Right now Google is pimping this weird spec from Meebo called XAuth. This should not be confused with Twitter's xAuth, which is a different beast entirely. Google is currently spinning this as a "Facebook vs. the rest of the web" issue, but I'm not going to get caught up in all of the marketing bullshit. The technology should speak for itself.
The main goal being publicized for XAuth seems to be letting a site declare that the user may want to "share" content through it, so that a content-publishing site can use this information to show only the share buttons the user actually uses. This is a sensible goal: the proliferation of "Share this!" buttons is becoming pretty annoying.
However, the approach they've taken is flawed in a number of ways. Here are the biggest:
- It requires strong coupling between sites. Given the stated goals, I expected to be able to use this protocol to answer the question "What sites does this user use for sharing?". Instead, it requires the caller (or "retriever", to use their term) to explicitly name the domains it wishes to test, making the question more like "Does the user use Digg, StumbleUpon or Facebook?". If you're going to have a strong coupling like this then you might as well just go ask the sites you're interested in directly; there is no need for the single point of failure (a central domain that every participating site has to load and trust) that is fundamental to this protocol.
- It allows sites to self-declare that they are used by the current user. Assuming that this approach ever gained any traction — which I honestly hope it does not — there's nothing to stop any site from recording "user uses this site!" the moment the user loads any page from its domain, without any user intervention. For this to be useful at all to an end-user, the end-user must be in control.
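To make both objections concrete, here is an added example (not XAuth's own code, and not from the author of this post): a minimal in-memory model of an XAuth-style broker in which one central origin holds "this user uses site X" records. The `extend`/`retrieve` names, the origins and the TTLs are assumptions chosen for illustration. The first two functions show the two flaws above; the consent-gated variant at the end is an assumed design, not part of XAuth, showing what "the end-user must be in control" would mean in code.

```javascript
// Added example: a simplified model of an XAuth-style broker. Not XAuth's code.
// All origins, tokens and TTLs below are constructed for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

class Broker {
  constructor() {
    // origin -> { token, expire }. Every site depends on this one store,
    // which is the single point of failure the post objects to.
    this.records = new Map();
  }

  // An "extender" page writes a record for its own origin. Nothing here
  // requires that the user did anything: a site can call this on every load.
  extend(callerOrigin, token, ttlMs, now = Date.now()) {
    this.records.set(callerOrigin, { token, expire: now + ttlMs });
  }

  // A "retriever" must name the origins it wants to test. The broker answers
  // only those, so "which sites does this user share with?" cannot be asked.
  retrieve(wanted, now = Date.now()) {
    const found = {};
    for (const origin of wanted) {
      const rec = this.records.get(origin);
      if (rec && rec.expire > now) found[origin] = rec.token;
    }
    return found;
  }
}

// Flaw 1: strong coupling. The retriever learns only about sites it already
// knew to ask about; a site it did not hard-code stays invisible.
function couplingDemo(now = 0) {
  const broker = new Broker();
  broker.extend("https://sharing.example", "tok-1", 30 * DAY_MS, now); // user really uses this
  broker.extend("https://digg.com", "tok-2", 30 * DAY_MS, now);
  const seen = broker.retrieve(["https://digg.com", "https://facebook.com"], now);
  return Object.keys(seen); // sharing.example is missing: nobody asked about it
}

// Flaw 2: self-declaration. A site the user merely visited once declares
// itself "used" from its page-load handler, with no user action at all.
function selfDeclareDemo(now = 0) {
  const broker = new Broker();
  const onPageLoad = () =>
    broker.extend("https://spammy.example", "tok-3", 365 * DAY_MS, now);
  onPageLoad();
  return broker.retrieve(["https://spammy.example"], now);
}

// Assumed alternative (not XAuth): the broker records a site only when the
// user explicitly opted in, modelled here as a flag set by a user gesture.
class ConsentingBroker extends Broker {
  extend(callerOrigin, token, ttlMs, now = Date.now(), userOptedIn = false) {
    if (!userOptedIn) return false; // silent self-declaration is refused
    super.extend(callerOrigin, token, ttlMs, now);
    return true;
  }
}

function consentDemo(now = 0) {
  const broker = new ConsentingBroker();
  const silent = broker.extend("https://spammy.example", "tok-3", 365 * DAY_MS, now);
  const explicit = broker.extend("https://sharing.example", "tok-1", 30 * DAY_MS, now, true);
  const visible = Object.keys(
    broker.retrieve(["https://spammy.example", "https://sharing.example"], now)
  );
  return { silent, explicit, visible };
}

module.exports = { Broker, ConsentingBroker, couplingDemo, selfDeclareDemo, consentDemo, DAY_MS };
```

Run under Node with `node broker.js` (or require it) and call the three demo functions: `couplingDemo()` returns only `digg.com`, `selfDeclareDemo()` reports `spammy.example` as "used" although the user never chose it, and `consentDemo()` shows the opt-in gate dropping the silent record while keeping the one the user approved. Expired records are ignored on `retrieve`, which is the one piece of end-user protection the basic model does have.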
So in summary, this protocol is architecturally flawed, doesn't effectively solve the problem it claims to address, and is not resilient to abuse by bad players. I agree that this is a good problem to solve, but this is not the right solution.
I'm optimistic that XAuth will get folks thinking about this problem space and get us closer to the right answer, but we're not there yet.