
Retina Screen Tab Sweep · When you’re running your 15" Retina Mac in high-rez mode and you still don’t have room for all your tabs, you probably have a lifestyle problem. One solution is to publish the links, so if your don’t-kill-this-tab instinct turned out to be right, you have Internet Memory on your side ...
[1 comment]  
OpenID Connect is Here · Signed, sealed, and delivered as of February 26th. Better than that: In high-volume production at Google and Deutsche Telekom for a while now. Based on OAuth 2, which has been frozen since 2012. Not perfect, but I’d call it one of the safer technology deployment bets you can make right now ...
[7 comments]  
Nifty Refresh-token Trick · What happened was, HR wanted to set up a partner to offer benefits for active Googlers only, and thus we discovered an OAuth 2-based trick that I bet will work in lots of other situations too ...
[1 comment]  
FC9: Social Sign-in · This term gets bandied about quite a bit in the Federation Conversation. When it comes up, developers tend to strong emotional reactions: On the one hand “We really need social sign-in to make our service work” and on the other “Ewww, no way; I don’t want our users worried about what’s being shared.” I’ve been digging around the subject; sometimes I think there’s no there there ...
 
Tab Sweep · The tabs! They multiply like magnificently miscellaneous maggots! ...
 
FC8: On Trust · All these technology and information-flow and money issues in the Federation Conversation are real, they matter. But none of them matter as much as trust. For flavor, here’s commenter Dewald Reynecke: “I don't trust Facebook/Google as far as I can throw them — I simply do not want to outsource my identity to an advertising company.” ...
[18 comments]  
FC7: Users vs Apps · When a person signs into an app, that’s a transaction, and value is exchanged. Who comes out ahead on the deal? ...
[4 comments]  
The Fingerprint Hack · Today, Germany’s Chaos Computer Club claims to have hacked the iPhone 5s Touch ID. Since I now get paid to think about Identity stuff all the time, I’ll think out loud about the question: “Is Touch ID a good idea?” ...
[9 comments]  
FC6: Who Are You? · This is part of the Federation Conversation, where commenter Jashan worried, reasonably enough: “Users tend to forget which of the gazillion available services they have registered at your site with. And then they're too lazy to try all the possibilities. And then they're gone.” Ouch! ...
[2 comments]  
FC5: Manage Those Passwords! · Inventing good passwords is hard and so is remembering them, that’s part of the problem. So, how about we get computers to do the tedious stuff for us? Turns out you can, using something called a “Password manager”. Are these things going to end the Federation Conversation? [This piece is part of that conversation.] ...
[12 comments]  
FC4: Persona Questions · A couple of episodes back, commenter “tom jones” wrote, urging me to study Mozilla Persona: “it seems all the questions you are discussing have already been solved by them.” Well, then ...
[10 comments]  
FC3: Who’s Watching You? · Worried about being watched? Me too. So who’s doing it, and why, and what can they see, and what can you do about it? ...
[4 comments]  
FC2: Single Point of Failure? · If you rely on an Identity Provider (“IDP”) to sign into lots of apps, here are two things to worry about: If the IDP gets hacked, do the bad guys get into all your apps? And if you lose your IDP account, are you locked out of all of them? ...
[14 comments]  
FC 1: Who Learns What · When you click on the dark-blue button to sign in with Facebook (or bright red for Google) what does Facebook (or Google) learn about you? What does the app you’re signing into learn about you? Uncertainty makes people nervous about federated login ...
[13 comments]  
Federation Conversation · I published Why Federate? last week, arguing that apps should get out of the password business. Ouch! I got ferocious pushback in my comments, on Twitter, and on the accompanying G+ post. Take a minute and read a few. Clearly we need to have a conversation ...
[26 comments]  
Why Federate? · Part of my job these days is convincing people to get out of the password business and start “Federating”; that is to say, outsource the login mechanics to an “Identity Provider” (IDP) like Facebook or Google or Microsoft or Twitter (and there are lots more). I’ve given the sales pitch quite a few times now; here it is ...
[39 comments]  
Two Factor, Twice · One of my jobs is browbeating people to turn on 2-Step Verification, and it’s working; more and more people are. Today I learned that we’ve got some open-source technology you can use to add 2-factor to your own app ...
[17 comments]  
Project findIDP · What happened was, I got an invite to Poetica, the new startup by Good Internet People Blaine and Maureen. (Poetica has a strong central idea and is aesthetically a treat.) The login experience was unlike anything I’d seen ...
[7 comments]  
Hotel Token · An OAuth 2 access token is like a hotel-room key card ...
[4 comments]  
On ID Tokens · These are a product of the OpenID Connect work, and I think they’re going to be super-useful; in fact I keep getting ideas for nifty things you could do with them. So here’s a walk-through on what they are and how they work; maybe you’ll have some ideas too ...
[6 comments]  
The Tragedy of the Re-Auth · We’re pushing the notion that sites should do “Federated Identity”; that those “Sign in with Facebook/Google/Twitter/whoever” badges you see everywhere are A Good Thing. And indeed they are. But it’s exposing a subtle problem ...
[11 comments]  
How to Think About OAuth · I’m not a deep OAuth 2.0 expert yet; at this point that label is reserved for the (substantial number of) people who wrote the specs. But I’ve worked with a few implementations and talked it over with smart people, and I have opinions. Summary: It’s a framework not a protocol, it has irritating problems, and it’s really very useful ...
[8 comments]  
Geek Beers · I’m in London next week for the OIDF Workshop. I plan to spend the evening of Tuesday January 22nd with my bum on a seat in The Phoenix and a beer in front of me. Anyone who has an opinion about Identity or Android or Google or photography or Japanese Metal bands, drop by and say hello.
[2 comments]  
Client + Server - Passwords · This has been live on our servers for a while, but is now announced and open for general use. Here’s the short version: If you have an Android app and a web-server back-end, you can authenticate the person using the app to your back-end securely, efficiently, and with no prompts or passwords ...
[11 comments]  
AccountChooser · This isn’t exactly a Google thing, but we’ve been putting a lot of work into it, and now it’s about ready to use. I think lots of sites should. Because it’s easy, private, secure, and reduces login pain ...
[15 comments]  
Can’t We All Just Get Along? · Here’s the weird thing about this identity gig: There’s no enemy. So who can we blame for our failures? ...
[18 comments]  
Twitter OAuth, Easy · Back in 2009 I wrote this little Ruby script I run Mondays to grab the last week’s tweets and publish them into the Short-form Fragments stream here on the blog, because who knows when Twitter might make my history vanish? It broke today and I fixed it and had another instructive OAuth experience ...
[1 comment]  
Help Plan My 2013 · The Identity group where I’m working now is going to be launching some stuff soon, and I want to go out and talk to the world about it. I’m looking for input on good developer-focused meetings and conferences that I should be at to talk and, more important, listen ...
[9 comments]  
Android OAuth via Google Play services · It started launching this morning, to every compatible Android device in the world running Froyo or higher. That’s a lot of devices, and even at Google scale it’ll take some time to roll out. This is a subtle but significant change in the ecosystem ...
[4 comments]  
Less Pain, More Money · Logging in is annoying and slows you down. My job these days is mostly about reducing that pain, ideally to zero by eliminating it. Google really wants this to happen; here are two reasons why, one general and one specific ...
[22 comments]  
On the Deadness of OAuth 2 · Wow, did Eran Hammer ever go off. His noisy slamming of the OAuth 2 door behind him has become a news story. I have opinions too ...
[8 comments]  
Now on Identity · As of July 1, I’m moving from Google’s Android team to our Identity group, to work on OAuth, OpenID, and that sort of stuff. Back to being a full-time Web guy, for a while anyhow ...
[24 comments]  
Android App Engine Client · Recently I wrote a scary App-Engine back end for an Android app. I wanted it to be secure, which should be easy because Androids have Google accounts and App Engine knows about those. I got it to work, but the process irritated me enough that I decided to package it up as a public service. So now there’s a little open-source library called App Engine REST Client. It offers GET and POST methods, includes an Authenticator class, and tries to be as simple as possible to use ...
[4 comments]  
OpenSSO and Enterprisey Open Source · [This is one of four pieces of Sun news from last week; I actually got to make the announcements at OSCON but was too busy to blog]. A couple of years ago, Sun’s software group launched the OpenSSO project, the open-source version of our big comprehensive suite of identity-management tools. Now, that project is a supported Sun product: OpenSSO Express. I don’t understand the software deeply enough to say anything authoritative about it, but the pricing-and-support model is interesting ...
[1 comment]  
Sharecropper Alert · One of the most interesting pieces of the new Google App Engine is the identity piece ...
[17 comments]  
Tab Sweep — Tech · Tonight, a smaller, bi-focused sweep: Identity and HTTP ...
[2 comments]  
Tab Sweep — Tech · Today we have Java yielding, thread ranting, REST lecturing, and identity insight ...
[6 comments]  
OpenID at Work · On both the Internet and behind the firewall, the identity problem gets uglier every year. How many passwords do you have? If you’re in IT, how much pain do you go through getting all your apps to share a notion of who someone is? There are a lot of smart people working on these problems, but progress has been crushingly slow. We’re doing a little something with OpenID this week that won’t turn the world inside out but I think shows that progress is possible ...
[11 comments]  
OpenID · The buzz around OpenID is becoming impossible to ignore. If you don’t know why, check out How To Use OpenID, a screencast by Simon Willison. As it’s used now (unless I’m missing something) OpenID seems pretty useless, but with only a little work (unless I’m missing something) it could be very useful indeed ...
[31 comments]  
Tab Sweep · This is going to be big and have month-old news in it; a consequence of the long southern-hemisphere posting interruption. I’ll even group ’em into paragraphs ...
 
SAML On The March · I tell people I’m a software generalist, but there are lots of holes in my knowledge. One of them is identity and I really must fix that, because it’s a hot pain point both for businesses and individual people. (How many passwords do you have?) Anyhow, our own Eve Maler is one of the people you want to watch in this space, and she’s pointing us at a bunch of action over in SAML-land, here, here, and here. For my money, the hot story is the Danish requirement that if you want to do federation, you should bloody well use SAML. The Danes have had positive experiences with shared standardized XML vocabularies, having scored a big win with UBL. I can’t imagine anything in the short term that would be of greater benefit for everyone than ubiquitous shareable identity services.
 
Raining on the Parade · I guess it’s good that Steve and Scott made nice, and there’s no doubt that when the customers tell you to interoperate, then you bloody well interoperate, so it was a good piece of work (see Pat Patterson’s take in a comment on his own blog). But this glue for linking to Microsoft’s WS-Federation is a second-rate solution at best. Among other reasons, WS-Federation is yet another WS-backroom spec that might change (or go away) any time the people in the backroom want it to; not something I’d advise betting on. If you have products from any two vendors that implement Liberty Alliance specs properly, well, they interoperate. Single sign-on? Yawn. Pretty well everybody is a member, oh except Microsoft. If the customers want single sign-on (and they do want single sign-on), Microsoft should bloody well join Liberty and implement the specs, then they’ll have interoperation with everyone, not just Sun.
 

I am an employee of Amazon.com, but the opinions expressed here are my own, and no other party necessarily agrees with them.

A full disclosure of my professional interests is on the author page.