This post originated from an RSS feed registered with Ruby Buzz
by David Heinemeier Hansson.
Original Post: OpenID makes web identities real and appealing
Feed Title: Loud Thinking
Feed URL: http://feeds.feedburner.com/LoudThinking
Feed Description: All about the full-stack, web-framework Rails for Ruby and on putting it to good effect with Basecamp
I've loved the idea of OpenID ever since I sat down with the boys from Verisign and East Media to hear them talk about PiP and the Rails integration, but I never really got around to playing with it. "How big of a deal is having multiple logins really?", went the thinking. For a lot of people the answer is still "not a lot". But I'm starting to see the light.
Over a few hours today, I read up on and implemented OpenID logins for Highrise. That opened my eyes. Both to how easy it is to get working as an alternate login solution and, more importantly, how decent the flow actually is.
Yes, there's redirection to another site involved, but once you've saved the login for a certain site in your OpenID and you're logged into your provider, you don't even see the redirection. At first that might seem a little scary. Logging into a site without even entering a password? But then again, that's pretty much how I authenticate with my application servers around the world through SSHKeychain and on all sites that gives you Remember me?
There are certainly still concerns to be addressed. Chief among which is probably the phishing issue. But smart men are hard at work and I'm sure we'll be able to come up with something clever. I don't think this or any of the other current uncertainties are reason enough to hold back.
What we need is adoption. Luckily, OpenID seems to have already gotten the attention of plenty of enterprising startups and big behemoths. Most prominent in the latter category is AOL, which with a swing of its wand granted everyone with an AIM account an OpenID. It's as simple as http://openid.aol.com/<screenname>. The simplicity of that solution was part of what got me started today. There's a lot of power in not even having to signup for anything new. At least for getting off the ground.
Making it as easy as not to
So we got millions of people with an OpenID by virtue of their AIM account. Great. Now they just need a place or two to actually use it. That's where the technology comes in. The toolkits. The "making it as easy as not to". While there's already a fair number of generators out there for Rails on the subject, I'm generally not a big fan of generators as anything but learning tools or for setting up conventions. I'd much rather try to find a clever API that's so simple there's no need for boiler plating.
A very first stab at that with Rails that I came up with today is as follows (which I'll wrap up as a plugin shortly):
class SessionController < ApplicationController
include OpenIdAuthentication
def create
if open_id?(params[:name])
open_id_authentication(params[:name])
else
password_authentication(params[:name], params[:password])
end
end
private
def password_authentication(name, password)
if @current_user =
@account.users.find_by_name_and_password(name, password)
successful_authentication
else
failed_authentication "Sorry, that username/password doesn't work"
end
end
def open_id_authentication(identity_url)
authenticate_with_open_id(identity_url) do |status, identity_url|
case status
when :missing
failed_authentication "Sorry, the OpenID server couldn't be found"
when :canceled
failed_authentication "OpenID verification was canceled"
when :failed
failed_authentication "Sorry, the OpenID verification failed"
when :successful
if @current_user =
@account.users.find_by_identity_url(identity_url)
successful_authentication
else
failed_authentication "Sorry, no user by that identity URL exists"
end
end
end
end
end
The only extra pieces you need is to implement successful_authentication, which creates the session and redirects into the application, and failed_authentication, which redirects back to the login screen with an error flash message. params[:name] doubles as both a regular user name and as an OpenID. I distinguish between the two by whether it looks like a URL or not (starts with http). The underlying mechanics are delegated to the ruby-openid library.
It's most certainly still half-baked. It only works for the authentication part, not for the create the initial account and get additional attributes part. But it's a start and I'm excited.
I truly believe that OpenID stands a great shot at becoming real and useful even to people who would start yawning at the mere mention of the word "authentication". It won't happen overnight and it certainly won't happen unless we all dig in and make it happen. What's here today is more than good enough to get started. So less excuses, more implementions.
Previous Topic
