xAuth: A look at the new standard for social connectivity
The number of social web services has boomed in the past few years, and it is quite likely that you are signed up for only a few of them. Unfortunately, each and every website you visit is sure to slap you in the face with the option to share on Reddit, post on Facebook, tweet on Twitter, digg on… Digg, submit to StumbleUpon, share on Google Buzz, bookmark on Delicious, post to Blogger, and about a thousand more that you often only find out about when you click to share a link.
If you use one of the less common services, sharing a simple web page can be so trying that it might just be easier to call your friends up and dictate the URL instead.
In an attempt to salvage this mess of services that often do the same job, Meebo, in collaboration with Google, Microsoft Corp., MySpace, Yahoo!, JanRain, DISQUS, and Gigya, has unveiled a new mechanism that can provide a much smoother flow for social networking.
xAuth aims to be a way out of this mess by offering a centralized service for registering your sessions with various social networks. It is not to be confused with OAuth, which is an open standard for securely sharing your private data between services without giving away your password.
With xAuth, whenever you sign into a service, that service can notify xAuth.org that the current user has an active session with it. Information about your currently held sessions is stored in a localStorage object on your own computer; xAuth.org merely provides access control to that data.
Now when you visit a website that is xAuth enabled, it can find out, via the xAuth.org service, which social networking services you are logged into. Knowing this, it can provide you with relevant options for social connectivity instead of merely throwing up every possible option on the page.
As a blog post from Google explains, this is akin to the file associations registry on your computer. Your computer stores your preference for which application should handle which file type, and automatically uses it whenever a file of that type is opened. Imagine instead if your computer popped up a list of each and every application installed on it every time you double-clicked a file! This is essentially what happens on the internet now. While most websites will highlight a few prominent services, this is not really a solution.
The flow of xAuth is as follows:
- You log into a service, which creates an xAuth token (the service acts as the extender)
- This xAuth token can be anything
- The token can be as minimal as a simple binary value which signifies that you are connected to a particular service, or it can have more information
- Each token has an expiry date, and can be set to expire with the browsing session
- The token specifies which external websites can access this token. It can contain wildcards, and simply specify a “*” to give all domains access.
So you have control over which domains know that you are signed on to which service. Of course, at this point the domain probably does not even know who “you” are; it merely knows that the current user browsing the site has an account on a service.
You visit a website which supports xAuth (the retriever) which tries to access the tokens on your computer:
- The website will specify the domains it is interested in, such as “www.youtube.com”, “www.google.com”, “www.twitter.com”
- It cannot specify a wildcard “*” to retrieve all domains
- The website will get a list of all tokens (in JSON format, keyed by domain) which it has requested and has access to.
- The website can then use this data to optimize its interface based on the services you are connected to.
Since localStorage is tied to a specific domain, in this case xauth.org, websites will not be able to access your tokens without going through xauth.org first. This way xauth.org can provide controls over your tokens. The xauth script creates an <iframe> element that loads xauth.org and therefore has access to that localStorage data. Using window.postMessage, an HTML5 specification, the host page can access your token data. When you log out of a service, it will expire its token. It is still up to the website to provide meaningful social interactivity features.
Since the system relies on new technologies (localStorage, which is part of the Web Storage specification, and window.postMessage, which is part of the HTML5 specification), it only supports newer browsers that implement these features. The xauth.org website lists IE8, Safari 4, Chrome 3 and FF3.
xAuth looks like it can change the way we interact with the web for the better, and being an open standard makes it all the more appealing. Who better to start such an initiative than Meebo, which has been providing free services for integrating multiple social networking websites, and a unified interface for multiple chat services, for quite some time.
You can check out the demonstrations, samples and documentation on the xauth.org website for more information.
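The extender and retriever flow above, together with the access control xauth.org applies inside its iframe, as an added JavaScript example (not xauth.org's own script): an in-memory store stands in for the localStorage object, and the function names, the allowed-domain matching rule and the 0 = session-only expiry convention are assumptions rather than the documented xAuth API.

```javascript
// Added example, not xauth.org's own code: the access-control logic an
// xauth.org-style iframe applies to "extend" (store a token) and "retrieve"
// (read tokens) requests. Function names, the allowed-domain matching rule
// and the 0 = session-only expiry convention are assumptions.
const store = new Map(); // constructed stand-in for localStorage on xauth.org

// Match a token's allowed-domain pattern ("*", "*.example.com", exact host)
// against the hostname of the page asking for the token.
function domainMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Extender: a service stores a token under ITS OWN domain. The domain comes
// from the browser-set origin of the postMessage, never from the message body,
// so one site cannot plant a token claiming you are logged into another.
function extend(serviceOrigin, token, expireMs, allowedDomains, now = Date.now()) {
  const domain = new URL(serviceOrigin).hostname;
  store.set(domain, {
    token,
    expire: expireMs === 0 ? null : now + expireMs, // null = browsing session
    allowed: allowedDomains,
  });
  return domain;
}

// Retriever: the host page names the domains it cares about. A "*" request is
// refused, expired tokens are dropped, and a token is returned only if the
// requesting origin matches one of the extender's allowed-domain patterns.
function retrieve(requesterOrigin, domains, now = Date.now()) {
  if (domains.includes('*')) throw new Error('wildcard retrieval is not allowed');
  const host = new URL(requesterOrigin).hostname;
  const result = {}; // JSON object keyed by domain, as the host page receives it
  for (const d of domains) {
    const entry = store.get(d);
    if (!entry) continue;
    if (entry.expire !== null && entry.expire <= now) { store.delete(d); continue; }
    if (!entry.allowed.some(p => domainMatches(p, host))) continue;
    result[d] = entry.token;
  }
  return result;
}

// Logging out of a service expires (removes) that service's token.
function expire(serviceOrigin) { store.delete(new URL(serviceOrigin).hostname); }
```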