Google, Plaxo Blend OpenID, OAuth For Secure Federated ID
Remember back in October when Google waved the flag for OpenID, the federated log-in standard that lets users sign in to many Web sites with a single identity and password? More importantly, the company was accused of perverting OpenID by creating its own flavor of it.
Yesterday Google and Plaxo detailed the next step in their federated identity plans with "Hybrid Protocol," combining OpenID federated log-in with OAuth access authorization and the Google Contacts API for secure import of the user's address book.
Simply, Web sites can now ask Google to sign in a user using their Google Account, while simultaneously requesting access to information available via OAuth-enabled APIs.
Privacy geeks in Google's and Plaxo's camps see the OpenID/OAuth blend as a Reese's peanut butter cup of Web site access, and an alternative to Facebook Connect, the leading social network's proprietary federated Web site service.
Plaxo is making the first use of this with Two-Click Signup, as Yariv Adan of Google's security team sums up:
In the past, sign-in required multiple redirects between Plaxo and Google, and more importantly, multiple user approval pages, one for OpenID during sign-in and another for the OAuth access authorization request. No more! The Hybrid Protocol allows Plaxo to encapsulate their OAuth authorization request inside the OpenID authentication request, letting Google know that the user wants to use both APIs. Google can now display a single approval page for both requests.
Plaxo's John McCrea notes this is better for the user by being more convenient and more secure; better for the identity provider by not asking the user for their password and then scraping their data; and better for the site by delivering a higher conversion rate on sign-up flows and getting more useful data from the user.
Two-Click Signup starts with the invitation from a Plaxo member to a non-member via Gmail, who will see this Google-optimized landing page and a Sign Up With My Google Account Button.
Then comes the two clicks to become a registered user of Plaxo. The first click takes them back to a Google consent page.
The second lets the person agree to use their Google account for signing in to Plaxo and tells Google they grant Plaxo permission to access their e-mail address and Gmail contacts. The user is then redirected back to Plaxo, already signed in, with their Google contacts available.
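The exchange behind those two clicks, as described in Adan's summary above, is one OpenID authentication request that carries the OAuth authorization request inside it, answered by one signed assertion that also carries the authorized OAuth request token. The following simulation is an added example, not code from Google or Plaxo: a relying party builds the combined request, a provider issues the combined response after a single consent, and the relying party verifies it. The extension parameter names (`openid.ns.oauth`, `openid.oauth.consumer`, `openid.oauth.scope`, `openid.oauth.request_token`) follow the OpenID OAuth Extension draft that the article says Google and Plaxo are standardizing; the endpoints, realm, scope URL and association secret are constructed placeholders. The check a practitioner should take away is at the end: the relying party must only trust a request token whose field appears in `openid.signed`, so that an unsigned token cannot be injected into the return trip.

```python
"""Simulation of the OpenID/OAuth hybrid exchange: one OpenID request that
embeds an OAuth authorization request, one consent page, one signed response
carrying both the identity assertion and the OAuth request token.
Added example; endpoints, realm, scope and the association secret are
constructed placeholders, not Google's or Plaxo's values."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
OAUTH_NS = "http://specs.openid.net/extensions/oauth/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Association shared between RP and OP (constructed; real OpenID establishes
# it with a Diffie-Hellman exchange or over TLS before any sign-in).
ASSOC_HANDLE = "assoc-example-1"
ASSOC_SECRET = b"constructed-shared-secret"

def build_hybrid_request(op_endpoint, realm, return_to, consumer_key, scope):
    """RP side: a single checkid_setup request that also asks for an OAuth token."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
        "openid.assoc_handle": ASSOC_HANDLE,
        # OAuth extension: request a token for this consumer key and scope.
        "openid.ns.oauth": OAUTH_NS,
        "openid.oauth.consumer": consumer_key,
        "openid.oauth.scope": scope,
    }
    return op_endpoint + "?" + urlencode(params)

def sign_fields(params, signed):
    """OpenID signature: HMAC over the key-value form of the listed fields."""
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    mac = hmac.new(ASSOC_SECRET, kv.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def op_approve(request_url, user_identity, user_consented):
    """OP side: after ONE consent page, return the assertion plus request token."""
    split = urlsplit(request_url)
    q = {k: v[0] for k, v in parse_qs(split.query).items()}
    if not user_consented:
        return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
    resp = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": split._replace(query="").geturl(),
        "openid.claimed_id": user_identity,
        "openid.identity": user_identity,
        "openid.return_to": q["openid.return_to"],
        "openid.response_nonce": "2009-01-23T00:00:00Z" + secrets.token_hex(4),
        "openid.assoc_handle": ASSOC_HANDLE,
        # Authorized OAuth request token, scoped to what the user approved.
        "openid.ns.oauth": OAUTH_NS,
        "openid.oauth.request_token": "constructed-req-token-" + secrets.token_hex(4),
        "openid.oauth.scope": q["openid.oauth.scope"],
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle",
              "ns.oauth", "oauth.request_token", "oauth.scope"]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = sign_fields(resp, signed)
    return resp

def rp_verify(resp, expected_return_to):
    """RP side: check the signature, then only trust a token that it covers.
    Returns None when the assertion is invalid; otherwise identity and token."""
    if resp.get("openid.mode") != "id_res":
        return None
    signed = resp["openid.signed"].split(",")
    for field in ("op_endpoint", "claimed_id", "identity",
                  "return_to", "response_nonce", "assoc_handle"):
        if field not in signed:
            return None
    if resp["openid.return_to"] != expected_return_to:
        return None
    if not hmac.compare_digest(sign_fields(resp, signed), resp["openid.sig"]):
        return None
    result = {"identity": resp["openid.identity"], "request_token": None}
    token = resp.get("openid.oauth.request_token")
    # A token outside openid.signed could have been added in transit: ignore it
    # (the sign-in itself still stands; the contacts import does not).
    if token and "ns.oauth" in signed and "oauth.request_token" in signed:
        result["request_token"] = token
        result["scope"] = resp.get("openid.oauth.scope")
    return result
```

The relying party then exchanges `request_token` for an OAuth access token and calls the contacts API with it; that second leg is plain OAuth and is not shown here.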
Google and Plaxo are working with the rest of the OpenID community to standardize the new protocol as a formal OpenID extension.
A lot of work went into this. While Google and Plaxo are only two Web sites, their large user bases make them a great testing ground for OpenID/OAuth hybrids. Again, this is just a test, but it's a promising start and a solid step on the path to federated Web access. Google and Plaxo hope others follow their lead.
Of course, we're still in that uncomfortable spot of diverging efforts, with Google and Plaxo seemingly pitted against Facebook, which is fiercely protective of its walled garden of 150 million-plus users.
In a sense, it's not unlike those spiteful Web services standards wars. Hopefully, these new programmers have learned a thing or two from them and will move the Web forward post haste.