Preview: walkah - openid


Updated: 2015-10-09T10:05:14-04:00


Open, Social for the rest of the web


This past weekend, I had the privilege of being one of the chosen attendees for Social Web FooCamp. Needless to say, I was flattered and had an amazing time (thanks again, @daveman692 and @davemorin ) . One thing, however, became very apparent: the conversation, currently, is being dominated by the 'big players' (Google, Yahoo, Facebook and Myspace predominantly). In several discussions I found myself increasingly dropping the phrase:

... on the rest of the web

the big guys

First off, this is not a critique of the Googles and Facebooks of the internet. They are incredibly valuable to the growth of the open web. The fact that Google, Yahoo and Myspace all three have various OpenID and OAuth initiatives in the wild and are actively pursuing additional ways to open their data is awesome (and Facebook wants to get there). It helps raise awareness and bring (slash confirm) "legitimacy".

The big guys also have resources. They can attend the conferences (and camps!) and have dedicated resources to write the standards, participate in the discussions and help shape the future.

However, they are only part of the discussion.


The issues the major providers face are different from the rest. They have a few sites with large numbers of users (hundreds of millions). Out here on the rest of the web, we have millions of websites, each with a "small" number of users (hundreds or thousands). We all understand the necessity for open data, identity, standards and protocols, but our reasoning tends to be slightly different.

The big guys recognize the benefit of exposing their data and most are providing OpenID and various levels of OAuth. How many are consuming it?

Sure, the big players want to be the primary authority for your identity and your information. In some cases, it is their business. But, rather than ranting against 'the man', I ask: have we - the rest of the web - given them a compelling reason to yet?

open source platforms for the open web

It's one thing for a major site (with hundreds of millions of users) to act like a silo, but on the rest of the web it amounts to isolation.

Those of us working on open source web platforms have an enormous potential for influence here. Implementing the various open standards "from scratch", while possible, is not realistic or even necessary. Increasingly, individuals have WordPress blogs or perhaps their company, organization or club has a Drupal site. Web developers are increasingly turning to these platforms, or development frameworks such as Rails and Django. These platforms all have a real opportunity to bake in implementations of these open standards. The DiSo project offers a central place for co-ordination around these efforts.

We have data - gobs of it. We also, collectively, have the users and, in most cases, have more authoritative information about them (we know ourselves, our employees and our members).

We - the rest of the web - need to join the conversation: attend the events, participate in the mailing lists, and build the code to power the open, social web.

DrupalCon is Coming with lots of OpenID


In just a few days, most of the Drupal community will be headed to Washington, DC for DrupalCon. As the conference draws closer, I always get excited to see friends I don't get to see and share exciting ideas, but this time there is a lot of growing interest and activity around OpenID.

As has become a bit of a tradition, I'll be giving my 4th OpenID talk. This year, I'm hoping to focus a bit on the exciting new developments from the OpenID community and looking at some of the things being built on top of OpenID (like the OpenID/OAuth hybrid model and the DiSo project).

Also, Chris Messina will be one of the keynote presenters - also talking about online identity. We had Chris on the Lullabot podcast this week - be sure to check it out!

Finally, for those of you coming to DC - I'm going to round up interested parties on Saturday for an OpenID code sprint. Hope to see you there!

DiSo for Drupal


I had an interesting e-mail exchange yesterday with Chris Messina and a handful of folks from the DiSo project about "DiSo for Drupal". For those of you who haven't heard of it, DiSo is:

DiSo (dee • zoh) is an umbrella project for a group of open source implementations of these distributed social networking concepts. Or as Chris puts it: “to build a social network with its skin inside out”.

See, Chris recently started a new job working on DiSo full-time at Vidoop. With the announcements of Facebook connect and Google's Friend Connect, there is a battle raging for control of your identity and your relationships. DiSo, in many respects, is the free open answer for the rest of the internet. It combines several free, open standards that already exist in the wild like OpenID, OAuth, and Microformats for exchanging identity and "friend" information.

So, Chris reached out to a handful of us Drupal folks about getting on board. The good news is: we, the Drupal community, are already well on our way:

  • OpenID (in Drupal 6.x core)
  • OpenID Provider :
  • OpenID Attribute Exchange : (in progress via Google SoC)
  • OAuth :
  • Atom : syndication only - - might be nice to have a basic envelope generator/parser implementation
  • XMPP : , and (the latest of which is maybe the most promising)
  • vCard / hCard :

The big holes at the moment (from a DiSo perspective) are XRDS-Simple support and better support for microformats - specifically XFN.

From the list of Drupal modules above, you may notice that this is an area of interest of mine :-P I look forward to working with the rest of the DiSo project and the Drupal community on this stuff!

Google SoC: Drupal, OpenID and Attribute Exchange


Summer is coming - which means it's time for Google's Summer of Code. This is the fourth year of the project (and the fourth year that Drupal has been involved). We continue to be one of Google's favourite open source projects this year grabbing 21 spots - which means a $105,000 investment in Drupal development this summer!

I'm excited as this will be my third year as a mentor and my project this year will be OpenID Attribute Exchange support for Drupal. Attribute Exchange is one of the next important pieces in digital identity and one that I'm pretty excited about. My student, Anshu Prateek, has shown a lot of enthusiasm. I think it's gonna be a good summer!

DrupalCon: OpenID slides and recap


With almost a week gone by since I left Boston, it's high time to do a quick recap of DrupalCon Boston 2008. Despite spending most of the week battling a nasty stomach flu, making two trips to the Apple Store in Cambridge, and being without my laptop (which suffered a failed keyboard and trackpad), I had a great time and want to offer my congrats to the organizing team for a solid event!

Although I took part in 6 sessions, I only presented one of them on my own: OpenID and Identity in Drupal. I was pleased with how the session went - packed room with lots of great feedback and discussion. For those interested, check out the slides on slideshare.

Otherwise, it was really great to see all the old faces and meet some new ones. For anyone who missed it, the Acquia party was a blast (Orbit rocks!). Looking forward to the next!

OpenID at DrupalCon Boston 2008


Here we go again! One week from today, DrupalCon Boston 2008 will get underway. For the 3rd straight conference, I'll be doing a session on OpenID in Drupal:

OpenID and Identity in Drupal: the future of user.module

Those of you who have attended my OpenID talks at previous DrupalCons should definitely come out to this one, as I would like to dive a bit deeper into roadmapping future changes, additions and directions for the code as well as touching on rolling out OpenID support across the infrastructure itself. I'd also like to discuss additions and changes to user.module that will better accommodate alternate authentication mechanisms.

Can't wait to see you there! Oh, and yes, I'll bring my socks ;-)

Harvard Joomla site hacked: things to learn?


There have been reports that Harvard recently had a Joomla! based website compromised, and the database contents have been made available via BitTorrent. Of interest - the compromise was apparently via the usage of an insecure password. From the Torrent Freak article:

A file included with the release labeled password.txt carries a message: Thomas gatton….stupid people, you don’t use a secure password

While it's not entirely clear whether it was an insecure system password or an insecure Joomla! password used - it does highlight an important aspect of security.

Ensuring that you write secure code is only (a small) part of the security problem. With our recent Drupal 6.0 release, we have tried to incorporate several changes to help our users be more secure:

  • Password strength checker: when selecting a password now in Drupal, users are advised when their passwords are "weak". This encourages tougher-to-crack/guess passwords, particularly for admin and privileged users.
  • OpenID support: Even a strong (hard to guess / crack) password can be compromised by a clever attacker if you consistently log in without SSL (i.e. when you're at that internet cafe). Also, remembering several (hundreds!) of complicated, strong passwords can be daunting and frequently leads to poor password choices. By including OpenID authentication support, Drupal users and administrators no longer have to remember passwords to every site they administer. They can use their OpenID - which in turn can implement stronger authentication methods to limit potential vulnerabilities. Development Seed has a great article on how they use OpenID to avoid sharing passwords for admin accounts.
  • Update module: One of the biggest security challenges is keeping your site up to date. Drupal sites tend to be a combination of Drupal core and several (10 - 50) contributed modules - keeping them all up to date is a complicated task. It's also a crucial security precaution.

The point being: writing secure code is one thing, but there is a much trickier, critical task in educating users and administrators. It's something we're working towards within the Drupal Security Team and within the community in general. We're not done yet, and welcome your feedback and suggestions!

Dear Drupal 6, Be My Valentine?


Happy Valentine's Day everyone! In case you hadn't heard, Drupal 6.0 has finally been released! It's been just over a year since our last major release and, while it feels sort of like an eternity, there is a ton of great stuff in this new release.

I'm really proud to have helped contribute OpenID support (relying party) to this release - the first step in a larger plan to put (keep?) Drupal at the front of the digital identity curve. Those interested in hearing more, check out my OpenID session at DrupalCon.

There's a ton of other great new stuff in 6: Update module (if you haven't used update status in Drupal 5 - you should), revamped i18n support, and Drag 'n' Drop everywhere (Nate, you're a rockstar)!

Drupal, be mine. :-*

Yahoo! unveils OpenID support!


It's official! ReadWriteWeb picked up on it early last week, when OpenID link tags appeared on Flickr profile pages. Rampant speculation ensued, but the wraps are off. "Yahoo! Support Triples Number of OpenID Accounts to 368 million". Full details at .

OpenID 2.0 and Attribute Exchange 1.0


At last! Good news last night from the Internet Identity Workshop in California: OpenID 2.0 is finally final! I agree with Simon that the most interesting new thing in 2.0 is likely directed identity. And, yes, Drupal 6 already supports it.

However, one of the more interesting things (I think) is the final release of Attribute Exchange 1.0. I think attribute exchange (think profile data sharing and updating - and digitally signed assertions) represents the killer next step in online identity. Kudos to everyone involved! Time to get crackin' on some code :)

DrupalCon Barcelona wrap-up



430+ attendees. 5 sessions. 4 days. One hell of a time.

I have to say, I might be addicted. The post-Drupal conference mixture of utter exhaustion (plus jetlag) and renewed energy and excitement is a feeling that I've really grown to look forward to twice a year. This is one great community full of great people. I love you all!

My personal highlights:

  • Having my son, Andrew, along - definitely mitigated some of the usual homesickness and was hopefully an experience he'll cherish as long as I do.
  • My socks! I love 'em - and they made chx jealous :)
  • Seeing Dries, Gabor, Bert, Adrian, and all the other non-North American Drupal folks that I feel like I never get to see enough of
  • Hanging out with the amazing team from Lullabot: you're rockstars, each and every one.
  • A great venue and superb planning - hats off to Robert Garrigos and crew!
  • All the amazing energy behind image/file handling, OOP and other awesome stuff to come in Drupal 7

As promised, I gave 3 presentations... all of which went well (I thought):

In addition to those three, I also took part in a couple of panels: the live podcast was a lot of fun - go check it out!

I was also on the Drupal Association panel. This was interesting - it was clear that as a young organization - we still have a lot to learn and a lot to do. I was sympathetic to the concerns raised, but there has been a lot of discussion amongst association members since the panel and hopefully we'll see some positive changes forthcoming.

phew ok, that's enough for now... although I've left out a bunch. Jetlag calls... g'night planet drupal!

Off to Barcelona


I haven't quite made it to "my bags are packed and I'm ready to go", but I'm only a load of laundry away. Tonight I'm flying off to Spain (for the first time ever!) to take part in the biggest Drupal Conference yet! Boy we've sure come a long way since a handful of us met in a basement in Antwerp just 2.5 years ago...

As usual, I'll be pretty busy. The following sessions should be interesting ;) :

  • OpenID: it's in core... now what? This is going to be sort of a continuation to the talk I gave at the Yahoo OSCMS. I hope to cover a few main things: first, there's still a lot of confusion about what OpenID really is (or more so what it isn't). Hopefully, I can answer some of that. I'll also be outlining where I'd like to take the code moving forward, as well as new technologies in the OpenID community that we - the Drupal community - should keep our eyes on.
  • Image handling in core... for real this time. It wouldn't be a Drupal conference if I didn't, right? I have not spent as much time as I'd like lately with image/media stuff in Drupal - but a lot of really great people have. I'm hoping to gather as many of said people as possible, survey the landscape of "image*" modules and devise (or at least share my thoughts on) a plan for making Drupal better with images out of the box.
  • Drupal and SimpleXML. This will be a brand new talk, but one I'm excited about. The move to php5 brings lots of advantages for developers, but the one I'm most excited about is the option to ditch all of our old expat-based parsing code in Drupal. As someone who enjoys writing a lot of 'web-services' type code, consuming and producing XML documents in a simple and efficient fashion is exciting.

I'll also be sitting on the Drupal Association panel and hope to rock out on the Live podcast (those are always fun). It should be a busy week! :)

I'm super excited to see all the awesome people in the community - especially some of the new fathers. But, I'm *really* excited to be bringing my son Andrew with me. I love getting to travel as part of the Drupal community and am so excited to get to share a new adventure with my favourite guy on the planet.

Back to packing...

Drupal awarded OpenID Bounty!


OK, so I knew it was coming, but I'm super excited to announce that Drupal was amongst the first 3 projects to be awarded the $5000 USD bounty. The award comes for the work I was involved in bringing OpenID support to Drupal 6. Interestingly, Drupal was the only PHP-based application awarded in this initial round, the other two being Plone (written in Python) and DotNetNuke (written in VB.NET).

Before you start asking me for a beer, the money is being sent directly to the Drupal Association. :)

Thank you to the OpenID Foundation, specifically Scott Kveton, for putting together the bounty. And thanks to everyone in the Drupal community for continuing to be on the front-end of new technologies.

Plaxo 3: in sync and OpenID enabled!


As I've lamented here before, I have had a hard time finding a successful, efficient way to keep all of my personal data (largely calendar and contact data) in sync across my systems and devices. Well, I had registered for a service known as Plaxo a while back to check it out. I can't exactly remember why it didn't stick at the time, but when I first saw Scoble talking about a "Big 3.0 release", I thought I'd give it another shot. Here's the good news...

Plaxo is currently successfully keeping my Mac OS X address book (for subsequent syncing to my phone), iCal, Thunderbird and Google Calendar in sync! I have to say, the Thunderbird support is pretty huge... Thunderbird LDAP support has never been what I would like, so this is a great intermediary.

However, the news that pushed me to blog about my Plaxo usage is this: (as of it looks like yesterday) Plaxo is OpenID enabled!! Awesome! Nice addition to Basecamp and Blinksale in services that I actually use heavily that are OpenID enabled.

Thumbs up for Plaxo. Now... if I could just figure out how to get it to sync my address book pictures...

Drupal 6 and OpenID


Well, it's been a couple days and the news has been on the front page of, but I am very excited by the fact that Drupal 6 will officially support OpenID. It's taken a lot of work, so it feels really really nice to have it done. I wanted to post to (hopefully) answer some common questions that I've received and seen about the module:

From an OpenID perspective: the module implements OpenID Auth 2.0 Implementer's Draft 11 (i.e. latest spec at the time of this writing) - which means it should work against *any* OpenID provider currently "in the wild" - including those that only implement version 1.x of the spec. Only relying party support (for now) is in Drupal core.

The implementation is all Drupal native code - no third party libraries were used. This point has been discussed several times and I'm not about to rehash that here. However, the final code footprint for openid.module (including css/js/etc) is ~1100 lines of code - compared to the JanRain PHP library which is over 10 times that size.

There is work towards OpenID provider code for Drupal as well ... I will be posting more here as that code shapes up for Drupal 5. There is also some code on its way to implement some of the OpenID extensions (i.e. Simple Registration and Attribute Exchange).

I'd like to say thanks to Dries, all my colleagues at Bryght and everyone in the community for their support, encouragement and code reviews. I really believe OpenID - and digital identity - is an important part of moving the web forward and it's great to have the support of so much of the Drupal community in that. To quote Dries:

Let this be the day where we help revolutionize the online society, and the way websites and web services interoperate. Or something.


Facebook apps and the importance of Identity 2.0


Those who have seen me speak about OpenID lately have noticed that I have become very fond of using "inspiration" from Dick Hardt's *awesome* Identity 2.0 presentation. One of the key points Dick makes in his talk is to point to Web 2.0 to drive Identity 2.0 forward. With the blogosphere abuzz (all a-twitter?) this week over the launch of the Facebook platform (or "f8"), I think this reality is about to blow up in the spotlight.

This may date Dick's presentation (OSCON 2005), but in it he points to the issue of then social networking golden child Friendster and their feature for adding your Amazon wishlist to your profile. The key point being: you gave Friendster your username and password to Amazon - thus implicitly releasing full access to your Amazon account to Friendster. So, in keeping things current, I have been using Facebook as my example social network - specifically their feature to import contacts from Gmail/Hotmail/etc:


We can all see the problem here, right?

So, enter the Facebook platform and a whole slew of developers and service providers anxious to take advantage of that amazing Facebook user base. So now we get things like this:


To enable Twitter support (as Facebook tells me 12 of my friends have already done), I have to give Facebook my Twitter account details?!

Now, the point of this post isn't to harp on Facebook. It's a great service and I use it and enjoy it. And really, they don't have a choice (do they?) - they want to offer great features and there needs to be some way to link user accounts across these multiple services. This is exactly (one of) the problems that Identity 2.0 aims to solve.

The problem here is that we, the users, don't own our identity on the internet. There are walled gardens and data silos of information about us. Twitter and Facebook both have directory entries - a username and a password - that they use to identify me but there is no correlation that the directory entries match. I can't verify that they do without giving one system full access to the other to verify that the username on each system actually corresponds to the same person. This is where we need user-centric identity. This is "why OpenID".

I'm an evangelist?


I had a great time with my OpenID demo last night at DemoCampToronto13. Thanks to all who attended and for the good feedback I've received so far!

As I was recalling some of the conversations I found myself in last night, though, I realized - at some point I became a tech evangelist. The one conversation that stuck out in my mind was where I was asked "So, is this sort of evangelism what you do for a living?" To which I responded, "Ha! No!" I mean, I'm a developer, right? I write code.. or, at least, isn't that what I'm supposed to be doing?

It certainly hasn't been conscious (although, perhaps I should pretend that it has), but if I look at some of the Drupal presentations I've given, things like DrupalCampToronto and the Toronto user group, plus some of the OpenID talks I've done lately... it might just be true. Heck, I even like doing it!

walkah, tech evangelist : coming to a conference/camp/etc near you.

OpenID at DemoCampToronto13


Tomorrow night I've volunteered to subject myself to the scorn and ridicule of the local TorCamp community by sticking out my neck and doing a demo at DemoCampToronto13. Actually, it was this post by David Crow that inspired me, specifically:

And if I have to sit through a demonstration of a tag cloud or web login form, so help me.

So, naturally, I'll be doing a presentation exclusively about login forms... and I'll probably throw in a tag cloud for laughs. As for the 6 questions, here's what to expect:

  1. Have you attended a previous DemoCamp? Yes. I've blogged about my attendance in at least 7, 11 and 12... I'm pretty sure I was at others as well...
  2. Who are you? Previous experience, what makes you qualified for us to listen to, etc. I'm James. My qualifications: I'm currently the guy working on bringing OpenID support to Drupal core. I've also been involved with "Identity2.0" implementations dating back to SXIP's 1.0 protocol back in 2004 or so. Most recently, I presented OpenID to the attendees of the OSCMS summit in Sunnyvale.
  3. What does your product do? Er, well my "product" is the better way to login (tm).
  4. What hard problem, interesting insight, or cool feature will you be demonstrating? Well, we're gonna look at eliminating the registration form from the internet and solving Identity2.0.
  5. What are you hoping to get out of presenting? Well, aside from the guaranteed love, respect and admiration of my peers - I'd like to raise OpenID awareness amongst local developers and inspire them to OpenID-enable their applications. I'd also like to gauge interest in doing something like an OpenID Mashpit locally.
  6. What does the community gain by hearing you present? Hopefully a better idea (or initial awareness) of what OpenID is all about - what problems it solves (and what it doesn't) - and the inspiration to start using it for themselves and in their applications. That's right, all in 5 minutes.

There you have it. If you haven't yet, sign up and I'll see you there.

myOpenID relaunch


I noticed via Scott Kveton's blog this morning that myOpenID got a bit of a refresh this morning. Along with a (very pleasant) new visual re-design, they've officially launched a feature which, imo, is worth noting. Specifically, myOpenID now supports certificate-based authentication:

Phishing is always on the minds of members of the OpenID community and we’re excited to announce the release of our client-side certificate functionality. Client-side certificates leverage the tried-and-true technology known as transport layer security (also known as TLS). This is essentially the same technology you probably know of as SSL that is used to secure millions of transactions on the web every single day. With the click of a mouse you can configure your own unique certificate right in your web browser (yep, Firefox, IE, Safari and even Opera). This then gives you the ability to authenticate quickly and very securely from your machine without the use of a password.

As I mentioned in my presentation last month, this is an important aspect of OpenID - namely the choice, and option for stronger, more secure methods of authentication and making that choice user-centric.

Kudos to JanRain - keep up the great work!

OSCMS 2007 OpenID Presentation slides


Almost a week ago now (really?), I had a chance to present OpenID to the attendees of the OSCMS Summit 2007. I think it went fairly well based on the feedback I received (at least what folks were willing to say to my face). Those of you who have seen Dick Hardt present will recognize the presentation style - and the inspiration - for which I am grateful. Hopefully, it offered a good introduction to digital identity for the folks who have huge potential to influence adoption of OpenID - namely the authors of open source content management systems.

Slides are attached. Thanks to everyone who attended!