Facebook Adopts Open Standard for User Logins


SAN FRANCISCO — As we predicted, Facebook is switching to an open standard to handle user authentication across its entire platform of connected websites and applications.

Facebook is ditching its proprietary Facebook Connect system, which lets people use their Facebook username and password to log in to other sites around the web. In its place, the company will implement OAuth 2.0, an open source (and soon to be IETF standard) protocol for user authentication.

Viewed alongside the barrage of other major announcements unleashed by Facebook at its F8 developer conference here on Wednesday, the move may seem like a minor data point. But it is one with the potential to make a broad and deeply significant impact on the social web.

Right now, users expect three choices for logging in to a site with an existing ID: Facebook Connect, Twitter or OpenID. That forces publishers to implement three separate systems — one for OpenID, one for Twitter, which uses OAuth, and one for Facebook, which uses Facebook Connect. But once OAuth 2.0 is up to speed and more sites move over to it, things get simpler for site owners.

Where there used to be three options — Facebook Connect, OAuth and OpenID — there will now only be two. And the two that are left are both open source.

There are still details involving token management, auto-registration and other bits of complex backend plumbing to be sorted out, and Wednesday’s events don’t change that.

But the move towards OAuth is a step towards interoperability the social web sorely needs. Most importantly, it will be easier to build pathways connecting OAuth and OpenID, since both are fully transparent, open standards and the proprietary Facebook Connect system has been removed from the equation. The switch paves the way for further integrations between existing technologies.

During a panel discussion about OAuth on Wednesday afternoon, Facebook engineer Luke Shepard said that by adopting OAuth, he hopes Facebook will “help drive it to become such a core part of the web, all the tools will end up supporting it.”

Twitter also recently began supporting OAuth 2.0 with last week’s launch of @anywhere, its suite of social-interaction tools.

But what about OpenID? It was one of the key technologies responsible for pushing the idea of single sign-on forward, so why isn’t Facebook supporting it yet?

“Developers aren’t asking for OpenID,” Shepard said when the question was posed to the panel. “They’re explicitly asking for us to make logins simpler and easier, not for us to implement OpenID. So now we’re doing that by implementing OAuth 2.0, because it’s simple and easy. Adding OpenID on top of it would just add a layer of complexity nobody is asking for.”

OpenID is indeed very complex, and because of that, it suffers from usability problems that have kept it from being widely adopted.

“It’s very easy to do user authentication over OAuth 2.0,” Shepard said.

Panel moderator David Recordon, who develops open technologies at Facebook, asked the audience of about 60 or 70 people: “How many of you here want Facebook and Twitter to adopt OpenID?”

Five people raised their hands (I was one of them).

Another panelist, Raffi Krikorian from Twitter, quipped, “That answers your question right there.”

Krikorian did offer a ray of hope for OpenID, though, noting that browser makers may provide the missing links that solve OpenID’s complexity problem.

“Since the browser exists in between the web service and the user, it makes perfect sense for the browser to handle those identity-management tasks,” he said. “I think that would be a huge step forward for the web.”

Another panelist, Yahoo’s Allen Tom, a long-time OpenID advocate, agreed that browser makers could definitely help fix OpenID’s UI problems.

“If browsers can eliminate the confusion in the whole authorization flow around OpenID, that would be ideal.”
