The third-party authentication dilemma: does Facebook pwn my site?
I've argued for some time that it is crazy for most websites to have their own authentication (username/password) system these days.
- We the users have no patience for yet another registration process, validation email flow, and password to remember
- Security is too easy to get wrong, unless you truly have security professionals on staff
- Designing sites with a registration process, issuing credentials etc is a legacy holdover from the days when we had no choice. OpenID, OAuth (in particular) have long since changed the game.
And the shift is well underway. More sites these days are offering the ability to authenticate using twitter, facebook, google or other credentials. Janrain chief executive Brian Kissel has said that
..publishers are jumping on-board as they realize it’s valuable to know who their readers are and that it’s much easier to convince them to sign in with an existing account than to create a new one
Perhaps like many sites, you integrated with Facebook Connect to let users sign into your site with their Facebook account. Which all sounds great, until you wake up one day and are caught off guard by two bits of news:
- Facebook Connect brand will be deprecated as part of the launch of Open Graph
- There's a movement of disaffected Facebook users concerned with privacy and trust threatening to quit
Jason Calacanis was one of the high-profile Facebook quitters who got "caught" sneaking back in. He explained the reason on a This Week in Startups .. to (temporarily) regain control over all the third-party applications he'd forgotten were using his Facebook account for authentication.
Suddenly, you are feeling the downside of depending on a third-party authentication service:
- The amount of engineering required to "keep up" with the evolving identity management space is unpredictable, since someone else is calling the shots
- Your site and brand are totally exposed to a user backlash over something that you have no control over and that has nothing to do with you
So is there a better way?
If your site is directly linked to the third-party service (e.g. a tool for twitter, or a Facebook application) then the answer is no, and the question doesn't even make sense.
But for most cases, we are basically outsourcing the identity management and authentication, and want to avoid getting caught down a blind alley.
Pure OpenID is one approach: it is not controlled by any single vendor, and there are capabilities such as delegation which allow users to pick and choose their provider. The unfortunate fact is that OpenID is far from mainstream, and will likely remain a mystery for most users (even if it is hard at work under the covers of their Google or Yahoo! sign in).
Personally, I think the best approach is to disentangle ourselves from directly dealing with identity providers. By outsourcing the identity management and authentication process to an intermediary that aggregates the services of many identity providers we get a nice compromise:
- Someone else to take on the burden of securing the system and keeping up to date with the improvements made by the various identity providers
- We get to offer the convenience to our users of signing in with a wide range of identity providers
- And my site is directly dependent on only one service provider, one that specializes in identity rather than other business interests which may potentially bring us into conflict
The best solution I have found so far is Janrain Engage (formerly RPX). I've used this on a number of sites (e.g. CloudJetty - my directory of cloud/SaaS applications), and released a gem (authlogic_rpx) for easily using the service with Ruby on Rails.
If you are concerned about your website getting locked in to a particular authentication provider (whether it is Facebook, twitter or anything else) then I would certainly recommend you check out Janrain Engage.
Now I realise this may come across as an unabashed plug for Janrain, but the truth of the matter is that (a) it works, and (b) I haven't really been able to find any fully baked alternatives. If you do know of other similar services or ways of approaching this problem I'd be really interested to hear about them.
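As an added illustration of the relying-party side of this intermediary pattern (example code, not from the post or from the authlogic_rpx gem), in Ruby: the browser only hands the site a one-time token, and the site exchanges it server-to-server with the broker before trusting any identity it maps to a local account. The broker endpoint URL, parameter names and JSON response shape are assumptions for the example, not taken from Janrain's documentation.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Assumed flow (not from the post): the broker redirects the browser back to our
# token URL with a one-time "token" parameter, and we exchange that token
# server-to-server, together with our secret API key, for a verified profile.
# The endpoint below is a placeholder; the real one comes from the broker's docs.
BROKER_AUTH_INFO_URL = URI('https://broker.example/api/auth_info')

# Performs the real HTTPS POST to the broker. Kept separate so it can be
# swapped for a stub when testing offline.
def default_exchange(token, api_key)
  res = Net::HTTP.post_form(BROKER_AUTH_INFO_URL, 'token' => token, 'apiKey' => api_key)
  res.body
end

# Exchanges the browser-supplied token for the broker-verified identity.
# The browser never tells us who the user is; only the broker's answer to our
# own server-side call does. Returns a small hash, or nil on any failure.
def verified_identity(token, api_key, exchange: method(:default_exchange))
  return nil if token.nil? || token.strip.empty?
  data = JSON.parse(exchange.call(token, api_key))
  return nil unless data['stat'] == 'ok'
  profile = data['profile'] || {}
  identifier = profile['identifier']
  return nil if identifier.nil? || identifier.empty?
  # Only the verified identifier keys the local account; the rest is display data.
  { identifier: identifier, provider: profile['providerName'], email: profile['verifiedEmail'] }
rescue JSON::ParserError
  nil
end

# Maps a verified identifier onto a local account, creating one on first sign-in.
# The local user table is all the site stores; provider details stay with the broker.
def find_or_create_user(users, identity)
  users[identity[:identifier]] ||= { id: users.size + 1, provider: identity[:provider] }
end
```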
Blogarhythm for this post: IDentity - 玉置成実 Tamaki Nami
The light will shine on me allowing me to make progress and start on the road to my identity
The CSS Zen Banger
Ever need to try some simple CSS tweaks on an existing website? I needed to do something like that again recently, and a little hack I used to do the job just turned into the CSSZenBanger.
CSSZenBanger is a simple tool for previewing style modifications on an existing web site—mainly intended for web designers who want a quick way to review stylesheet changes without the trouble of setting up a project environment.
This is certainly not a new idea, but I googled in vain for something similar. And while it's pretty easy to make on-the-fly changes with tools like Firebug, sharing the results with others is tricky.
So here it is... if you ever need to test some css fiddles, maybe it can help you too.
Blogarhythm for this post: Cobrastyle - Robyn
jQuery Essentials
On a jQuery binge today and saw a tweet fly by with this excellent overview by Marc Grabanski (via @elijahmanor)
Motivated me to finally toss out my old jQuery wallpaper. There's a great selection over at devcheatsheet (I'm going with Future Colors for now).
Update (via @mahemoff): Rebecca Murphey has just released the "jQuery Fundamentals" Open-Source jQuery Training Curriculum under Creative Commons. Some kind of awesome!
Blogarhythm for this post: Run with the $ - Lita Ford
LOLs: ..and some dumb script at amazon translated $ to dollar, when she actually sings "money";-)
Quick Review of jQuery Date/Time Widgets
Once again I find myself browsing around for a better javascript calendar tool. I'm particularly looking for jQuery support, the ability to handle both date and time entry, and — being post-iPhone/Android/iPad 2010 — I'm concerned about making sure it is finger friendly (i.e. it works on a touch screen).
The table below summarises my findings at this point (see here for my full survey results). The ranking is just my personal view, and this list is certainly not all inclusive (if you know of other/better options I'd be really interested to hear from you). Each tool links to a test page where I've tried to cut everything back to the bare essentials needed to run a demo. Feel free to pinch the source if it helps.
Conclusions? There are some reasonably effective tools here for quickly dropping in date and time editing support, but at the end of the day I'm not sure that Google haven't already got it right with the simple combo-box time selectors in Google Calendar (is there a widget that includes something similar? Haven't found it yet).
The Field
* indicates the latest versions that I have been able to successfully test
jQuery Datepicker [Rank: B]
- jQuery*: 1.4.2
- jQuery UI*: 1.8.2,1.7.3
- Dates: Yes Times: No
- Finger Friendly: Yes
- Comments: The standard widget
Any+Time [Rank: A]
- jQuery*: 1.4.2
- jQuery UI*: n/a
- Dates: Yes Times: Yes
- Finger Friendly:Yes
- Comments: Extensively customisable and scriptable. Supports jQuery UI themes. Also works with prototype instead of jQuery. Cannot edit the bound field while the widget is active [Update 18-Jun-2010: fixed incorrect statement that jQuery themes not supported]
Martin Milesich's Timepicker [Rank: A-]
- jQuery*: 1.4.2, 1.3.2
- jQuery UI*: 1.8.2, 1.7.2
- Dates: Yes Times: Yes
- Finger Friendly: Cannot use the time slider with finger, but you can select a point on the slider with finger OK.
- Comments: Generally neat extension of the standard datepicker. Supports alternate fields to split out date/time component for easier processing.
Trent Richardson's Timepicker [Rank: B+]
- jQuery*: 1.4.2
- jQuery UI*: 1.8.2
- Dates: Yes Times: Yes
- Finger Friendly: Cannot use the time slider with finger. You can select a point on the slider with finger, but there is a minor bug meaning you need to select twice. You can also edit the bound field while the widget is active.
- Comments: Generally a very neat extension of the standard datepicker. Doesn't support all features, however, e.g. alternate fields
W3VISIONS Date-Time-Picker [Rank: B-]
- jQuery*: 1.3.2
- jQuery UI*: n/a
- Dates: Yes Times: Yes
- Finger Friendly: Yes. Slider button doesn't work with the finger, but can select positions on the slider OK
- Comments: The UI is a bit clunky and there is no theme support, so I didn't bother with a demo page for this
timepickr [Rank: C]
- jQuery*: 1.4.2
- jQuery UI*: 1.7.3
- Dates: No Times: Yes
- Finger Friendly: No fingers, no play (unless the device has a trackball you can fallback on)
- Comments: A different take on time entry. Maybe too different.
Additional Resources
- jQuery Home
- Datejs extends javascript Date parsing capabilities and adds nice syntactic sugar
- Date Format extends javascript Date formatting capabilities
Alternative Frameworks
jQuery is not the only game in town of course. Here are some others...
- Dojo Date Controls and TimeSpinner
- MooTools Datepicker
- YUI Calendar, timepicker
- Calendar Date Select, a Prototype-based Rails plugin
- In Railscast 213 Ryan Bates provides some great coverage of date/calendar plugins with Rails
Blogarhythm for this post: Time - Pink Floyd