Facebook’s transparent use of OpenID

There was a bit of excitement last month when Facebook became an OpenID relaying party. Many of the big names such as Yahoo!, Google, MySpace, etc. have long been providers of OpenIDs to their users, but Facebook is now accepting third-party OpenIDs as a way to login to their site. What’s even more unusual and why I’m writing this post is that it wasn’t until a couple of days ago that I noticed how they’d implemented OpenID:

Existing and new users can now link their Facebook accounts with their Gmail accounts or with accounts from those OpenID providers that support automatic login. Once a user links his or her account with a Gmail address or an OpenID URL, logs in to that account, then goes to Facebook, that user will already be logged in to Facebook.

I don’t think this brief explanation on the Facebook developer blog does justice to how this works in practice. What it means is that if you link your Facebook account to your OpenID, you will automatically be logged in to Facebook if you are logged into your OpenID provider and visit http://facebook.com On any other OpenID enabled site, you click a button or type your OpenID into a login box and are then logged in to the site you’re visiting.

With Facebook, they’ve done away with the need to enter your OpenID credentials altogether. If you’re logged in to your OpenID provider, pause for three seconds on http://facebook.com and you’ll be automatically logged in. If you log out of Facebook and then visit http://facebook.com, you’ll be automatically logged in again. It doesn’t seem to work if you visit any other Facebook URL.

So, for example, if you link your Google account to your Facebook account and, like many of us, are logged in to Google throughout the day using GMail, Google Reader, Google Docs, Google Calendar, or whatever, you never have to think about logging in to Facebook. It’s the closest to a transparent single-sign-on across consumer/social sites that I can think of.

I exchanged a few comments about this with Paul Walk on Twitter, who is less impressed by this than I am. What if you want to log out of Facebook? Really log out? You’d need to log out of your OpenID provider. What if you want to stay logged in to your OpenID provider but log out of Facebook? Why would you want to do that? For most users, I can’t think of a reason. Occasionally I want to log out of a site and ensure I’m completely logged out because I’m testing something. When that happens, I open a different browser, clear cookies and/or use the private browsing mode in Safari or Chrome. The benefits to Facebook’s approach seem to outweigh the occasions when I’d want to do this.

Other than habit, can you think of a reason why you’d want to log out of Facebook but remain logged into your OpenID provider?

Surely what’s important here is whether you are logged in to the world-wide-web or logged out of the world-wide-web. It would be more secure, surely, to know if you were logged in or logged out rather than whether you were logged in to some sites and logged out of others. If I lock my front door, I know that every room in my house has been secured. I don’t need to lock every room in the house, too. When I unlock my front door, I have the freedom to move around my house. And so do guests. This is where single-sign-on becomes potentially dangerous, because it opens up multiple services that have been otherwise protected by multiple authentication credentials. If someone else uses your browser, they have access to all your accounts. That could be useful when you and your partner share accounts on some websites, but dangerous if you leave your PC unattended or have your laptop stolen from a public library.

However, I imagine that most people on the web are using one or two weak passwords across the web services they use because they can’t remember multiple login details. Surely one good password to protect multiple accounts which is used to log in and out of multiple services is better than one or two weak passwords that are used everywhere? If I have one ‘key’ that works everywhere, I’m more likely to get into the habit of using it than I am if I have to remember to log out of multiple sites.

I know of three important blog posts about Facebook’s use of OpenID, two from Luke Shepard, the principle developer of OpenID on Facebook and another from Simon Willison. A month before Facebook implemented their ‘linked accounts’ feature, Luke Shepard was discussing some ideas about OpenID login on his blog. Now that OpenID login to Facebook has been implemented, he’s been discussing the logout process. Following on from these two posts, Simon Willison provides a key overview to the current implementation in light of the new Facebook username feature:

At any rate, their consumer implementation is fascinating. It’s live right now, even though there’s no OpenID login box anywhere to be seen on the site. Instead, Facebook take advantage of the little known checkid_immediate mode. Once you’ve associated your OpenID with your Facebook account (using the “Linked Accounts” section of the settings pane) Facebook sets a cookie remembering your OpenID provider, which persists even after you log out of Facebook. When you later visit the Facebook homepage, a checkid_immediate request is silently sent to your provider, logging you in automatically if you are already authenticated there.

It’s brilliant (well, I think so), to see how a seemingly minor part of the OpenID specification, can be turned into a significant improvement (well, I think so), to the user experience and signals the way for a transparent single-sign-on experience across the web, using an OpenID provider of your choice. I look forward to the day when I login to my OpenID provider (actually, my browser does that automatically when I start it up), and from then on, I’m transparently logged in to the sites I use across the web, until I log out of my OpenID provider. One day, I’ll log in to my browser and be logged in to all the web services I use. One day, I’ll log out of my browser and be logged out of all the web services I use.

The user is in control

Just a quick nod to Andy Powell’s post yesterday about Identity in a Web 2.0 World. As I’ve said before, I’m trying to catch up with the issues Andy discusses and develop them into a blueprint for the Mozilla/Creative Commons/P2P University Open Education course, I am participating in.

Andy writes:

…identity in a Web 2.0 world is not institution-centric, as manifest in the current UK Federation, nor is it based on the currently deployed education-specific identity and access management technologies.  Identity in a Web 2.0 world is user-centric – that means the user is in control…. The important point is that learners (and staff) will come into institutions with an existing identity, they will increasingly expect to use that identity while they are there (particularly in their use of services ‘outside’ the institution) and that they will continue using it after they have left.  As a community, we therefore have to understand what impact that has on our provision of services and the way we support learning and research.

I am therefore reassured that my blueprint outline is not completely off the wall:

University students are at least 18 years old and have spent many years unconsciously accumulating or deliberately developing a digital identity. When people enter university they are expected to accept a new digital identity, one which may rarely acknowledge and easily exploit their preceding experience and productivity. Students are given a new email address, a university ID, expected to submit course work using new, institutionally unique tools and develop a portfolio of work over three to four years which is set apart from their existing portfolio of work and often difficult to fully exploit after graduation. I think this will be increasingly questioned and resisted by individuals paying to study at university.

My proposal is to show there are existing technical solutions which would allow an individual to register as a student at a university, provide the institution with their Facebook, Google, Yahoo!, OpenID, etc. identification and from then on, the student uses their existing ID to authenticate against any university online resource. There’s an example of how this might happen in the JISC Review of OpenID, which describes one of the project aims as the development of

bridging software that will allow OpenIDs from any source to be used as identities within the production UK (SAML) federation.

The University of Kent host a demonstrator of this OpenID-to-Shibboleth bridge.

The other aspect of my blueprint is institutional support of a Personal Learning Environment (PLE). I am suggesting that the WordPress Multi User platform is one technology that could support the characteristics of a PLE, being:1

  • Focus on coordinating connections between the user and services
  • Symmetric relationships
  • Individualized context
  • Open Internet standards and lightweight proprietary APIs
  • Open content and remix culture
  • Personal and global scope

The PLE implementation which I have in mind is not, like the VLE, a monolithic system but rather a platform which aggregates and co-ordinates external user-centric services into a coherent learning environment. It is a parasitic system, feeding off content from existing online services such as blogs, social bookmarking, wikis and social networks, but also a rewarding environment which supports and develops the student’s existing portfolio2 throughout their period of study.

I’ve shown how WordPress can aggregate and archive course activity, how it can enhance the discovery and connectivity of an individual’s and institution’s online profile through the addition of semantic-web-enabling plugins, how it can syndicate filtered content to other internal and external systems (through the use of feed2js, it can also syndicate content to legacy systems like Blackboard, which don’t support embedded web feeds). I’ve also shown that it can support a lightweight social network that integrates with an institution’s LDAP/Active Directory authentication system, and that social network can be OpenID enabled, allowing users to optionally link their OpenID to their WordPress/LDAP account and login via OpenID instead.3

Finally, the institutional and wider benefits to the public can be found when the cumulative data of the platform is itself aggregated into a structured site that enables discovery and re-use of content. An example of this is our Community Posts site, and I have also previously discussed the potential development and exploitation of this resource. Designed and licensed carefully, such a site could provide open educational resources at both user and programmatic levels.

So what empowers the user/student and puts them in control? Data-Portability and Creative Commons licensing?4.

  1. Taken from, Personal Learning Environments: Challenging the dominant design of educational systems. Scott Wilson, Prof. Oleg Liber, Mark Johnson, Phil Beauvoir, Paul Sharples & Colin Milligan, University of Bolton. 2006 []
  2. In many ways, I am thinking of ‘Identity’ and ‘Portfolio’ as being largely synonymous during the student’s period of study. []
  3. I’ve tested this with DiSo’s OpenID plugin, which works in principle, but I suspect that once set up, the OpenID login for the specified account, completely bypasses the LDAP authentication. Surely just a small amount of development would provide tighter integration. Incidentally, a Shibboleth plugin (by the same author of the OpenID plugin) for WordPress also exists. []
  4. Actually, I’m starting to think that CC licensing is little more than an interim step to a better understanding of ‘data’. See ‘You don’t nor need to own your data‘ When knowledge is transmitted online, every aspect of its representation is in a form of data. Both information and instruction become ‘data’ – isn’t it backwards to think of knowledge in terms of something ‘owned’ Do you think of instructional methods as ‘yours’? []

My revised ALT-C proposal

I’ve just re-submitted this proposal for a demonstration at ALT-C 2009. It’s called WordPress Multi-User: BuddyPress and Beyond. It won’t be confirmed until June, but for the record, here it is…

‘BuddyPress’ is a new social networking layer for WordPress Multi-User blogs. It provides familiar, easy to use social networking features in addition to a high-quality and popular blogging platform. The University of Lincoln have been trialing WordPress MU since May 2008 and have been using BuddyPress since February 2009 to promote an institutional social networking community built around personalised and collaborative web publishing.

This session will demonstrate the versatility of the WordPress MU platform. We’ll look at an installation that is enhanced with BuddyPress, LDAP authentication, mobile phone support and advanced privacy controls. You’ll see how simple it is to set up site-wide RSS syndication and aggregation, enhance your blog with semantic web tools, publish mathematical formulae with LaTeX, send realtime notifications to Facebook, Twitter and IM, publish podcasts to iTunes, and embed GPX and KML mapping files. We’ll also look at how to embed WordPress content in your VLE and other institutional websites. The use of a temporary ‘ALT-C 2009 BuddyPress’ installation will be encouraged.

There will be opportunities throughout for questions and answers and participants will leave with a good understanding of the advantages and disadvantages of WordPress and the resources and skills required to provide a social networking and blogging platform in your institution.

Open Education Project Blueprint

Each participant on the Mozilla Open Education Course, has been asked to develop a project blueprint. Here is the start of mine. It’s basically a ‘Personal Learning Environment’ (PLE)1and I’m going to try to show how WordPress MU is a good technology platform for an institution to easily and effectively support a PLE. I’m going to place an emphasis on ‘identity’ because it’s something I want to learn more about.

Short description

University students are at least 18 years old and have spent many years unconsciously accumulating or deliberately developing a digital identity. When people enter university they are expected to accept a new digital identity, one which may rarely acknowledge and easily exploit their preceding experience and productivity. Students are given a new email address, a university ID, expected to submit course work using new, institutionally unique tools and develop a portfolio of work over three to four years which is set apart from their existing portfolio of work and often difficult to fully exploit after graduation.

I think this will be increasingly questioned and resisted by individuals paying to study at university. Both students and staff will suffer this disconnect caused by institutions not employing available online technologies and standards rapidly enough. There is a legacy of universities expecting and being expected to provide online tools to staff and students. This was useful and necessary several years ago, but it’s now quite possible for individuals in the UK to study, learn and work apart from any institutional technology provision. For example, Google provides many of these tools and will have a longer relationship with the individual than the university is likely to.

Many students and staff are relinquishing institutional technology ties and an indicator of this is the massive % of students who do not use their university email address (96% in one case study). In the UK, universities are keen to accept mature, work-based and part-time students. For these students, university is just a single part of their lives and should not require the development of a digital identity that mainly serves the institution, rather than the individual.

How would it work?

Students identify themselves with their OpenID, which authenticates against a Shibboleth Service Provider.2 They create, publish and syndicate their course work, privately or publicly using the web services of their choice. Students don’t turn in work for assessment, but rather publish their work for assessment under a CC license of their choice.

It’s basically a PLE project blueprint with an emphasis on identity and data-portability. I’m pretty sure I’m not going to get a fully working model to demonstrate by the end of the course, but I will try to show how existing technologies could be stitched together to achieve what I’m aiming for. Of course, the technologies are not really the issue here, the challenge is showing how this might work in an institutional context.

I think it will be possible to show how it’s technically possible using a single platform such as WordPress which has Facebook Connnect, OAuth, OpenID, Shibboleth and RPX plugins. WordPress is also microformat friendly and profile information can be easily exported in the hCard format. hResume would be ideal for developing an academic profile. The Diso project are leading the way in this area.

Similar projects:

UMW Blogs?

Open Technology:

OpenID, OAuth, RPX, Shibboleth, RSS, Atom, Microformats, XMPP, OPML, AtomPub, XML-RPC + WordPress

Open Content / Licensing:

I’ll look at how Creative Commons licensing may be compatible with our staff and student IP policies.

Open Pedagogy

No idea. This is a new area for me. I’m hoping that the Mozilla/CC Open Education course can point me in the right direction for this. Maybe you have some suggestions, too?

  1. See Personal Learning Environments: Challenging the dominant design of educational systems []
  2. See the JISC Review of OpenID. []

OAuth, OpenID, XMPP with WordPress

Automattic, the company behind WordPress, released an update to Prologue, their theme for group discussion, today. I read about this, minutes after reading about the new OAuth features in WordPress 2.8 and an hour or so after reading about a new Facebook Connect plugin for BuddyPress, the social networking layer for WordPress. All this stimulation proved a bit too much for me, so this post is an attempt to plot what’s happening here and what might be possible in just a few months from now…

So, I have the BuddyPress Facebook Connect plugin working on a my test installation…

BuddyPress Facebook Connect

Nothing fancy going on there. Basically, new users to the site can register using their Facebook credentials. The plugin doesn’t do anything for existing users on the site. They just login with their local account as usual. For a first release, the plugin is a good proof of concept and with a bit more integration work will make it easy for Facebook users to join BuddyPress sites.

The new Prologue theme, P2, is impressive, too…

P2 on wordpress.com

It takes advantage of the new threaded comments feature in WordPress 2.7+ , has ‘realtime’ notifications (unless I’ve missed something, the use of the term ‘realtime’ is a stretch – see below) and has some nice keyboard shortcuts…

Keyboard shortcuts

One thing that’s lacking is a Twitter-like realtime notification that a new post has been made and you should refresh your bowser. Twitter doesn’t use it for the user home page, but they do on their search page and I like it.

Twitter notifications

Moving on, OAuth functionality for WordPress is still in development but the latest code from the SVN trunks of both the DiSo plugin and WordPress does appear to work…

OAuth options

Be warned that it does not run on a server where PHP runs as a CGI. I tried to run it first on Dreamhost, but it gave an error showing that getallheaders() is an undefined function.

I need to spend more time with the OAuth plugin to see how it will actually work in practice. One of the first use-cases for it is to allow client applications like the iPhone app, to be able to post remotely without sending a password using XML-RPC. If anyone has any ideas and wants to test it with me, please leave a comment. As I understand from the announcement, it’s working but it’s still early days… For more information, see Will Norris’ presentation from last August.

Finally, there’s mnw, a new plugin for WordPress that provides support for the OpenMicroBlogging specification. With this, users from other sites using the specification, such as identi.ca and other Laconica-based services, can subscribe to your blog/omb site and receive updates whenever you publish a new post or page. So this…

WP OMB…ends up here…

WP posts on identica

mnw is still a bit rough around the edges but it was only released as V0.1 a month ago, so that’s to be expected. Note that mnw only seems to work on single WP installations (WPMU produces a familiar error message which I think is wp_nonce related) and does not work on WP 2.8 trunk. Also, identi.ca complained of my avatar image being the wrong size. In the example above, I’d removed my avatar from the mnw settings, but I’ve since found that a .png of 96px seems to work OK.

What does it mean for me and you?

So, what does all this mean? In terms of wordpress.com, we might speculate that before too long, they will add the BuddyPress layer to their 4.5m blogs to create a sizeable social network. The P2 theme shows posts in realtime, they’re already offering an XMPP firehose of blog posts and there are plugins that offer XMPP functionality for WordPress, so remote real-time updates aren’t far away and realtime remote publishing already exist using XML-RPC. With the P2 theme, anyone can create a Twitter-like site that any number of registered users can post to and anyone can comment on. Add OpenID authentication and OAuth authorisation and you’ve got a large, mature and open social (micro)blogging service.

For self-hosted WordPress users, it’s even closer to being a reality. I’ve had a site running today that accepts new user registrations via the DiSo OpenID plugin and those users can then post updates to the Prologue themed site and join a threaded group discussion. If I enabled XML-RPC posting, users could post in ‘realtime’ to the group site from their iPhone or other other client app. With OAuth support, this would be possible from desktop and mobile applications as well as other sites such as Flickr, without exchanging protected user data such as a password. Those updates could also be broadcast via XMPP in realtime, which I’ve done on another blog I was testing.

WordPress Flickr account setup

Things are a bit different for WordPressMU/BuddyPress installations. As you’ve seen above, I’ve got a BuddyPress site running that accepts users joining via Facebook connect.  Functionality is limited to social networking and it still has some issues that need working on before it’s ready for every-day use (I’ve noted them on the BP forum). WPMU blogs (by which I mean blogs not the overall site) don’t allow new-user registrations so the blog adminstrator needs to sign up new users. Users registered via Facebook don’t have an email address associated with their account, so blog admins can’t add these types of users as the process requires a username and email address of a new or existing user.

However, by activating the right plugins, registered WPMU users (I’m thinking university staff and students) could participate in a group microblog using the P2 theme, LDAP and/or OpenID for login and XML-RPC and XMPP for remote publishing and receiving posts. It won’t be too long before you can send and receive WordPress posts via your GMail or Jabber account (on your iPhone/iPod) in realtime (hopefully with support for tagging), and all of that data is simply WordPress data and has RSS feeds hanging off every tag and wrapped around every post.

Just a thought.

Facebook to the repository via SWORD

A post to note that I have successfully deposited a document into our institutional repository from my Facebook account using the Facebook SWORD app, written by Stuart Lewis

There’s a few things worth mentioning: It’s a 3.1.1 EPrints IR, hosted at our university and maintained by EPrints Services. EPrints has supported SWORD since v3.1. Originally, the FB app didn’t work for the following reasons:

  • The ‘Depositing on behalf of’ field has to be left empty. I was told by Seb at EPrints Services that this is ‘disabled by default’.
  • The repository URL needs to point at the ‘service document’, not the base URL of the IR. For us, that is http://eprints.lincoln.ac.uk/sword-app/servicedocument
  • We use LDAP for authentication and the IR configuration needed to be tweaked to account for this when depositing via SWORD.
Once we’d overcome these issues, my ‘test.txt’ doc was successfully deposited from my desktop to the University of Lincoln IR via Facebook:
…with a few caveats:
  • The app announced ‘Item Deposited!’ and gave a URL which resulted in a 404 dead link http://eprints.lincoln.ac.uk/sword-app/collections/1738/deposit. I don’t know why. I thought it was because I wasn’t logged in to the IR, but even after logging in, the link was dead.
  • The app (maybe it’s defined in the SWORD spec, I haven’t checked), zipped up my metadata and document, which resulted in depositing two items: My test.txt document and the original zip file were both showing in my item list. This could be because of the way our IR is configured to unpack zip folders. I don’t know.

  • The metadata mapping was partially successful. The referreed status didn’t map across at all and the URL reference I gave mapped to the ‘Identification number’ field in EPrints, rather than the ‘Related URLs’ field, which was what I was expecting. Maybe the SWORD app field could be renamed ‘Identification URL/DOI’ or similar? The title, abstract and my name were correctly mapped. It’s a shame that my email address wasn’t autocompleted as it would be if I were depositing through the normal EPrints workflow. 
Despite these issues, it’s good to see this working in principle and I imagine that the above could be rectified quite easily. Perhaps someone can offer their solutions here?

As Stuart notes on his blog, the main value in this kind of app is the ability to broadcast to your Facebook friends that you’ve just deposited something in an IR. My main gripe, however, would be that it doesn’t make the deposit process any easier, which is what interests me about the SWORD protocol. Working this way…

  • I have to use two applications to make my document public, the benefit being that other people are told about what I’ve just done. 
  • The EPrints URL that the app points to, even if it was working, points to a non-public space, so my friends don’t have a direct link to the document from within Facebook. 
  • The metadata fields in the present version of the app, are not configurable which means that I have to add more metadata through the EPrints interface. 
  • Finally, it does seem odd to upload a document from my desktop to Facebook only to send it to another application and finish off the process of deposit there. It would be more useful, if I could deposit files that I already hold in Facebook. I don’t use Facebook enough to really know if there are apps that allow you to create documents within Facebook, but if there were, then perhaps Facebook could be used as a (collaborative?) working space and the SWORD app used to deposit final versions to an IR.

Facebook glue

A press release from the University of Leicester last week, summarises the findings so far of a research project which “focuses on how pre-registration engagement with the University of Leicester Facebook network influences students’ post-registration social networks and their understanding of the University.” They’ve found that “a high proportion of freshers use the internet to smooth the settling-in process.” No real surprise there, but these kind of studies are important, not only to better understand the student experience, but also better understand how the Internet and social networking in particular, is affecting social relations in general.

A survey of 221 first year students conducted between April and June this year found that more than half (55 per cent) had joined Facebook to make new friends prior to entering university, while a further 43 per cent joined immediately after starting university. Nearly three quarters said Facebook had played an important part in helping them to settle in at university.

So within the first few weeks of joining university, 98% of students (who responded) were using Facebook to some extent. The way the quote above is worded doesn’t make it entirely clear whether 55% of students joined Facebook to make new university friends or socialise with existing friends and meet new friends in general. Later in the press release they say that “59% of respondents considered that the way that they used Facebook had changed since they came to University.” So we know that at least 59% of individuals were using Facebook prior to entering university. They quote some respondent’s motivations for joining Facebook:

  • To meet people before coming to university and because most of my friends at home used it.
  • Because my friends all had it and one of them told me that it was a good way to meet people going to the same uni as me.
  • To hopefully get into contact with people who were living in my building or were on my course through facebook groups. I hoped that knowing these people before I got there would give me a head start at uni.
  • To keep in touch with friends and for a bit of fun. Also to see if I could find anyone going to Leicester Uni living in my halls.

I suspect that the 55% is a mix of some people consciously joining with university in mind and others who were using Facebook regardless of entering university. Still, university life clearly accounts for a lot of Facebook registrations and an even greater amount of Facebook activity.

Over a third of respondents also said they used Facebook to discuss academic work with other students on a weekly basis, and more than half responded positively to the idea of using Facebook for more formal teaching and learning – although only 7 per cent had actually done so. Many suggested ways in which Facebook could be used, such as providing social support for students in departments and informing students about changing lecture times.

This is good to read and follows JISC’s In Their Own Words report about the move to increased learner autonomy.

But the survey also found that 41 per cent of students were against being contacted directly by tutors via Facebook. A report on the preliminary findings warns that the university will need to tread carefully if it wants to use Facebook to communicate with students for administrative or teaching and learning purposes.

So “more than half” of students welcome using Facebook for teaching and learning and 41% were against it? Or is that “more than half” of “over third of respondents” welcome the use of Facebook for teaching and learning? Again, not entirely clear to me, but I imagine it’s the former and that attitudes are going to shift even further in that direction over time.

My own experience is that the longer and more extensively I’ve used services like Facebook (in fact, the Internet in general), the fewer walls I construct to protect the normal divisions in my life. Not only is it too difficult to maintain separate identities on Facebook, but the boundaries between work, leisure, education and our private lives are far less distinct than they would otherwise be. You only have to look at the number of family photos on Flickr, the number of work related Facebook networks and the amount of discussion occuring online where people use their same identity for both work-related discussion and non-work-related discussion to see that walls are falling rather than being constructed through the use of the Internet.