RelMeAuth

From Microformats Wiki
Revision as of 15:43, 27 August 2010 by Tantek (talk | contribs) (→‎open source implementations: add live demo site of PHP RelMeAuth)

RelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth-supporting services to authenticate a user, either via one of those profiles or via their own site.

support RelMeAuth

users

Want to use your own site to login to other sites? Here's all you have to do:

Just use rel="me" on your personal site, and enter your personal site as your URL on other sites.

That's it! No odd new hidden meta tags or invisible XML side-files.

Slightly longer explanation:

1. Add rel="me" links to your other profiles.

Add rel="me" to links from your home page to your various profiles on other services.

2. Edit your other profiles to link back to your site.

Edit your other profiles and set their "home page" or "personal site" or "URL" field to your personal site.

Here's a list of profile sites that have URL fields and support rel-me.

3. There is no step 3. You're done.

examples in the wild

simple home page

Tantek's home page http://tantek.com/ has (simplified markup)

<ul>
<li><a rel="me" href="http://twitter.com/t">Twitter: @t</a></li>
<li><a rel="me" href="http://identi.ca/t">identi.ca: t</a></li>
</ul>

users with separate contact pages

But what if I prefer to have a separate contact or about page with my links to other profiles?

If you prefer to have a separate contact page that links to your other profiles, then

  1. add rel="me" to links from your contact page to those other profiles
  2. add rel="me" to the link from your home page to your contact page

more examples in the wild

separate contact page

Jeremy Keith's home page http://adactio.com/ has (simplified markup)

<ul>
<li><a rel="me" href="/journal/">Journal</a></li>
<li><a rel="me" href="/contact/">Contact</a></li>
</ul>

and then also:

http://adactio.com/journal/ has (simplified markup)

<ul>
<li><a rel="me" href="http://huffduffer.com/adactio/">Huffduffer</a></li>
<li><a rel="me" href="http://twitter.com/adactio/">Twitter</a></li>
<li><a rel="me" href="http://adactio.tumblr.com/">Tumblr</a></li>
<li><a rel="me" href="http://www.last.fm/user/adactio/">Last.fm</a></li>
<li><a rel="me" href="http://www.dopplr.com/traveller/adactio/public">Dopplr</a></li>
<li><a rel="me" href="http://www.vimeo.com/user196031">Vimeo</a></li>
<li><a rel="me" href="http://ffffound.com/home/adactio/found/">Ffffound</a></li>
<li><a rel="me" href="http://readernaut.com/adactio">Readernaut</a></li>
<li><a rel="me" href="http://97bottles.com/people/adactio/">97 Bottles</a></li>
</ul>

authentication preference

If you have a specific preference for what service(s) to authenticate with, just make sure that you list links to your profiles on those other services in preference order (on your home page or contact page as described above).

profile sites

Do you run a site with profiles?

Any social network site or similar site that has user profile pages should:

  1. provide a user interface for a user to enter and publicly publish a URL back to their home page
  2. publish a visible link with rel="me" from user's profile page to their personal home page

Most sites already do this.

authentication sites

Do you run a site with user profiles that you want to let your users use to login to other sites?

In addition to supporting rel-me as described above:

Any site that wants to allow users to login with their credentials from that site on 3rd party sites should:

  1. Support OAuth (2.0 even)
  2. Follow Twitter's conventions for:
    • endpoint paths and other protocol details
    • the user interface for the authentication flow (on both desktop and mobile; they've done a great job)

RelMeAuth providers

Sites that support both rel-me and are also OAuth providers:

sites needing a user login

Do you have a site and want to let users login with their own identity?

Any site that wants to let users login with their own identity should:

  1. provide a user interface for users to enter or choose their preferred online identity (e.g. their own URL)
  2. perform RelMeAuth authentication as described below

how it works

summary algorithm

Summary of the RelMeAuth authentication algorithm

  • input: a user identity (URL) to authenticate
  • output: success or cancel authentication or no authenticatable URLs found
  1. start with a user identity URL (e.g. from the UI, or from a cookie from a previous login, etc.)
  2. iterate through their outbound rel-me links on the user identity URL
    1. if
      1. a rel-me destination is up (HTTP Get succeeded, following any redirects)
      2. and rel-me links back to user identity URL
      3. and has OAuth endpoint
      4. then do OAuth authentication
      5. if authentication succeeded, you're done: the user has been authenticated with the user identity URL, exit
      6. if it was rejected, the user canceled, so cancel the entire authentication process, exit
    2. continue iteration with the next rel-me link if any
  3. no authenticatable URLs found (either there were none at all, or every one provided had some other error: 404, no response, no OAuth endpoint, other OAuth error)

detailed algorithm

  • input: a user identity (URL) to authenticate
  • output: success or cancel authentication or no authenticatable URLs found
  1. start with a user identity URL (e.g. from the UI, or from a cookie from a previous login, etc.)
  2. if the URL is an OAuth provider
  3. then try authenticating with it
    1. if it succeeds, exit
    2. if canceled, exit
    3. otherwise continue
  4. iterate through their outbound rel-me links on the user identity URL (first through direct rel-me links to external sites in order, then iterate through URLs deeper into the personal site in order, e.g. to a contacts page, and iterate through rel-me links from there to external sites in order)
    1. if
      1. a rel-me destination is up (HTTP Get succeeded, following any redirects)
      2. and rel-me links back to the user identity URL
      3. and has OAuth endpoint
      4. then do OAuth authentication
      5. if authentication succeeded, you're done: the user has been authenticated with the user identity URL, exit
      6. if it was rejected, the user canceled, so cancel the entire authentication process, exit
    2. continue iteration with the next rel-me link if any
  5. no authenticatable URLs found (either there were none at all, or every one provided had some other error: 404, no response, no OAuth endpoint, other OAuth error)
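The following is an added worked example of both the summary and the detailed algorithm above; it is not code from this wiki page nor from the Python or PHP libraries listed below. It walks rel="me" links in preference order, skips profiles that are down, that do not link back to the identity URL (the check that stops someone else's profile from vouching for your URL), or that have no OAuth endpoint, and stops on the first success or on a user cancel. The sample pages, the redirect map, the provider whitelist (one of the endpoint-discovery options raised under "issues") and the do_oauth callback are all assumptions standing in for real HTTP and a real OAuth flow.

```python
"""RelMeAuth verifier, added as an example; not the wiki's or any listed library's code.
All pages, redirects and the provider whitelist below are constructed test data."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample web: URL -> HTML body. None (or a missing key) means down / 404.
PAGES = {
    "http://example-home.test/": (
        '<a rel="me" href="http://down.test/alice">Down</a>'
        '<a rel="me" href="http://impostor.test/alice">Impostor</a>'
        '<a rel="me" href="/contact/">Contact</a>'),
    "http://example-home.test/contact/": (
        '<a rel="me" href="http://plain.test/alice">Plain</a>'
        '<a rel="me" href="http://provider-b.test/alice">B</a>'),
    "http://down.test/alice": None,
    "http://impostor.test/alice": '<a rel="me" href="http://someone-else.test/">home</a>',
    "http://plain.test/alice": '<a rel="me" href="http://example-home.test">home</a>',
    "http://provider-b.test/alice": '<a rel="me" href="http://example-home.test/">home</a>',
    "http://other.test/": '<a rel="me" href="http://impostor.test/alice">I</a>',
}
# Constructed stand-in for HTTP 30x redirects (here: a missing trailing slash).
REDIRECTS = {"http://example-home.test": "http://example-home.test/"}
# Assumed OAuth discovery: a whitelist of provider hosts.
OAUTH_PROVIDERS = {"provider-b.test"}


class RelMeParser(HTMLParser):
    """Collects absolute hrefs of <a rel="me"> links in document order."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and "me" in (a.get("rel") or "").lower().split():
            self.links.append(urljoin(self.base_url, a["href"]))


def fetch(url, max_redirects=5):
    """Return (final_url, html) after following redirects, or None if the page is down."""
    for _ in range(max_redirects + 1):
        if url in REDIRECTS:
            url = REDIRECTS[url]
            continue
        html = PAGES.get(url)
        return None if html is None else (url, html)
    return None  # redirect loop: treat as down


def rel_me_links(url):
    """rel-me links at url, resolved against its final URL; None if the page is down."""
    got = fetch(url)
    if got is None:
        return None
    parser = RelMeParser(got[0])
    parser.feed(got[1])
    return parser.links


def norm(url):
    """Loose equality for the back-link check: ignore trailing slash and case."""
    return url.rstrip("/").lower()


def oauth_endpoint(url):
    """Whitelist-based discovery: the provider host if it is known, else None."""
    host = urlparse(url).hostname
    return host if host in OAUTH_PROVIDERS else None


def candidates(identity):
    """Profiles to try in preference order: direct external rel-me links first, then
    external rel-me links found on same-site pages such as a contact page (step 4)."""
    home = urlparse(identity).hostname

    def external(u):
        return urlparse(u).hostname != home

    top = rel_me_links(identity) or []
    ordered = [u for u in top if external(u)]
    for inner in (u for u in top if not external(u) and norm(u) != norm(identity)):
        ordered += [u for u in (rel_me_links(inner) or []) if external(u)]
    return ordered


def relmeauth(identity, do_oauth):
    """Detailed RelMeAuth algorithm. do_oauth(provider_url) performs the OAuth step and
    returns True (authenticated), False (user rejected/cancelled) or None (provider error).
    Returns ("success", url), ("cancel", url) or ("none", None)."""
    got = fetch(identity)
    if got is None:
        return ("none", None)
    identity = got[0]
    if oauth_endpoint(identity):              # steps 2-3: the identity URL is itself a provider
        outcome = do_oauth(identity)
        if outcome is not None:
            return ("success" if outcome else "cancel", identity)
    for url in candidates(identity):          # step 4
        back_links = rel_me_links(url)
        if back_links is None:                # 4.1.1 destination is down
            continue
        if not any(norm(b) == norm(identity) for b in back_links):
            continue                          # 4.1.2 no rel-me back: this profile cannot vouch for the identity
        if not oauth_endpoint(url):           # 4.1.3 no OAuth endpoint
            continue
        outcome = do_oauth(url)               # 4.1.4 do OAuth authentication
        if outcome is not None:               # 4.1.5 success / 4.1.6 user cancelled
            return ("success" if outcome else "cancel", url)
    return ("none", None)                     # step 5: nothing authenticatable


if __name__ == "__main__":
    print(relmeauth("http://example-home.test", lambda provider: True))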

open source implementations

There are a couple of open source libraries that sites can use to implement RelMeAuth so their users can login using their own identities.

Python

PHP

issues

  • How do you find the OAuth endpoint for any given user profile site/service? -Tantek
    • Use OAuth 2.0 discovery mechanism if supported
    • Use a whitelist of provider site to OAuth endpoint
    • Try the Twitter OAuth endpoint paths on other sites to see if they work - assuming that many OAuth providers will simply mimic Twitter's example as suggested.
  • How do you get an appID to use with any given site's OAuth? -Tantek
    • This appears to still be a manual process, per site, and thus a legitimate limitation of RelMeAuth in comparison to say OpenID.
      • Some services are supporting appkey/secret pair anonymous/anonymous for mobile/desktop apps already. Unsure how popular this is Singpolyma 13:51, 23 April 2010 (UTC)
  • OAuth is for authorization, and as such gives the site I'm ident asserting to access to my account on the id service. This is very bad. Suggested solution: use OpenID instead. Singpolyma 13:51, 23 April 2010 (UTC)
    • OAuth actually suggests granularity in access rather than blanket access (OAuth IETF draft, see Sec 4.8):

      When implementing this protocol, servers should consider the types of access resource owners may wish to grant clients, and should provide mechanisms to do so. Servers should also take care to ensure that resource owners understand the access they are granting, as well as any risks that may be involved.

      Thus for RelMeAuth purposes, the RelMeAuth "consumer"/library should ask merely for "authentication" rather than read, write, update, or delete access. One exception is the "share" scenario, where a site lets a user RelMeAuth login via another site (e.g. Twitter), and then provides a UI for the user to share from that site to Twitter - in that case request auth/read/write access granularity makes sense. Tantek 22:46, 26 April 2010 (UTC)
  • After authing with OAuth, how do you know what user it is that auth'd? OAuth specifically does not tell you that information... Singpolyma 13:54, 23 April 2010 (UTC)
    • Twitter provides user information via the OAuth token and their API; it is recommended that other OAuth providers follow this API convention while OAuth is evolved to provide the capability. Tantek 22:46, 26 April 2010 (UTC)

history

On 2010-02-01 Tantek introduced the basis for and Jeff Lindsay suggested the name for RelMeAuth.

In a follow-up Tantek suggested the following simple protocol for RelMeAuth:

RelMeAuth works for any #OAuth + rel-me site, and enables auto-fallback with use of alternate identities for authentication:

  1. user enters their site URL
  2. iterate through their outbound rel-me links
  3. if
    1. a rel-me destination is up, and
    2. rel-me links back to user's site, and
    3. has OAuth endpoint,
    then do OAuth authentication.

Thus user links to their RelMeAuth profiles in preference order, and authentication code tries them in order. e.g. Twitter, Identi.ca, ... etc.

Later that evening Tantek, Jeff Lindsay, Paul Tarjan and others discussed RelMeAuth at the microformats dinner in Mountain View and afterwards Jeff and Paul implemented RelMeAuth in an open source Python library at Hacker Dojo and discussed/tested it in IRC.

http://krijnhoetmer.nl/irc-logs/microformats/20100203

Less than 24 hours from concept to open source implementation.

articles posts comments

related