h2g2 The Hitchhiker's Guide to the Galaxy: Earth Edition

OpenID is a standard for decentralised federated login.



I really should write a Guide Entry about this, but I've never implemented OpenID, though I do use it.

This is how it works. It's difficult to remember different usernames and passwords for every site, and it's dangerous to have the same usernames and passwords for every site. So it's handy to be able to log into other sites with your Google account, or Microsoft account, or Facebook account, or Yahoo! account, or Twitter account, or whatever. To post on ScienceBlogs, or Typepad, or StackExchange, or various other sites, you can sign in with a wide variety of external accounts. Each one works differently under the hood, and the coders have to go to a lot of pain to make the experience seamless for the end user. Or that's the way it used to be. Nowadays, many of them work in the same way: OpenID (Facebook Connect is one of the few remaining standouts). And many sites allow you to pick from a list of options or to enter the URL you want, and sign in with any account.

OpenID is becoming more and more common. And it would be nice to present that sort of login screen to the new h2g2. (We're going to have to build a new login system anyway, so we may as well.) This would allow users the choice of a standard username/password login, or a variety of external options. And it could be built so that one person could have multiple means of login. (I can log into StackExchange with my Google account or with my own OpenID on timothy.green.name. Either way, I get into the same account.)



1. It would be nice for noohootoo to allow OpenID login.

2. For privacy reasons, the BBC may not give us login details for h2g2 Researchers. If you'd signed up with the BBC website, would you want your e-mail address passed on to a third party? (The BBC may give us e-mail addresses but not passwords, in which case we could just ask everyone to regenerate their passwords through an "I forgot my password" function. But they may not even give us e-mail addresses. It depends on how seriously they take user privacy and suchlike. We'd be happy for whoever runs h2g2 to have our e-mail addresses, but people who made one post and left may not be. Some people may be happy to have an account on the BBC and unhappy to have any of those details passed on to any third party.)

3. The BBC does not implement OpenID, but are a member of the OpenID consortium and may be persuaded to do so. (It's fairly easy to persuade big organisations to become OpenID providers, allowing people to use their BBC iD account on other sites. It's harder to persuade them to become OpenID consumers, allowing people to use their own accounts on the BBC site. But it's not necessary the BBC do that for our purposes anyway.)

4. The OpenID standard allows extensions, whereby extra information could be included along with the normal login token.

Therefore, it would be nice if we could use BBC iD logins on noohootoo, by way of an implementation of OpenID with an extension which passed on the researcher number (DNAID). There would be three options: "This person signed up to the BBC prior to h2g2's departure, and has the U-number XXXX", "This person signed up the the BBC after h2g2's departure", and "This person has a BBC iD, but has never posted on a BBC DNA messageboard, and therefore does not have a DNAID". (I don't know whether that last category exists. In any case, we wouldn't need to distinguish the last two categories, treating them just as a normal OpenID login.)

Thus, we could preserve BBC accounts on the new h2g2 by allowing people to sign into the new h2g2 with their BBC iD. And the BBC would not be violating anyone's privacy, because they would be passing on the information only of those people who explicitly chose to have their information passed on.

And once you'd signed into the new h2g2 once with your BBC iD account, you could add a number of other login options, such as standard username/password, or a few other OpenID accounts (Google, Yahoo!, your own domain name, whatever). And then you could sign into the new h2g2 with any of them, and whichever way you did it you'd get into the same account.



The preceding is quite technical. The following is purely technical.



Assuming we get the DNA software and database:

5. The DNA software can run multiple related sites. We may have no immediate plans to do this, but it would be nice to keep it in mind as a possibility. Perhaps 606 want a DNA board after all, because they'd like to retain their legacy content. I'd quite like to reopen the hub and perhaps GetWriting and the WWII board. Or even brand new boards. These could be on separate domain names, but share a database.

6. Multiple domain names sharing user login details are possible. The StackExchange network does it, but in a very fiddly way (it requires iframes and HTML5 local storage and is a mess). There's an easier way.

7. The OpenID standard includes a "reply immediate" method. This does not present the user with a login screen. Instead, there's a quick check for whether the user is logged in. If they are logged in, their credentials are presented immediately.

So we could do it this way. Let's imagine we operate DNA boards on h2g2.com, example.org, and example.net. We can run a login for all of these at id.myh2g2.com. In this situation, h2g2.com, example.org, and example.net are OpenID consumers, who will consume OpenID *only* from id.myh2g2.com. Meanwhile, id.myh2g2.com is an OpenID consumer (so you can log in with your Google, Yahoo!, Microsoft, MyOpenId, whatever account), a BBC iD consumer, a Facebook Connect consumer, a Twitter login consumer, and has a standard username/password interface. And it allows you to add multiple login methods to one account. Once you've logged into id.myh2g2.com, it also serves as an OpenID provider to the DNA boards (and to anyone else who asks it to, but it would ask your permission before logging into them, just as MyOpenId asks your permission the first time you ask it to log you into any site (this means you could use your DNA account to log into other sites)).

So when you land on h2g2.com without any cookies, there's a quick check against id.myh2g2.com to see whether you're logged in. You're not, and you don't even notice this. You continue browsing h2g2 as a logged-out visitor (h2g2.com will place a cookie so it doesn't do the check every time you visit a new page). You then click the log in button and are directed to id.myh2g2.com to log in. And you continue browsing h2g2 as a logged-in visitor. And then you visit example.net. The OpenID "reply immediate" method is called, and hey presto!, you're logged in there too.

If you log out on any site, we can log you out of all sites without sending you on a series of redirects to clear all your cookies. We just have to change our record of your login credentials. You'll still have the cookies, but they'll be meaningless.

Your OpenID URL would be of the form id.myh2g2.com/member_id/XXXXX. (Actually, perhaps not. Because then if you use your DNA account to sign into another site, they know your h2g2 identity. Which could have privacy implications. Perhaps your OpenID URL would be of the form id.myh2g2.com/id/OXOXOX where OXOXOX is a meaningless token which is related to your DNAID by a lookup table, with no mathematical relationship. So you can sign into other OpenID-accepting sites without compromising your privacy by revealing your h2g2 identity. All you reveal is that you have an h2g2 identity, not what identity it is. Yes, I have done a certain amount of reading about online privacy.)



Incidentally, I'm using "noohootoo" to mean post-BBC h2g2. I think some people are using the same word to mean barlesque h2g2. I'm not sure which meaning is original. Perhaps I shouldn't use the word at all, to avoid confusion.

TRiG.

Context makes it pretty clear which definition of noohootoo you're using. Just about everything else may be flying over my head, but I got that much! (I remember seeing "noohootoo" before The Announcement, so I'd say Barlesque-related is the original definition)

Thanks Trig for this excellent piece of research and, like you said, this could turn into an Entry.
I will have to read it again, and maybe once more, to really understand all of it but I got the highlights.
I like the idea of using OpenID not in the least because it allows us to smooth over the transition away from the BBC for the Community by not having to re-register (oy! the pain! loosing my beloved U numbuh).

! Martin
---
I thought I heard a Dolphin Whistle ...

I think the BBC/Barlesque became noobloohootoo
or just bloohootoo
and noohootoo
is the future.

~jwf~

Re Trig's essay:

I see a lot of 'welcome ~jwf~' type messages on a lot of webpages.
Even ones that I've never visited before and most I've never logged
into. Perhaps logging into Beebweb Opens my ID to the www.
Oh lordy, my cookies are a-crumbling.

Obviously one has to be old enuff to remember party-lines to really
enjoy the web.


~jwf~

... or just boohoo

I doubt it's the BBC releasing your ID to the web, jwf. It could be Facebook, or it could be Disqus, which runs comments on a lot of blogs. Or something else.

This is how OpenID works for the user (what's going on under the hood is more complicated):
If you go to StackExchange and try to sign in with, for example, your Google account, this is what happens:

1. You'll be taken to Google, where you sign in (if you're already signed in, this step will be skipped).
2. Google will ask you whether you want to use your Google account to sign in to StackExchange (and will have a tick box you can select to "skip this question for this site from now on").
3. You'll be returned to StackExchange.

So the next time you visit StackExchange, you can select to log in with your Google account and will be immediately logged in, without doing anything further.

TRiG.

Hi TRiG. I think we had a discussion about this somewhere else but I can't find it now.

Can you clear something up for me? Are you suggesting that researchers (i.e. people with an existing h2 account) can log in with openID? Or are you suggesting that people without an h2 account could use openID to post here?

*bumps*

I caught up with TRiG here, Ben: http://www.bbc.co.uk/dna/h2g2/alabaster/F1749280?thread=8236096

re Bluhootoo... don't forget classic goo is also blue.
I always heard about the bugs related to the redesign being bugs in noohootoo. this was before the bomshell that we were beind disposed of.

So, is Goo is troobloohootoo?

Does anyone have any other questions to ask about this? The id.myh2g2.com domain is available. And I see there's already been some discussion about 100 posts into F19585?thread=8238874 about having a separate site where ranty or nasty posts can be moved. Having them on a separate domain would allow NetNanny-type software to block out that domain while allowing access to h2g2 itself.

TRiG.

(When I say it's available, I mean I own it.)

TRiG, are you aware of Taff's dilemma (and I'm sure it affects others too). It's a bit off topic, maybe I'll bring it up on c2 or a no researcher left behind thread. It would be good to have some techy input (I know Taff has had some convos on this already somewhere, haven't seen them though).

I think there is more to discuss about openID, but we're all a bit caught up at the moment Are you moving on this currently or is there time still to discuss it?

As in, access to BBC-sites only while at work? Yes, but I have no idea what to do about it.

TRiG.

It's not really a technical problem, it's a problem with the policy his employers have. Unless they change that there's not a great deal that can be done about it. It sucks, but work very often does suck.

Perhaps a letter of recommendation from one of the Powers To Be stating that h2g2.com will replace the bbc.co.uk/h2g2 url might help to whitelist the h2g2.com domain ?
Just thinking out loud.

At the end of the day, I think it's got to be up to Taff to make a representation to *his* Powers That Be, if he thinks it will do any good. But he does work in a prrrretty restricted environment, so I doubt it.

As I said, sometimes work sucks, and all you can do is try to improve it yourself or try to find a new job. He's far from the only one in that position.

I think there will be others too, and it might help if we put together a help list of things people can do. eg explaining the differences between a white list and blacklist.

I think maybe Pastey has talked to Taff? Not sure, but thought it might be good if the information was visible.