I’m a fan of OpenID, OAuth, and the other protocols that make up what Chris Messina calls DiSo (Distributed Social). There is a lot of exciting stuff that can be done using these open protocols, but I haven’t had a compelling reason to integrate them into anything I was working on. But, the Amazon EC2 server I was working on was on the fritz, and I was waiting for the load to go down. This opportunity gave me about 30 minutes to look into how hard (easy?) it is to implement OpenID login.

I had all the key components: an OpenID login (via my friends at chi.mp; Chris also works for an OpenID provider, Vidoop, and there are many others, covering some people who certainly don’t even know what OpenID is), PHP 5, PEAR, and all the trimmings. I also had experience implementing other authentication mechanisms, such as Facebook Auth. And I had the all-important walk-through at OpenID Enabled. In about 30 minutes and about 50 lines of code (including a login form where I could enter the name of the page I was trying to reach and all the redirect code), I successfully logged into the site I was working on.

Here’s the thing. Implementing the OpenID protocol is, in the immortal words of G.I. Joe, only “half the battle.” The biggest issue facing adoption of OpenID is simply the fact that we have 50 years of legacy where people design authentication into their system when they build it. We even did it at Ringside Networks when building our open source social platform, and we knew about OpenID, OAuth, and the like (something I hope will be addressed, given some community effort and time). If you operate a site that already has authentication built in, you end up having to do significant refactoring of the authentication and user profile system to accommodate OpenID. The net result of an OpenID login is a claimed identity… and probably not an identity your site knows anything about. I’m sure there are folks smarter than me that, 5 years ago when they were building their Web 2.0 site before there was a Web 2.0 label, separated the concepts of authentication and user profiles. But I’m willing to bet there are plenty who didn’t.
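One way to picture the separation of authentication from user profiles described above, as an added sketch that is not code from the original post (Python with sqlite3 rather than the post's PHP, so it runs stand-alone). The table and function names are hypothetical, and it assumes the OpenID library has already verified the claimed identifier before `on_openid_verified` is called.

```python
import sqlite3

# Hypothetical schema: a profile is who the user is on this site; an identity is
# one way of proving it. Password hashes would live elsewhere (omitted here).
SCHEMA = """
CREATE TABLE profiles (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL);
CREATE TABLE identities (
    kind TEXT NOT NULL,             -- 'password' or 'openid'
    identifier TEXT NOT NULL,       -- username, or verified OpenID claimed identifier
    profile_id INTEGER NOT NULL REFERENCES profiles(id),
    PRIMARY KEY (kind, identifier)  -- an identity belongs to exactly one profile
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_profile(db, display_name):
    cur = db.execute("INSERT INTO profiles (display_name) VALUES (?)", (display_name,))
    return cur.lastrowid

def find_profile(db, kind, identifier):
    row = db.execute("SELECT profile_id FROM identities WHERE kind = ? AND identifier = ?",
                     (kind, identifier)).fetchone()
    return row[0] if row else None

def link_identity(db, profile_id, kind, identifier):
    # The primary key makes sqlite3 raise IntegrityError on a duplicate identity.
    db.execute("INSERT INTO identities (kind, identifier, profile_id) VALUES (?, ?, ?)",
               (kind, identifier, profile_id))

def on_openid_verified(db, claimed_id, session_profile_id=None):
    """Map a verified claimed identifier to a local profile."""
    known = find_profile(db, "openid", claimed_id)
    if known is not None:
        # Refuse to silently switch accounts if someone else is already logged in.
        if session_profile_id not in (None, known):
            raise PermissionError("identifier is linked to a different profile")
        return known, "existing"
    if session_profile_id is not None:
        # A logged-in legacy user attaches OpenID to the account they already have.
        link_identity(db, session_profile_id, "openid", claimed_id)
        return session_profile_id, "linked"
    # The site knows nothing about this identity yet: provision an empty profile.
    new_id = create_profile(db, claimed_id)
    link_identity(db, new_id, "openid", claimed_id)
    return new_id, "created"
```

Linking happens only from an already authenticated session; the sketch never merges accounts based on an unverified attribute such as an e-mail address.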

Oh, and your OpenID implementation isn’t free (at least not from me) if it can’t be done in half an hour, just in case you were wondering!
