SmugMug embraces OpenID
The subject says it all and I’m thrilled. Here are some details:
- We’re an OpenID 1.1 Provider. Hundreds of thousands of SmugMug customers can now use their SmugMug homepage URL as their ID on sites all over the net.
- We don’t yet support Diffie-Hellman association, so if plaintext isn’t ok, you’ll have to fall back to dumb mode. Sorry about that. I’m hoping we can support DH soon, but I’m really waiting for Wez’s PHP patch to use OpenSSL’s functions. I may end up creating a custom build, we’ll see.
- We’re planning on consuming OpenID for photo comments and other things shortly.
- We probably have bugs. Sorry about that - let me know and we’ll get them fixed.
OpenID is a fantastic idea, I’ve loved it since I first heard about it, and finally found a day to play with it. AOL recently announced support, and so did Microsoft. OpenID will be everywhere.
I’m a little worried with the direction OpenID 2.0 seems to be going - one of the great things about OpenID is how simple and easy-to-implement it is. I haven’t taken a good, close look yet, but the preliminary 2.0 spec seems to be complicating things a great deal. I see that as a Bad Thing(tm) but maybe I’m smoking crack.
The documentation for OpenID leaves a lot to be desired. Specifically, there are no example messages, including sample values, for you to make sure your code is doing the right things. Luckily, the spec is so simple that some trial-and-error takes care of things, and someone has written a great narrative overview of the implementation. I will put up an OpenID page on our wiki that includes example requests and responses, including secret keys, so anyone else implementing this from scratch has some values to work from.
LiveJournal (and thus, Brad’s CPAN module used by lots of other services) seems to have some bug in it where it doesn’t like OpenID server URLs without a trailing “/”. It returns a useless (to me?) error message: “naive_verify_failed_network” which meant I spent hours and hours of time going over my code with a fine-toothed comb. Finally, out of ideas, I made a 1 character change to my HTML and everything magically worked. I don’t understand why, since the docs don’t state this, and Vox seems to have an openid.server without a trailing /, but oh well. It fixed my problem.
Hopefully this will help someone else figure out what that message might mean.
There are clearly still issues around OpenID, such as what happens years from now when your OpenID identities are lingering out there long after you’ve closed the account from which the ID was provided? Someone else may even own or use that old URL if it’s been repurposed. But there seem to be smart people thinking about the problem, so hopefully everyone will figure it out without bloating it or making it unusable.
I think OpenID is huge, and I’m glad we’re able to move the ball up the field a few more inches.
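As an added example (not SmugMug's code, and not part of the original post), here is the kind of worked message the documentation paragraph above says is missing: an OpenID 1.1 `id_res` response signed and verified with the shared secret from a plaintext association. Every URL, handle and key in it is constructed for illustration, and the requirement that `identity` and `return_to` appear in `openid.signed` is a defensive check this example adds.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not real SmugMug data): a 20-byte association
# secret as the base64 mac_key of a plaintext association, plus an id_res response.
MAC_KEY_B64 = base64.b64encode(bytes(range(20))).decode("ascii")
RESPONSE = {
    "openid.mode": "id_res",
    "openid.identity": "http://nickname.example.com/",
    "openid.return_to": "http://consumer.example.org/finish?nonce=8c1f",
    "openid.assoc_handle": "constructed-handle-1",
    "openid.signed": "mode,identity,return_to",
}

def kv_form(fields, signed):
    """Key-value form: one 'name:value\\n' line per signed field, in list order."""
    lines = []
    for name in signed.split(","):
        value = fields["openid." + name]  # KeyError if a listed field is absent
        if "\n" in name or "\n" in value or ":" in name:
            raise ValueError("field cannot be represented in key-value form")
        lines.append(f"{name}:{value}\n")
    return "".join(lines)

def sign(fields, mac_key_b64):
    """openid.sig = base64(HMAC-SHA1(secret, key-value form of the signed fields))."""
    secret = base64.b64decode(mac_key_b64)
    token = kv_form(fields, fields["openid.signed"]).encode("utf-8")
    return base64.b64encode(hmac.new(secret, token, hashlib.sha1).digest()).decode("ascii")

def verify(fields, mac_key_b64):
    """Consumer-side check; also insists that identity and return_to are signed."""
    signed = set(fields.get("openid.signed", "").split(","))
    if fields.get("openid.mode") != "id_res" or not {"identity", "return_to"} <= signed:
        return False
    try:
        expected = sign(fields, mac_key_b64)
    except (KeyError, ValueError):
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode())

# Provider side: attach the signature to the constructed response.
RESPONSE["openid.sig"] = sign(RESPONSE, MAC_KEY_B64)
```

With a plaintext association the `mac_key` crosses the wire unencrypted, which is why the post notes that consumers unwilling to accept that must fall back to dumb mode until Diffie-Hellman association is supported.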





February 23rd, 2007 at 6:07 pm
[...] With AOL signing on, Firefox 3.0 promising integrated OpenID support, Yahoo getting in on the act and up-and-coming sites such as Digg, NetVibes and SmugMug signing on it looks as though this one might be here to stay. [...]
February 24th, 2007 at 1:32 pm
Well I originally had typed out a rather sarcastic comment about how all the community needed was yet another service having an identity crisis thinking they should be an OpenID provider rather than a consumer. But I thought better of it, and would rather ask you (much more calmly), what your rationale was for choosing to set up a provider, but not a consumer. Think back to when you first started SmugMug… if you had known about OpenID then and planned to integrate it into the site, would you have still chosen to set up a provider? Forgetting the fact that you already have a large customer base with usernames and passwords in your system, does it seem like the natural role for a site like SmugMug in the OpenID world is that of an identity provider, or one that consumes identities? I would argue without question that it should be that of a consumer. It’s not hard to see that many people believe there are simply too many OpenID providers and not enough consumers. To be perfectly honest, I would rather see sites not adopt OpenID at all if they insist that *they* should be the provider and refuse to consume external IDs. In all fairness, I did see that you are planning on consuming IDs for photo comments and “other things” and that’s great, but I believe that should have been done *first*, and acting as a provider could be added later if it was really desired by the community.
February 24th, 2007 at 3:28 pm
I believe our natural role is both - we provide identities for those who want them, and consume them for those who already have them.
I also believe there is a chicken-or-the-egg thing going on, and that providers without established user bases *do not* contribute meaningfully to solving the chicken-vs-egg issue.
Since LiveJournal was until recently the *only* provider I’m aware of with a decent (100,000+) installed base, I believe it helps the OpenID cause to have another one. I’m thrilled that AOL has made the # of people skyrocket to millions. SmugMug adds their volume to the pot, and the world is a better place for it.
So that’s why I chose to provide first. As I already mentioned, we will shortly consume as well - and I think that’s key too. But growing the pool of people who can use OpenID will encourage other sites to consume.
Whereas consuming without providing will only make it available to LiveJournal (and now AOL) users, which isn’t very attractive.
If you think about it like a utility, what do you do first? Sell lightbulbs to people without power (consume), or run power to people without lightbulbs (provide)? How about cars? Who would buy a gas-powered car if there weren’t gas stations?
You get my point, I hope?
February 24th, 2007 at 3:31 pm
I should mention, too, that we’ve had *zero* customer requests for consumption of OpenID, and a handful for providing OpenID.
Since our entire business is built on listening to our customers, I chose to listen yet again.
But since I’m a geek, I want to enable both. So that’s what we’ll do.
February 25th, 2007 at 12:34 am
Awesome.
Going to tie it into dgrin as well?
February 25th, 2007 at 12:39 am
hmm… hit submit too soon… I had hoped that the link to the smugwiki would have told me how to use your provider with openid based sites. After my first reply I read the tab I’d opened in the background and saw it was just the wiki’s home page and there wasn’t yet a page on Open ID.
So how do we use this?
February 25th, 2007 at 1:59 am
@cabbey:
dgrin is entirely different software that we didn’t write (vBulletin), which is why it’s not tied into SmugMug directly. I’d love it if vB became OpenID enabled, but that’s not up to me, I’m afraid.
To use OpenID on a site that accepts it (alas, there aren’t many yet, but they’re coming), simply enter your SmugMug URL into the OpenID box and we’ll handle the rest.
You can try commenting on anyone’s LiveJournal blog, for example.
February 25th, 2007 at 4:05 am
From the little I’ve read about it, I think OpenID sounds great. I agree though, it would be nice to see more consumers of it.
On a related, but slightly off-topic note… a shameless plug for my feature suggestion: remove the anti-spammer code (or future OpenID request) when adding a comment if a smugmugger is logged into smugmug? If we’re logged in, we’re not a spamming robot.
If somebody is changing the commenting authentication, they might want to take that into consideration.
end plug.
February 25th, 2007 at 4:22 pm
@wanderAround:
Unfortunately, our biggest comment spammer problem stems from SmugMug users. I agree that we’re not handling it the best way we could, so look for some changes in the future.
Sorry about that.
Don
February 25th, 2007 at 9:53 pm
ah, I forgot vBulletin wasn’t updated yet. On the other hand, here’s the plugin for your blogging system.
http://verselogic.net/projects/wordpress/wordpress-openid-plugin/
February 27th, 2007 at 9:23 am
[...] Don MacAskill over at SmugMug (my favorite photo sharing site) brought my attention to OpenID, a budding solution to an old computer problem: If you use a computer, you have way too many passwords to conveniently remember. You might use one or two passwords, perhaps a simple one for web sites that you do not care much about and a more complex, carefully guarded one for things like your bank account. The thorny problem pricks you when one site has a policy which prevents you from using your favorite password and you have to create a special one for just that site: how do you remember it? [...]
February 27th, 2007 at 11:26 am
[...] We announced OpenID support last week. I then responded to some comments asking us why we were a provider first, rather than a consumer. Now, I’m answering some more comments basically asking why they should care about OpenID and how it helps SmugMug customers. [...]
February 27th, 2007 at 9:52 pm
Don - long time reader, first time commenter.
Absolutely fantastic post. As always your finger is astutely on the pulse.
FWIW one of our engineers wrote about integrating OpenID into our enterprise wiki, Confluence, on our developer blog just today. Hopefully we’ll be rolling this out as a plugin in the very near future!
m
March 12th, 2007 at 1:55 pm
[...] There have been a spate of announcements recently with a number of companies both large and small announcing that their products will ‘support’ OpenID. Each of these announcements was met with a rousing standing ovation by the bloggers over at Techmeme. First Microsoft (with Hypercard), then AOL, Digg, Wordpress, SmugMug and many more. OpenID support is a good thing, it means that I can have a single online identity with a single identity provider of my choosing, and I can then use this identity to login to web applications that support OpenID but without the need to fully signup (you still need to set preferences etc.) [...]
March 29th, 2007 at 12:32 am
[...] I think OpenID is huge, and I’m glad we’re able to move the ball up the field a few more inches [...]
August 19th, 2008 at 12:17 pm
I came across this page whilst trying to find out if I could use my existing OpenID with SmugMug. Consider this a request! I would not consider using a site as an OpenID provider unless they supported a minimum of 2 non-password authentication methods (e.g. digital certificate, SMS, cardspace, …). The same works in reverse. I doubt I would use my OpenID provider for photo hosting if they provided it. I think sites should stick to doing one thing well. Please, SmugMug, be a good netizen and consume OpenIDs!