April 03, 2007

Pick one: OpenID or Yahoo BBauth

OpenID is an attractive option for web startups that care about their users' convenience. For those who have never heard of it, OpenID is an open, decentralized framework for digital identity on the web: you create an OpenID once and use the same credentials to log in to every website that supports it.

Lately I have been exploring it for my upcoming web application. After enough reading I came to appreciate its architecture and API, and how simple it is for both the user and the developer. But before diving in and getting my hands dirty, I also considered the HTTP-based authentication frameworks offered by Yahoo and Google.

Almost every web user has a Yahoo account, which would mean an effortless login to my webapp. Yahoo BBAuth is indeed an excellent service, but with one drawback: Yahoo does not reveal the user ID of the logged-in user. Instead it returns a hash value (the userhash) that corresponds to the account. I am not willing to use that hash as the only key tying persisted user data to a user. Why? Because if Yahoo ever changed its hashing scheme, every mapping between my stored data and my users would break at once, and existing users would find themselves logged into empty accounts.

So OpenID became my choice. There are plenty of OpenID providers on the web; check them out here... To make life easy for developers, there are libraries for most implementation languages. I was interested in Java, where the options include IdPrism, NetMesh InfoGrid and OpenID4Java. Of these, I found IdPrism the most straightforward to integrate with my application.

While searching for a good OpenID provider, I came across an interesting approach by Simon Willison that bridges the OpenID protocol and the Yahoo BBAuth API. You can check it out at IdProxy.net.

2 Comments:

Unknown said...

Hi,

Great post. The idea behind the userhash is to keep it consistent and not change it going forward, because this would break web applications and we (Yahoo) don't want that. The reason not to give out the user's ID is privacy.

--dantheurer / theurer.cc/blog

Simon Willison said...

You don't have to pick one or the other: you can support both. Maintain your own table of user accounts, then allow your users to associate a Yahoo! account or OpenID (or even multiple Yahoo! accounts and OpenIDs) with their account in your system. Then when someone logs in with a Yahoo! ID or OpenID you can look up their account and sign them in as that user.
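The account-linking design Simon Willison describes in his comment, together with the "hash as the only key" concern from the post body, as an added example that is not part of the original post, of Yahoo BBAuth, or of any of the Java libraries mentioned. It is written in Python with an in-memory SQLite database (an assumption made here so the example runs stand-alone). Each external identity, whether a Yahoo userhash or an OpenID URL, is stored as an opaque key that maps to an internal account ID; application data hangs off the internal ID only, so a changed external identifier would at worst produce a fresh, unlinked account rather than corrupt existing data. The OpenID normalization is a simplified version of the URL rules in the OpenID 2.0 spec (no discovery, no XRI handling), and the table, function and sample identifier values are all invented for this example.

```python
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Invented schema for this example: one local account per user, any number of
# external identities linked to it. external_id is an opaque string (a Yahoo
# userhash or a normalized OpenID URL); application data keys on users.id,
# never on the provider-side identifier.
SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    display_name TEXT NOT NULL
);
CREATE TABLE external_identities (
    provider    TEXT    NOT NULL,                      -- 'yahoo' or 'openid'
    external_id TEXT    NOT NULL,                      -- opaque provider-side key
    user_id     INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, external_id)                -- one owner per identity
);
"""


def normalize_openid(identifier: str) -> str:
    """Simplified OpenID 2.0 URL normalization (spec section 7.2): add http://
    if there is no scheme, lowercase scheme and host, default the path to '/',
    and drop any fragment. Discovery and XRIs are deliberately not handled."""
    raw = identifier.strip()
    if "://" not in raw:
        raw = "http://" + raw
    parts = urlsplit(raw)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class IdentityStore:
    """Maps verified external identities to internal user ids."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA foreign_keys = ON")
        self.db.executescript(SCHEMA)

    @staticmethod
    def _key(provider: str, raw_id: str) -> str:
        if provider == "openid":
            return normalize_openid(raw_id)
        if provider == "yahoo":
            return raw_id          # userhash: stored verbatim, never interpreted
        raise ValueError(f"unknown provider {provider!r}")

    def create_user(self, display_name: str) -> int:
        cur = self.db.execute(
            "INSERT INTO users (display_name) VALUES (?)", (display_name,))
        self.db.commit()
        return cur.lastrowid

    def link(self, user_id: int, provider: str, raw_id: str) -> None:
        """Attach an external identity to an existing local account.
        Refused if that identity is already owned by any account."""
        key = self._key(provider, raw_id)
        try:
            self.db.execute(
                "INSERT INTO external_identities (provider, external_id, user_id) "
                "VALUES (?, ?, ?)", (provider, key, user_id))
        except sqlite3.IntegrityError:
            raise ValueError(f"{provider} identity already linked") from None
        self.db.commit()

    def lookup(self, provider: str, raw_id: str):
        row = self.db.execute(
            "SELECT user_id FROM external_identities "
            "WHERE provider = ? AND external_id = ?",
            (provider, self._key(provider, raw_id))).fetchone()
        return row[0] if row else None

    def login(self, provider: str, raw_id: str, new_display_name: str) -> int:
        """Call only after the provider's response has been verified (BBAuth
        signature / OpenID assertion). Returns the local user id, creating a
        fresh account if this identity has never been seen before."""
        user_id = self.lookup(provider, raw_id)
        if user_id is None:
            user_id = self.create_user(new_display_name)
            self.link(user_id, provider, raw_id)
        return user_id


def demo() -> dict:
    """Constructed sample data: Alice links a (made-up) Yahoo userhash and an
    OpenID to one account; Bob arrives later through an unknown userhash and
    then tries to claim Alice's OpenID for himself."""
    store = IdentityStore()
    alice = store.create_user("alice")
    store.link(alice, "yahoo", "uh_alice_0001")          # constructed userhash
    store.link(alice, "openid", "alice.example.com")
    bob = store.login("yahoo", "uh_bob_0002", "bob")     # constructed userhash
    try:
        store.link(bob, "openid", "http://Alice.Example.com/#profile")
        takeover_blocked = False
    except ValueError:
        takeover_blocked = True
    return {
        "alice": alice,
        "bob": bob,
        "via_yahoo": store.lookup("yahoo", "uh_alice_0001"),
        "via_openid": store.lookup("openid", "HTTP://alice.example.com/#x"),
        "takeover_blocked": takeover_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The primary key on (provider, external_id) is the security-relevant check: it stops a second local account from claiming an identity that is already linked to someone else, which would otherwise be a way to take over that account's data. Normalizing OpenID URLs before the lookup matters for the same reason, since "alice.example.com" and "http://Alice.Example.com/#profile" must resolve to the same owner rather than to two different accounts.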