts (such as a peanut, or a red pistachio nut) and another drop-down menu containing a list of their friends. The

user can give any of these gifts to a friend and the gift transaction will be displayed. The app will also display any gifts that the user has

received. You can find all the source code used to run this application in the opensocial-gifts project on Google Code Project Hosting. You

can also install this app on the orkut sandbox.

The original gift-giving app is built using 100% client-side OpenSocial code and is therefore subject to a number of limitations imposed by the

container rendering the app, such as the amount of data the container will let you store, and the access controls related to when you can read

and write data. With Google App Engine, you can manage all this data on an external server, freeing your app from any constraints imposed by

the container. Viva la revolución!

Contents [hide]

1 Audience

2 Architecture

2.1 Google App Engine app (app.yaml and gifts.py)

2.2 Database model (db_model.py)

2.3 Admin interface (admin.py)

2.4 JSON data API (api.py)

2.5 OpenSocial application spec (gifts.xml)

3 Setting up a Google App Engine app

4 Using Google App Engine to store data

4.1 Defining the data model

4.2 Populating the datastore

4.3 Accessing the datastore

5 A simple Google App Engine web interface

5.1 Creating a request handler

5.2 Forwarding requests

5.3 Identifying the user

page

search

Go Search

http://bit.ly/osgaeWednesday, April 1, 2009

http://bit.ly/osgae

http://bit.ly/osgae

A Sample Gadget<?xml version="1.0" encoding="UTF-8"?><Module> <ModulePrefs title="Gifts part 1 - Friends"> <Require feature="opensocial-0.8"/> <Require feature="dynamic-height" /> </ModulePrefs> <Content type="html"> <![CDATA[ <script type="text/javascript">function loadFriends() { var req = opensocial.newDataRequest(); req.add(req.newFetchPersonRequest(opensocial.IdSpec.PersonId.VIEWER), 'viewer'); var viewerFriends = opensocial.newIdSpec({ "userId" : "VIEWER", "groupId" : "FRIENDS" }); var opt_params = {}; opt_params[opensocial.DataRequest.PeopleRequestFields.MAX] = 100; req.add(req.newFetchPeopleRequest(viewerFriends, opt_params), 'viewerFriends'); req.send(onLoadFriends);}

function onLoadFriends(data) { var viewer = data.get('viewer').getData(); var viewerFriends = data.get('viewerFriends').getData();

html = new Array(); html.push('<ul>'); viewerFriends.each(function(person) { if (person.getId()) { html.push('<li>', person.getDisplayName(), '</li>'); } }); html.push('</ul>'); document.getElementById('friends').innerHTML = html.join(''); gadgets.window.adjustHeight();}

function init() { loadFriends();}

gadgets.util.registerOnLoadHandler(init); </script> <div id='main'> Your friends: <div id='friends'></div> </div> ]]> </Content></Module>


Stop leaking passwords!2.

Markup existing public data.1.

Support OpenID & OAuth.3.


- three simple things you can do today - and #4 pay attention to this space by watching...


- nothing like pimping your weekly video podcast - we talk about a bunch of this stuff, have great guests explaining what they’re working on and how it fits in

thesocialweb.tv


- nothing like pimping your weekly video podcast - we talk about a bunch of this stuff, have great guests explaining what they’re working on and how it fits in

[email protected]

[email protected]@plaxo.com






mailto:[email protected]?subject=

mailto:[email protected]?subject=

implementing the social web

Technology

ra ft spe

itia tive fro

sd isc uss

query string encrypted

vision real bydeveloping

reusing existing standards

complex issuesaround update

andthe major players