Are You Ready for Live ID?

Communism doesn't work because people like to own stuff. - Frank Zappa

Microsoft has rolled out its Live ID Web Authentication SDK and from some of the forum posts I've seen, developers are already misunderstanding what they really have to work with. You see comments like "hey, but it won't give me their email", or "Useless!", etc. Wrong!

Windows Live ID is the authentication used by Microsoft’s web sites and services - for example, Hotmail and Live.com. Windows Live ID is the evolution of the original Passport Service -- the name change ostensibly to focus on Window Live services and its ability to federate in a multi-property, multi-service identity world. If you don't believe this is big, let me give you one number: currently, more than 380 million users have credentials that work with Windows Live ID. D00d, that -- is big!

Oh, and by the way - it's not just for the web. There is also a Windows Live ID Client SDK.

Mostly the offering has been driven by MS Identity Guru, Kim Cameron, with the idea that there is a “metasystem” that utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other. This is all web standards -- isn't that the direction that everything is supposed to be going? I'm not so sure that Google and Yahoo, with their authentication schemes and API's, are getting this...

Frankly, I think it is deplorable that Microsoft took so long to "get it" - and to finally do this. However, it now appears that Microsoft has indeed "got it" -- and that the commercial competitors have actually gone backwards in that they "do not".

The most important aspect of this rollout is that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (Active Directory Federation Server). This means that Windows Live ID can interact with other identity implementations and that you can integrate your corporate Active Directory environment into Windows Live ID. In other words, what was once a closed system (Passport) has now been transformed into an open, standards -based, transparent system.

When you put the sample IFRAME - based Live ID sign-in "control" on a page, and a Live ID user "signs in", the AppId information you've stored when you registered your property (site) with LIve ID tells it to redirect to the page you've designated. At this point you can capture the unique UserId string for that user, which will always be the same for your application. Now this requires a bit of thinking "outside the box" for most developers.

Normally, you would have a new user create a membership - with their username, email, password, etc. Your membership provider would store this information and this would enable the user to come back and log back in at your site. You would probably email them a link to "activate" so that you don't get "spambers". You would authenticate them via the username and password they provide. With Live ID, it is reversed just a bit. A new user signs into your site with their Live ID and -- THEY ARE ALREADY AUTHENTICATED -- you just don't have their user information yet. So, what you do is look up their UserId (their Live ID identifier described above) and if they aren't in your system, you take them immediately to your sign-up form where they can now enter their name, email, preferences, etc. For standard ASP.NET Membership provider authentication, the password you would use would the same as the username, and that is the unique user ID string returned from Live ID (it's a GUID).

This is then stored in the database using the UserId you got from the Live ID sign-in as the "Lookup" to get the member info back out when they revisit. Since this information is stored in a cookie, they can have a persistent, seamless login using the all - familiar Live ID mechanism. If your user doesn't want to provide the required Membership ("registration") information, then they may be able to authenticate with Live ID, but it is up to you whether you want them to have full "User" privileges.

This is very easy to do with the standard ASP.NET Membership Provider implementation by writing a custom Membership Provider class and using the UserId string to do the ValidateUser work. You don't really need a password, since your user is already "legit" from Live ID. In fact, you don't even need to use the membership provider - you can just do a database lookup from your own non-opaque Users table.

What's the downside?

The downside is that you've relegated your authentication process to an outside mechanism that you don't control. What if it is very slow (it is known to be so, occasionally)? What if it simply goes down for an extended period? I've had trouble accessing my Live SkyDrive folders account for several days - all I get is an error page. Not good. Maybe the best compromise is to use Live ID as I've described but also allow for your regular sign-in mechanism as a "fail safe". Again, not very difficult to implement.

I humbly predict that as soon as developers start to "get it" with Live ID and CardSpace integration (already available in Beta) you are going to see some major, major changes in how web sites authenticate their users. There's already a Mozilla CardSpace extension for Firefox, and whether you understand it or not, CardSpace is going to be very big. It is already supported with OpenID. Combine it with Live ID and I say you've got a real win-win for everyone.

The Live ID SDK has downloadable sample code in ASP.NET (C#), Java, Perl, PHP, Python, and Ruby. Right now the documentation terms of service says you can have 1 million authentications without any fees.

N.B. I've now added an article with downloadable solution code that implements all this here.

Comments

  1. Anonymous6:22 AM

    I see LiveID and OpenID being just alternative logins in many situations. In DotNetNuke we are rolling out support for LiveID, OpenID, CardSpace and AD in our next release due out in a couple of weeks. This will allow administrators to configure one or more authentication providers so that users can authenticate against whichever federated service holds their authentication information. I really see LiveID and the others solving some really difficult identity problems for us.

    ReplyDelete
  2. peterbromberg6:31 AM

    Excellent, Joe! Thanks for the useful comment.

    ReplyDelete
  3. Anonymous10:30 PM

    I can't say I fully understand what LiveID does, though I'd readily believe the number of people who are now using it thanks to Hotmail. It never fails to amuse me the number of professionals I see handing out their hotmail email addresses. At least, on one hand, it's easy for people to remember the domain.

    ReplyDelete
  4. peterbromberg5:38 AM

    You certainly made a point, since Microsoft, which renames virtually everything they either acquire or produce, saw fit to keep the name when they acquired Hotmail.

    ReplyDelete

Post a Comment

Popular posts from this blog

FIREFOX / IE Word-Wrap, Word-Break, TABLES FIX

One of the most annoying things a developer (who would normally delight in writing code, not futzing with markup) can have is getting rendering issues between different browsers. The two biggest players are of course Internet Exploder and Firefart (as I lovingly like to refer to each). In most cases that's going to take care of 98 percent of your total site traffic. IE has had a proprietary "word-break" style attribute for a long time, and this made it into the CSS 3.0 spec. But that doesn't necessarily help you with Firefox right now. Firefox literally - (and I consider this completely idiotic, since it's been in their bug database for FIVE YEARS) does not have a reliable CSS style element to force table cell content to break in the middle of a word in order to stop the content from expanding your table / div off the page or over other content on the page. Here's a partial fix, which will work for most tables and browsers. The style declaration (I call it m
Read more

Some observations on Script Callbacks, "AJAX", "ATLAS" "AHAB" and where it's all going.

I've taken a more than cursory interest in the whole Remote Scripting (.NET species) vs. AJAX and now ATLAS discussion, mostly because I started using Remote Scripting since Microsoft first released it, and because I continued to refine it after seeing Brent Ashley's excellent work with JSRS, which was one of the first "real" cross-browser solutions back in 2000 (that's the turn of the Century for you history buffs). Now Bertrand Leroy, a Microsoft guy whose work I like , has authored some very interesting ASP.NET 2.0 script callback stuff that he points to on his blog, and he is obviously (at least, to me he is) involved quite heavily in the development of this new ATLAS infrastructure that they'll preview at PDC. Leroy's most recent post brings to the surface what I agree are the major differences between the "AJAX a - la .NET" approach as popularized by Michael Swartz with his AJAX.NET library, and Leroy's RefreshPanel, the ASP.NET 2.0 b
Read more

IE7 - Vista: "Internet Explorer has stopped Working"

Image
This one was a bitch. All of a sudden for no reason at all, out of the blue, I get this dialog "internet Explorer has stopped working". I didn't install any new software, crap- I didn't do anything! So here I am using FIREFART to go on the internet and find out what to do! Damn! Good thing I've got the sucker on the same machine (I'm not "anti-Firefox", i just don't use it that much except to check my page renderings). The Fix The fix (at least for me): 1) Go into Control Panel, and choose "Internet Options". 2) Under the "Advanced" tab, press the "RESET" button at the lower right: Don't ask me why this happens, or why the fix works. That's a BUG, D00D - I don't care how you slice it!
Read more