XAuth, OAuth, and Yahoo! OpenID


More and more websites are integrating with third-party services, including logging in and content sharing. Users who log in with existing accounts are far more valuable than users who register new accounts. And that's where XAuth (eXtended Authentication) comes in.

Unlike newly registered accounts, existing third-party accounts have rich profile data and services capable of driving tremendous referral traffic back to the originating website. For example, sites that accept Yahoo! OpenID can get the user's name, email address, and profile picture. When combined with the Yahoo! Updates service, Yahoo! OpenID users can share their activities on websites with their contacts on Yahoo! Mail and Yahoo! Messenger. The days of having to register a new account, remember a new password, fill out a profile, and find your friends — just to use a new website — are quickly coming to an end.

Services like Echo and JanRain RPX are having tremendous success accepting third-party logins. Yahoo! is consistently one of the most popular sign-in options on mainstream websites.

Yahoo! supports open standards like OpenID and OAuth. We believe that users and publishers should have choices in how users identify themselves online. It's only natural that people want to keep different aspects of their lives separate, and users often have separate accounts for different purposes, such as for work and for personal use.

Because of the proliferation of online identity and service providers, users can be overwhelmed by all the different choices, a situation often called the NASCAR problem. We've been working with other industry leaders on XAuth (eXtended Authentication) to help solve the NASCAR problem, while keeping the playing field level and open for new participants.

XAuth allows a website to automatically detect the services that the user actually uses. For instance, a website could automatically determine that the user is a Yahoo! user and customize its user experience (UX) to encourage the user to sign in with their Yahoo! OpenID, or to share content using Yahoo! Updates. The concepts behind XAuth have already been explored in the experimental x-has-session API defined in the OpenID User Interface Extension, which has already been implemented by some providers.

XAuth has the potential to solve more than just the NASCAR problem: It has the potential to eliminate the friction involved in using third-party services across the web. Currently, users must go through a relatively heavy OAuth flow to approve data sharing. XAuth can be used to automatically share public data and services, enabling a seamless experience across the web.

To find out more about XAuth, check out xauth.org. Stay tuned for more news as we continue to make Yahoo! OpenID more powerful and easier to use.

Allen Tom (@Allen Tom), Yahoo! Membership Architect
Allen is a big fan of OpenID and is an OpenID Foundation community board member.