Justin du Coeur (jducoeur) wrote,

Fun with Identity

[Technical article ahead, although more about architecture and concepts than details.]

Today's project was starting to figure out the login process for Querki. It's been educational.

One of the early decisions was that Querki isn't going to have its own logins, at least not by preference. (The option *might* exist, but I'm still not sure.) Frankly, managing passwords and the like is a hassle, at least to do it properly: you have to be utterly scrupulous about the details, and there are a lot of ways to screw up. And really, there's no good reason to do so any more -- the Internet is chock-full of "identity providers" that *want* to be in that business, and there are well-established protocols for Querki to, e.g., ask Facebook "Is this the person he claims to be?". So it's pretty straightforward for me to just delegate that problem elsewhere.

In theory.

There are two things I'm cranky about at the moment. The simpler is that it looks like supporting LiveJournal (and Dreamwidth) identities may be more trouble than it's worth.

The thing is, LiveJournal pretty much invented the modern concept of distributed identity, way back when, with a standard called OpenID. Basically, I can just go to a site that uses OpenID, give my identity as "jducoeur.livejournal.com", and there's this dance between that site and LJ to establish that I am who I say. It was kind of a clever hack, but it basically worked, and has been through a couple of versions now.

The problem is, OpenID is very limited. It establishes *who* you are, but nothing else. Modern social networks generally want more power than that -- they want the "relying" site to be able to ask for permission to see your email address, or post to your wall, or see your friend list. So a fancier protocol was invented, called OAuth. That's also evolved a bit, and OAuth 2.0 is becoming one of those central standards. It's supported by a lot of the important players -- Facebook, Google, Twitter, and so on. But so far, I can't find any evidence that it's supported by LiveJournal. (I would be happy to be proven incorrect here. I've found suggestions that folks were working on OAuth for LJ, but no indication that that's actually become live.) (Edit: It looks like Dreamwidth is at least working on it. No serious sign that LJ is.)

Of course, I don't want to write all the code for this stuff myself. And the heart of the problem is that about half of the libraries to do this sort of distributed login *only* support OAuth nowadays. That's not crazy -- in many ways, it's the more sensible approach -- but I have to decide how much I care. I would really *like* to support LJ and DW as identity providers, since it is where many of my friends focus. But the sad truth is that the vast majority of likely users care much more about Facebook and Google support. So I may have to make some choices there; if the best libraries don't support OpenID, I may have to give up LJ as an identity provider.

The deeper thing that's making me twitchy is the change in attitude about identity. Most everybody agrees that distributed identity is a good thing, but there are two very different attitudes, which I think of as the "whitelist" and "blacklist" approaches. These can be distinguished by a simple question: are users allowed to simply say, "This is my identity", or are they limited to a few pre-defined options?

Far as I can tell, the latter viewpoint is *heavily* winning now. Most of the tools and libraries I'm looking at now fundamentally assume that the relying site (that is, me) predefines which identity providers it is willing to talk to. The deck is *heavily* stacked in favor of the big providers like Facebook and Google: you can add other sites (so long as they implement OAuth), but it requires additional configuration, and sometimes additional code, to do so.

This saddens me. Frankly, I think it's a betrayal of the spirit of the Internet, and pretty dangerous from a societal viewpoint. It's another step towards allowing a few big companies to "own" our identities, which seems like a pretty bad idea on its face.

(The OpenID vs. OAuth thing comes into play here a bit. OpenID, by design, allows for any number of arbitrary identity providers. I suspect it's not accidental that Facebook and Google are quietly working to squash it. Today's big irony was the discovery that AccountChooser -- the big push by the OpenID Foundation for a standard -- doesn't support OpenID.)

There are certainly arguments in favor of the whitelist model (only allowing a few identity providers to be considered valid). In particular, it avoids having to deal with potentially fraudulent identity providers that then need to be blacklisted. And I suspect I'll be pushed in that direction, simply because I don't have time to fight this particular crusade. But I am reminded of why the nymwars fired my blood so much...
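
The two models contrasted above, as an added example that is not part of the original post and is not Querki code: the gate a relying site runs on a user-typed identifier before starting any login dance. The function names and the domain lists are assumptions made for illustration, and no OpenID discovery is performed here.

```python
from urllib.parse import urlsplit

# Constructed policy data for illustration; not Querki's configuration.
WHITELIST = ("livejournal.com", "dreamwidth.org")
BLACKLIST = ("fraud-idp.example",)


def identifier_host(claimed):
    """Return the lowercase host of a user-typed identifier, or raise ValueError."""
    claimed = claimed.strip()
    if "://" not in claimed:
        claimed = "https://" + claimed  # users type bare names, as in the post
    parts = urlsplit(claimed)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    if parts.username is not None or parts.password is not None:
        # 'trusted.com@other.host' puts the trusted name in userinfo, not the host
        raise ValueError("userinfo not allowed")
    if not parts.hostname:
        raise ValueError("no host")
    return parts.hostname.rstrip(".")  # drop a trailing root dot


def matches(host, domains):
    """True if host is one of the domains or a subdomain of one (label-aligned)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def accept(claimed, model):
    """Decide whether the relying site will talk to this identifier's provider."""
    try:
        host = identifier_host(claimed)
    except ValueError:
        return False
    if model == "whitelist":
        # Only predefined providers are considered valid.
        return matches(host, WHITELIST)
    if model == "blacklist":
        # Any provider is valid until it is found fraudulent and listed.
        return not matches(host, BLACKLIST)
    raise ValueError("unknown model")
```

Matching on whole labels is what keeps a host such as `livejournal.com.evil.example` from passing the whitelist as if it were LiveJournal.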
Tags: querki