Right now Google is pimping this weird spec from Meebo called XAuth. This should not be confused with Twitter's xAuth, which is a different beast entirely. Google is currently spinning this as a "Facebook vs. the rest of the web" issue, but I'm not going to get caught up in all of the marketing bullshit. The technology should speak for itself.
It seems that the main goal being publicized for XAuth is to allow one site to declare that the user wants to possibly "share" content on that site so that another content-publishing site can use this information to show only the share buttons that the user wants to see. This is a sensible goal: the proliferation of "Share this!" buttons is becoming pretty annoying.
However, the approach that they've taken is flawed in a number of ways. Here are my top three:
- It's designed around a single point of failure. It relies on xauth.org continuing to host the chunks of JavaScript that the specification requires and it continuing to behave in a trustworthy manner. At this point I don't think I really need to go into any more detail about why a single point of failure is a showstopper for any Internet-wide protocol.
- It requires strong coupling between sites. Given the stated goals, I expected to be able to use this protocol to answer the question "What sites does this user use for sharing?". Instead, it requires the caller (or "retriever", to use their terms) to explicitly name the domains it wishes to test, making the question more like "Does the user use Digg, StumbleUpon or Facebook?". If you're going to have a strong coupling like this then you might as well just go ask the sites you're interested in directly; there is no need for the single point of failure that is fundamental to this protocol.
- It allows sites to self-declare that they are used by the current user. Assuming that this approach ever gained any traction — which I honestly hope it does not — there's nothing to stop any site from saving "user uses this site!" state immediately when the user loads any page from its domain, without any user intervention. For this to be useful at all to an end-user, the end-user must be in control.
So in summary, this protocol is architecturally flawed, doesn't effectively solve the problem it claims to address, and is not resilient to abuse by bad players. I agree that this is a good problem to solve, but this is not the right solution.
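To make the second and third points concrete, here is an added toy model of the two designs being contrasted. It is example code written for this page, not code from the XAuth specification or its xauth.js script; the class and method names (`SharedTokenStore`, `extend`, `retrieve`, `UserSharingProfile`) and the sample domains are assumptions chosen to mirror the flow described above, not the real API.

```javascript
// Added example (not from the post or the XAuth project): a toy model of the
// two designs the post contrasts. All names and sample domains are assumptions.

// --- Model 1: XAuth-style shared store ------------------------------------
// Any origin can write a "user uses me" record at any time (no user action
// required), and a retriever can only ask about origins it already names.
class SharedTokenStore {
  constructor() {
    this.records = new Map(); // origin -> { token, expiresAt }
  }

  // "extend": the declaring site writes its own record. Nothing here ties the
  // write to a user decision; a page load is enough to create it.
  extend(origin, token, expiresAt) {
    this.records.set(origin, { token, expiresAt });
  }

  // "retrieve": the caller must enumerate the origins it wants to test, so it
  // can never learn about a service it did not already know to ask about.
  retrieve(originsToTest, now) {
    const found = {};
    for (const origin of originsToTest) {
      const rec = this.records.get(origin);
      if (rec && rec.expiresAt > now) found[origin] = rec.token;
    }
    return found;
  }
}

// --- Model 2: user-declared sharing services -------------------------------
// The user holds the list and can opt out of being discoverable at all; a site
// asks "which services does this user want?" and gets an answer that no
// third-party site could have written on the user's behalf.
class UserSharingProfile {
  constructor() {
    this.services = new Set();
    this.discoverable = true;
  }
  // Only an explicit, confirmed user action changes the list.
  addService(origin, userConfirmed) {
    if (!userConfirmed) return false;
    this.services.add(origin);
    return true;
  }
  setDiscoverable(flag) { this.discoverable = flag; }
  sharingServices() {
    return this.discoverable ? [...this.services].sort() : [];
  }
}

// Constructed scenario exercising both models.
function demo() {
  const now = 1000;
  const store = new SharedTokenStore();
  // Two sites self-declare on page load; one record has already expired.
  store.extend('shareme.example', 'tok-a', now + 3600);
  store.extend('stale.example', 'tok-b', now - 1);
  // A retriever that only knows two origins never hears about any third one.
  const asked = store.retrieve(['shareme.example', 'unasked.example'], now);

  const profile = new UserSharingProfile();
  profile.addService('shareme.example', false);      // page load, no confirmation: rejected
  profile.addService('mypreferred.example', true);   // explicit user choice: accepted
  profile.setDiscoverable(false);
  const hidden = profile.sharingServices();          // opted out: nothing is revealed
  profile.setDiscoverable(true);
  return { asked, hidden, visible: profile.sharingServices() };
}
```

The first model shows why the coupling is baked in: `retrieve` can only confirm or deny names the caller supplies, and `extend` has no notion of consent. The second model puts the user's own list behind an explicit confirmation and an opt-out switch, which is the control the post argues is missing.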
I'm optimistic that XAuth will get folks thinking about this problem space and get us closer to the right answer, but we're not there yet.
Well-said -- not sure how the blogosphere seems to have overlooked all of these issues today in the flurry of coverage. FWIW, I still think that using webfinger is a practically achievable way to let a user indicate which services they think would be the best options for sharing tools/actions, without a new middleman, which can be augmented with delegated auth, and is simple to implement.
Posted by: Will | 04/19/2010 at 11:04 AM
I'm also very disappointed to see no option to completely opt-out of being discoverable by services as part of the spec. No site has a right to know whether I use another site. Period.
Posted by: OAuth Lover Fat | 04/19/2010 at 01:30 PM
So you can't use XAuth for non-browser based services? If it's not a show-stopper, it's certainly an anchor/parachute.
Posted by: Pid | 04/19/2010 at 01:35 PM
OAuth lover: You can easily disable xauth at http://xauth.org/
Posted by: Marcus Westin | 04/19/2010 at 03:14 PM
I too saw this and immediately wondered why this couldn't be done with a more explicit expression of identity plus webfinger. Who will provide oversight to this organization? It seems creepy that I should have to go somewhere to opt out of being tracked like a social flash-cookie. Also, having a single point of failure seems like a step backwards in terms of efforts to build an open and distributed social web.
Posted by: max engel | 04/19/2010 at 05:32 PM
Martin: you nailed my issues with XAuth exactly. See http://evan.status.net/notice/19474 for my micro-take. I'm happy to see
But I see the limited value to this system -- reducing the number of "login with..." stickers is a laudable UI improvement. If the name of the protocol was AreYouLoggedInto, it'd make a lot more sense.
Incremental integrative steps are a good idea. Important not to overstate their value and burn people out too soon.
Posted by: evanp | 04/19/2010 at 08:02 PM
1. SPOF is not a key feature of the protocol, just an artifact of the current implementation. Walk then fly.
2. Query by reltype is the next obvious addition and is being worked on.
3. Got any suggestions? Bad actors are readily identifiable...
Posted by: John Panzer | 04/24/2010 at 10:14 PM