XAuth has had me fascinated since it was announced yesterday. If you haven’t heard of it yet, I think Dare Obasanjo’s summary is one of the better descriptions, although his site seems to be having issues this morning.
What is XAuth? It appears to be one service, running on one domain, that will maintain the login state of every user at (ideally) every consumer Identity Provider in the world, in real time. A service users have to opt out of. The goal is discovery of authenticated providers.
There are interesting nuances here. As far as I can tell, for the large providers who are already a fixture on the standard NASCAR page, adopting XAuth means that their logos can only be shown on fewer pages than they are today. This means that Google, Microsoft Live and Yahoo! are essentially volunteering to delist themselves from NASCAR pages when the user is not registered or not logged in. Meanwhile Facebook and Twitter, who are not at this time involved in XAuth, will be there on every single NASCAR page, holding their spot, nice and predictable, day in and day out. If you travel to Zoho, for example, and you are logged out of both Facebook and GMail, you will only see Facebook’s logo. And since xauth.org is by design a single point of failure, any service disruption that threatens revenue for the relying party is likely to result in an abrupt re-adoption of a static NASCAR page. So – what is it that these providers gain from such a dance?
They get to remove the user from the equation. Relying Parties and Identity Providers finally get to discover each other all by themselves; they can talk right over everybody’s heads without prompting users. In one sense, I completely get this! Business runs so much smoother when the decisions get made en masse. Asking the user is time-consuming, difficult, and frequently unappreciated. And eventually you just have to solve the problem and get stuff done.
XAuth, if it succeeds, will be the antithesis of user-centric identity. It is what happens when companies with businesses to run finally realize that asking users is a thankless, hopeless task that can only get in the way. We all know it is easier to ask forgiveness than permission – for better or worse, XAuth is that principle, taken to its logical conclusion.