
Entries tagged as ‘OpenID’

Woven Clouds: OpenID

January 31, 2010

When it comes to building services using the cloud, one often comes across the need to weave different cloud-based offerings together. One example is OpenID. I blogged about it last year. In this post, I would like to take it to the next level and offer a programming pattern for using it with specific examples for Google App Engine. JanRain’s RPX API makes it easy to incorporate.

Ingredients

When you sign up with RPX and register your application, you get:

  1. An application ID,
  2. An iFrame widget and
  3. An API token.

When signing up, the domain names need to be provided. These are domain names from which an authentication request may originate. In our case, that includes localhost and www.example.com.

Recipe

Create a login page and place the iFrame widget on it. The iFrame will point to something like

src="https://example.rpxnow.com/openid/embed?token_url=appRpxURL"

where appRpxURL is a URL served by the application. When a user interacts with the login page, RPX calls the application at this URL with a token and the application is expected to turn around and request information about the user. This Google App Engine code fragment illustrates the interaction (to access it, you will need to use an OpenID login). At this point, the application knows the user id. This part is documented in a number of places on the web.

Integration

In a number of the applications we develop at Early Stage IT, the user id is stored in a session variable using GAE Utilities for the remainder of the session. The above-cited code fragment shows this also. The application is still responsible for determining what the user is entitled to do. The first thing to do in handling a user request is to verify that the user has the requisite application capability. This is illustrated in the last part of the sample code.

When the user logs out, clear the cookies by calling theSession.terminate().
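The token callback and the capability check described above, as an added Python sketch that is not the code fragment this post links to. The auth_info endpoint and its apiKey/token/stat/profile field names are written from memory of the RPX API and should be checked against JanRain's documentation; the dict-like session, the CAPABILITIES table and the fake_rpx transport are assumptions made so the example runs offline.

```python
import json
from urllib.parse import urlencode

# Assumed RPX endpoint and field names; verify against JanRain's documentation.
AUTH_INFO_URL = "https://rpxnow.com/api/v2/auth_info"

# Hypothetical entitlement table: OpenID identifier -> capabilities the app grants.
CAPABILITIES = {"https://id.example.net/alice": {"view_reports"}}


class AuthError(Exception):
    pass


def handle_token_callback(form, session, api_key, http_post):
    """Handler for appRpxURL: swap the one-time token for the user's identifier."""
    token = form.get("token", "")
    if not token:
        raise AuthError("missing token")
    # The API token (apiKey) travels server-to-server only, never to the browser.
    body = urlencode({"apiKey": api_key, "token": token, "format": "json"})
    reply = json.loads(http_post(AUTH_INFO_URL, body))
    if reply.get("stat") != "ok":
        raise AuthError("RPX rejected the token")
    identifier = reply.get("profile", {}).get("identifier")
    if not identifier:
        raise AuthError("no identifier in profile")
    session.clear()  # drop any pre-login state before storing the user id
    session["user_id"] = identifier
    return identifier


def require_capability(session, capability):
    """First step of every request: deny unless the user id holds the capability."""
    user_id = session.get("user_id")
    if user_id is None or capability not in CAPABILITIES.get(user_id, set()):
        raise AuthError("not entitled")
    return user_id


def fake_rpx(url, body):
    """Constructed stand-in for the HTTPS POST to RPX, with constructed replies."""
    if "token=good-token" in body:
        profile = {"identifier": "https://id.example.net/alice"}
        return json.dumps({"stat": "ok", "profile": profile})
    return json.dumps({"stat": "fail", "err": {"msg": "invalid token"}})
```

The user id comes only from the server-side auth_info reply, never from a request parameter, and an identifier with no entry in the capability table is denied by default.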

If you use it…

…please cite this blog post. Feedback — positive or negative — gratefully accepted.

Categories: Techniques

Barriers to Acceptance: User IDs

May 4, 2009

Have you ever been discouraged by a “Sign Up for free” link? Many users are. 15-20% of users abandon a site rather than do the register-confirm-accept dance. Consider lowering the barrier that many users feel when asked to provide their email address to register. In this post, I discuss how you can use IDs from major providers instead of coming up with your own.

A word of caution: the OpenID idea has enjoyed less than spectacular success. Still, a number of announcements this year suggest that the industry is perhaps arriving at a consensus.

A vision of the login sequence, using IDs from other providers, is shown on the right.

The table below shows user counts that the UI vision above would target. They were compiled from Comscore stats for internet properties (MySpace is under Fox Interactive Media) and from a different report which zeroes in on email addresses.

#    Site       Users (millions)
1    Gmail      31
2    Yahoo!     93
3    Hotmail    43
4    AOL        45
5    MySpace    89
::   ::         ::
8    Amazon     63
::   ::         ::
13   Facebook   51

A key question that remains is what the stats are for your own users. Of course, you won’t know the answer to that question until you have gone live, so perhaps it is best to cast a wide net in the beginning.

Here are a few references for implementation:

  1. Some background material: What is OAuth and how does it work?
  2. If you want to do the programming, a recipe for OpenID 1.1 from Plaxo, instructions for using Yahoo! as an identity provider, using Google’s OAuth.
  3. If you want to use a third-party solution, RPX service for OpenID 2.0 from JanRain.

Of course, this only addresses the authentication question. How your users will be given entitlements to do what they need to do, and only what they need to do, remains an implementation decision.

Categories: Requirements