{"id":607,"date":"2006-10-09T21:12:19","date_gmt":"2006-10-10T05:12:19","guid":{"rendered":"\/?p=607"},"modified":"2006-10-09T21:22:48","modified_gmt":"2006-10-10T05:22:48","slug":"bbauth-and-openid","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=607","title":{"rendered":"BBAuth and OpenID"},"content":{"rendered":"<p class=\"body\">From <a href=\"http:\/\/commented.org\/blog\/\" class=\"broken_link\">commented.org<\/a>, here&#39;s a <a href=\"http:\/\/commented.org\/blog\/2006\/9\/30\/bbauth-vs-openid.html\" class=\"broken_link\">thoughtful piece<\/a> by Verisign&#39;s Hans Granqvist on Yahoo&#39;s BBAuth:<\/p>\n<blockquote class=\"body\"><p>Yahoo! released its <a href=\"http:\/\/developer.yahoo.com\/auth\/\">Browser-based authentication<\/a> (BBAuth) mechanism yesterday. It can be used to authenticate 3rd party webapp users to Yahoo!\u2019s services, for example, photo sharing, email sharing.<\/p>\n<p>Big deal, huh?<\/p>\n<p>The kicker is this though. You can use BBAuth for simple single sign-on (SSO). Most 3rd party web app developers would love to have someone deal with the username and password issues. Not storing users\u2019 passwords means much less liability, much less programming, much less problem.<\/p>\n<p>Now Yahoo! gives you a REST-based API to do just that.<\/p>\n<p>It will be interesting to see how this plays out against <a href=\"http:\/\/openid.net\/\">OpenID<\/a>. They are both very similar. Granted there is some skew: OpenID is completely open, both for consumers and providers of identity.<\/p>\n<p>However, from my own experience, OpenID consumers (a.k.a. relying parties) seem to want only one thing, perhaps two or three:<\/p>\n<ul>\n<li>have someone deal with your users\u2019 passwords,<\/li>\n<li>retrieve name and email address for a user<\/li>\n<\/ul>\n<p>And now Yahoo! does the first, and the second is available. 
At the same time they\u2019re making your app reachable to 257 million+ users. <a href=\"http:\/\/theurer.cc\/code\/sso\/\">Here\u2019s an example<\/a>.<\/p>\n<p>Seems a pretty big reason to implement it for the web app developer, especially since it is such an easy API you can integrate it in an hour or two.<\/p><\/blockquote>\n<p>And yet someone has added a sobering comment&nbsp;to Hans&#8217; blog:<\/p>\n<blockquote><p>It will be interesting to see how long it takes for adoption to reach the point that no one thinks twice when a yahoo login pops up on another site. They&#39;ll be nice and ripe for password harvesting via fake yahoo login forms then. \ud83d\ude42<\/p><\/blockquote>\n<p>Sadly, if I had written this comment I would not have included the happy face. Until the security concerns are addressed, despite&nbsp;Yahoo&#39;s very laudable openness, this is not a happy face moment.<\/p>\n<p>But through Yahoo-issued InfoCards BBAuth would avoid the loss of context that will otherwise lead to password harvesting.&nbsp; It&#39;s a good concrete example of how the various things we&#39;re all working on are synergistic if we combine them.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to Hans, most 3rd party web app developers would love to have someone deal with the username and password 
issues.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,10,7,9,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/607"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=607"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/607\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}