Simplifying the social web with XAuth

Monday, April 19, 2010 | 12:07 PM


Have you ever seen a webpage with a collection of buttons for sharing or logging in like the ones below?


Screenshot of buttons taken at Pocket Link

Not all of these buttons are equally relevant, but because there is currently no convenient way to share your preferred services publicly, this approach has become extremely popular, even though the complexity of this interface may actually inhibit sharing!

On the desktop, this problem was solved long ago with what is called the “system registry”. When you install a new application, you are asked whether you want it to handle certain kinds of files, like photos. So, for example, if you install a new application and set it as the default “handler” for photos, the next time you double-click a photo it will automatically open in that application.

Until today, that kind of registry didn’t exist for the web, but thanks to a new collaboration between Meebo and several parties including Google, an initial launch of a service that acts as a registry for the web can be found at xauth.org.

Let me explain how XAuth works in simple terms: when you sign in to your Google account, Google will notify xauth.org that a user has signed in to a Google account and is maintaining an active session. Throughout this process, Google never shares any of your personal information with xauth.org — only that you have signed into some Google account (Google doesn’t even share which Google account you signed in to). This information is stored locally in your browser, and never on XAuth's servers; XAuth only acts as an intermediary that facilitates sharing this information with third parties that ask for it.

This is similar to installing a new desktop application which registers itself in the system registry. Because the registry is the central place where this information exists, any application that needs this information to function can ask the registry for the list of applications that perform certain functions. Similarly, any site that you visit can ask for the list of your active sessions from xauth.org, and customize its interface according to your preferences.

Now, there are two important differences between xauth.org and the system registry:

  • First, when you sign out of your Google account, Google will notify xauth.org that your session has ended. Any site that asks xauth.org for the list of active sessions from that point forward will no longer see Google listed.
  • Second, you can control which sites show up on xauth.org, and are therefore available to the sites that you visit. In fact, on xauth.org, you can choose to delete or block service entries, or disable XAuth altogether.
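To make the mechanics above concrete, here is an added example that is not code from this post, from Meebo, or from the XAuth project: a small JavaScript model of the registry the post describes. In the real design the entries live in the browser's local storage for the xauth.org origin and are reached through a hidden iframe; here an in-memory Map stands in for that storage so the model runs in Node. The method names (`extend`, `expire`, `retrieve`), the provider origins, and the rule that a retriever names the providers it asks about are all assumptions of this model.

```javascript
// Added example, not XAuth's own code: an in-memory model of the xauth.org
// session registry described in the post. A Map stands in for the browser's
// local storage at the xauth.org origin. Method names are hypothetical.

class SessionRegistry {
  // `now` is injectable so entry expiry can be exercised deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sessions = new Map(); // provider origin -> { expiresAt }
    this.blocked = new Set();  // providers the user chose to hide
    this.enabled = true;       // the user can disable XAuth altogether
  }

  // Called by a provider (e.g. Google) after the user signs in. Only the
  // provider's origin and a lifetime are recorded: no account name, e-mail
  // or user id, matching "only that you have signed into some Google account".
  extend(providerOrigin, ttlMs) {
    if (!this.enabled) return false;
    this.sessions.set(providerOrigin, { expiresAt: this.now() + ttlMs });
    return true;
  }

  // Called by the provider on sign-out. From this point on no retriever
  // sees the provider listed.
  expire(providerOrigin) {
    return this.sessions.delete(providerOrigin);
  }

  // Called by a site the user visits. The retriever names the providers it
  // supports and learns only which of those currently have a live session;
  // it cannot enumerate providers it did not ask about (modelled assumption).
  retrieve(requestedOrigins) {
    if (!this.enabled) return [];
    const t = this.now();
    const active = [];
    for (const origin of requestedOrigins) {
      const entry = this.sessions.get(origin);
      if (!entry) continue;
      if (entry.expiresAt <= t) {           // stale entry: drop it lazily
        this.sessions.delete(origin);
        continue;
      }
      if (this.blocked.has(origin)) continue; // user hid this provider
      active.push(origin);
    }
    return active;
  }

  // User controls offered on xauth.org: block, delete, or disable.
  block(providerOrigin) { this.blocked.add(providerOrigin); }
  unblock(providerOrigin) { this.blocked.delete(providerOrigin); }
  remove(providerOrigin) { return this.sessions.delete(providerOrigin); }
  disable() { this.enabled = false; this.sessions.clear(); }
}

// Walks through the lifecycle in the post with constructed origins and a
// fixed clock; returns each step's retrieve() result for inspection.
function walkthrough() {
  let clock = 1000;
  const registry = new SessionRegistry(() => clock);
  const google = "https://www.google.com"; // constructed provider origin
  const digg = "https://digg.com";         // constructed; never signs in
  const wanted = [google, digg];           // what a sharing widget supports

  const steps = {};
  steps.beforeSignIn = registry.retrieve(wanted);   // []
  registry.extend(google, 60000);                   // user signed in at Google
  steps.afterSignIn = registry.retrieve(wanted);    // [google]
  registry.block(google);                           // user hides Google on xauth.org
  steps.whileBlocked = registry.retrieve(wanted);   // []
  registry.unblock(google);
  clock += 120000;                                  // lifetime elapsed
  steps.afterExpiry = registry.retrieve(wanted);    // []
  registry.extend(google, 60000);
  registry.expire(google);                          // user signed out
  steps.afterSignOut = registry.retrieve(wanted);   // []
  registry.extend(google, 60000);
  registry.disable();                               // user disabled XAuth
  steps.whileDisabled = registry.retrieve(wanted);  // []
  return steps;
}
```

The point of the model is what a retriever can and cannot learn: it gets a yes/no per provider it asked about, never an account identifier, never a provider it did not name, and sign-out, blocking and disabling all take effect on the very next lookup. The `walkthrough()` function returns those intermediate results so the behaviour can be checked rather than only read.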

We think that XAuth can simplify and improve the social web, while keeping your private information safe. This is just one of many steps that Google is taking, along with others in the industry, to make the social web easier and more personalized.

15 comments:

Mark Essel said...

Excellent maneuver to opening up one piece of the social web, and solving the two unknown sets problem that other social services are working hard to own.

Look forward to more customized browsing tools to enable sites to know about my interests, behavior, and content best catered to that knowledge without making serendipity impossible.

Avinash Agrawal said...

Great, but what would the new webpage look like? Is there a screenshot without the collection of buttons?

Avinash Agrawal said...

Currently, also if I go to googlesocialweb.blogspot.com/2010/04/simplifying-social-web-with-xauth.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+SocialWebBlog+(Social+Web+Blog)
then it shows a "Google friend connect: Join or sign in" at the bottom of the page, even though I am already signed into my Google account in my Google Chrome browser. So I should not have to click on "Sign in" again, which is tedious. Also, just like using Microsoft SharePoint (list of members) with Microsoft Office Communicator, which displays the online status of each person, instead of a static members list using Friend Connect, I should be able to see a more live view of members that are online.

Avinash Agrawal said...

This comment has been removed by the author.

Conrad said...

I'm assuming that this is something the user would opt in to, and that it wouldn't be on by default. Otherwise, it's tantamount to sharing nav history.

Also, a lot of the useless sharing icons that show up are useless because the user isn't a member of the particular social service, not because they aren't logged in. I may not be logged in to Digg, but I may be active there and still want to have it easily available. That makes the bit of info you want "has an account at X" rather than "is logged in to X".

Chris Messina said...

@Avinash: not yet, sorry. Soon, I hope!

Also, Google Friend Connect doesn't automatically join you to networks because it's designed to protect your privacy. For example, if you ended up on a site that supports Friend Connect that you *didn't* want to join, you'd be pretty upset if you were automatically joined. This stuff is tricky, and we have to be careful!

@Conrad: It is up to the provider to decide to make use of this service. Your nav history would not be revealed unless EVERY site you visited decided to list itself as one of your service providers.

Long term you might be able to tweak your service profile to add or remove different services... Currently XAuth only works if you're signed in to a service — so you're right — if you're a Digg user but you haven't signed in or Digg doesn't use XAuth, the retrieving site wouldn't know that you have a Digg account.

Hopefully retrievers would be smart and not make it impossible to use additional services — but instead just optimize for the known/present cases.

InternetNBisnis.co.cc said...

hi...it's great..

* Jewelry Designer: Harjot * said...

It's OK, I am not so happy with it though.

瑜吟 said...

Actions form habits, habits shape character, and character determines destiny.

Duderino said...

I think it's excellent! :)

Latrent said...

Other than not being able to participate in an improved social web, are there any other ramifications to assigning xauth.org to 127.0.0.1 in my hosts file? (This seems an easier solution than disabling xauth in each browser I use.)

協盛 said...

If you want to move the world, first set yourself in motion.

Cong said...

Who controls xauth.org?

Chris Messina said...

@Latrent: nope, there shouldn't be any adverse effects to pointing xauth.org to your localhost.

Commons Guy said...

"Similarly, any site that you visit can ask for the list of your active sessions from xauth.org, and customize its interface according to your preferences."

So, let me get this straight: XAuth is specifically designed to empower identity-theft attacks? After all, "any site that you visit" are not all good guys. Knowing what identity providers you use should make attacks much more likely to succeed -- rather than guessing, attackers can present a "session expired, please re-login" for a service they know that you use.