Developer Preview: Identity In The Browser (IDIB)
Over the past few years we’ve seen the adoption of OpenID continue to increase but the work that we’ve done as a community to develop this technology has only just begun. Looking at the landscape of OpenID adoption, its clear that there are several key factors inhibiting adoption, but two that we want to focus on today, namely usability and security in the browser.
It was almost two years ago when the Firefox 3.0 roadmap was announced and OpenID was mentioned as a new component to the platform. The Mozilla Firefox team looked to members of the OpenID community to step up and provide guidance on what exactly we imagined identity in the browser looking like, but we failed to mobilize and answer their call.
In light of that missed opportunity, Vidoop Labs has been working hard over the last several weeks to produce a prototype that we intend to use to initiate a wider discussion about OpenID in the browser and what it might look like.
So today we’re excited to offer a preliminary look at the Developer Preview release of our identity in the browser Firefox extension called IDIB. We’re releasing this as open source and looking forward to beginning an ongoing dialogue to determine what this functionality should look like and how it should behave. And above all, how it can begin to make OpenID more user-friendly and account-driven activities on the web more secure.
The extension does two things today:
- we help to reduce or eliminate browser-based redirects typically involved in authenticating against identity providers
- we add security to reduce the potential for phishing/man-in-the-middle attacks
We’re hoping this two-pronged approach will help mitigate at least a few of the issues around usability and security that we’ve seen act as barriers to OpenID adoption.
Now, the extension doesn’t do everything we want it to. As a matter of fact, it’s merely a starting point. Because of the way it works, it requires relying parties to adjust their support for OpenID and as such, as of today, it currently works on the Vidoop Blog (the changes required are documented here; depending on adoption and interest, these changes may or may not end up as official extensions to the OpenID protocol itself). As such we strongly discourage using this extension for regular web browsing. It is intended as a developer prototype for testing purposes only — and to get a productive conversation started with real code!
We’ve got more about our thoughts on identity in the browser means here and a mailing list and code project to carry the conversation forward.