Inside NPR.org

Plumbing

Should NPR Embrace OpenID?

Zach Brand here — I head up technology for NPR's Digital Media efforts. Our most recent additions to the codebase is our new registration engine / authentication tool. Initially, we're using the registration system for newsletter subscriptions, but in the coming months it will also allow users to participate in social networking features on the site. I realize that — like a lot of technology — as long as it works, you don't really notice it. That said, I think our new registration and log-in process is very easy, intuitive and pretty snappy. Check it out. The PHP development on this was the work of Joanne Garlow, Jason Grosman and Ivan Lazarte. The project process itself was managed by Jennifer Tuohy with help from K. Libner. Kudos to them and the rest of the team involved.

We are still looking to tune the authentication and SSL certs so it creates the fewest prompts in the various browser / OS combinations. Of course like all Web apps, I expect it will change and evolve as we go.

During this project a couple questions arose. First, was there any open source tool that would do the job? We pained a bit over this one since we do try to be as open source friendly as possible. Despite a couple valid contenders, none of them were well-suited to our current and future needs, so we did decide to build it ourselves. Which leads to the second question: do we integrate with OpenID? This time, our answer was yes. Unfortunately, to meet the timeline needed, we were not able to include OpenID on day one. Sooooo... the architecture of the system was built in such a way that that we will be able to add OpenID compatibility into it down the road. How quickly it is incorporated will likely be impacted by how much demand we do or don't hear. So please, chime in with your thoughts, critiques or even compliments.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

Should NPR integrate with OpenID? Absolutely yes!

OpenID is a great concept and will be helped by such visibility. And the more NPR utilizes such web 2.0 / new media tools, the more I trust NPR's perspective as a news media organization for the 21st century.

I hope you are able to make this happen. Congrats with all the great progress the NPR teams are making in the new media fields.

Sent by Jen Simmons | 3:24 PM | 7-9-2008

We just added OpenID to The Conversations Network. http://conversationsnetwork.org. See info here: http://www.blogarithms.com/index.php/archives/2008/06/26/openid-adventures/ and http://www.blogarithms.com/index.php/archives/2008/06/30/openidandemai/. It's easy to implement, but much more work to properly integrate with an existing auth scheme. Not much adoption by members yet. Glad to offer any help/advice on the process.

Sent by Doug Kaye | 4:07 PM | 7-9-2008

To be honest I'm curious as to what the arguments *against* OpenID would be, other than time.

It just seems like such a no-brainer that you would have consistent information across several portals, nullifying the annoying need to re-register. Also, as Jen mentioned, I think visbility is an issue -- but not only on the level of NPR adopting it, but also it shows NPR's continued commitment to new -- and forward-looking -- technology.

Congrats on building the framework such that it can be integrated in the future, and I look forward to seeing it adopted!

Sent by Brian Retchless | 4:27 PM | 7-9-2008

Zach,

All security technology decisions should be prefaced by what is the price/cost of the security system failing?

In the case of OpenID, you are depending on the identity policies of the OpenID issuer. For example, Yahoo.com issues OpenIDs but they, I believe, refuse to depend upon them. (Of course, they don't need to depend upon Yahoo OpenIDs for themselves but they refuse to exploit them from other domains.)

You also need to ask yourself, what service are you providing your customers with OpenID? How are the current browser mechanisms that remember user names and passwords or cookies inadequate for your customers? Are you protecting credit card numbers or just newsletter subscriptions?

Overall, I bet OpenID is pointless complexity for your listeners.

Andrew

P.S. Since you have my email address from my post submission, I am happy to have a more detailed discussion with you offline.

P.P.S. Posting from Safari had some kind of problem. This was posted from Mac Firefox.

Sent by Andrew Donoho | 7:04 PM | 7-9-2008

Hi Andrew,

One of the reasons we are thinking hard about OpenID is because of our member stations. NPR and its many stations all have their own platforms for content, and there is no unified system. Public broadcasters are using everything ranging from Wordpress to Ning to Kickapps to power local projects, and each time, users have to create yet another login.

The thinking is that OpenID could be a useful first step in connecting the dots between what we're doing with social media and what stations are doing, so a user might start by registering at their station's site, but then want to participate in ours as well - or vice versa. So even if users aren't using OpenId aggressively, it's potentially an important step in having better interoperability between public broadcasting sites.

Sent by andy carvin, npr | 12:17 PM | 7-10-2008

Hi, Andy.

My feeling is that the current OpenID just doesn't offer much in terms of your long-term goals such as single sign-on across multiple NPR and station web sites. My recommendation is to make sure that all of the people involved with your decision-making process really *use* OpenID for accessing multiple sites for at least a week. They may be unimpressed with the functionality. That having been said, I'm glad we did it even if just for making a statement that open authentication technologies are a good direction for all of us. But it's more for that purpose (and for our geekiest members) than for any real user benefit.

Sent by Doug Kaye | 7:05 PM | 7-10-2008

Thanks for the comments.
Brian -- I think the arguments on 'why not' comes down to this: sure it's a good idea but is it a good use of effort. Of course maybe part of the question is a role for NPR to play helping encourage things like OpenID. The reality is that I think few people are clued into it. So to Andrew D. initial point -- if I can spend time and resources working on OpenID or on other projects that enable social media, discussions or some other means to engage with you all more -- I am probably more inclined to the later. As per my original post, practical reality is that it will likely be driven by demand. That said, while OpenID may be a bit clunky still, I absolutely agree with Doug -- open authentication is a good direction for all of us.

Sent by Zach Brand | 3:57 PM | 7-11-2008

I respect Doug Kaye very much, but I believe OpenID offers distinct value to your users, right now. And I say providing value to your listeners is a laudable long-term goal.

I for one wouldn't create an account on your site today, dispite being a regular NPR listener. I have too much account overhead in my life already. But I wouldn't hesitate to sign in with OpenID.

That said, only geeks are actually using OpenID today. But that's how things start. They have to start somewhere.

Sent by Brian Christiansen | 1:01 AM | 7-18-2008

Zach, I'm on the Marketing Committee of the OpenID Foundation and would like to follow up with you directly, what's the best way to reach you?

Cheers, Brian

Sent by Brian Kissel | 1:13 PM | 8-6-2008

Inside NPR.org