I commend you on the cleanliness of your reference implementation. It looks to be a completely by the book rails application. Anyone could contribute I am sure.
This is in sharp contrast to the tent guys who for some reason rolled their own web framework in ruby, leading to a very messy codebase in my opinion.
But more on topic, I am having a bit of trouble understanding what this service is going to do. What is the usecase? I think I got this from it:
1. A user wants an identity, so he registers at aka.nu (or other provider) and gets a nice url like tinco.aka.nu.
2. The user uses this url as an openid url to create an account on stackoverflow.
3. Stackoverflow gets information about the user by querying the url for meta information.
But.. this is exactly what openid does. I have an openid account at myopenid.com, and pointed me.tinco.nl to redirect to it. Now when you go to me.tinco.nl you see my public openid profile. And I log in to stackoverflow with me.tinco.nl as the identifier. And stackoverflow filled in some of the fields with information it got from myopenid.
First off I should note that an aka is an OpenID (see http://paul-odin-openid-test.blogspot.com/2012/12/hey.html) so all of the pros and cons of OpenID should in principle apply to akas. Akas just have a few constraints (a domain name served over HTTPS) and extras (the host-meta file metadata).
Here are a few circumstances where I think these additions could prove useful:
(1) Following akas. Given an OpenID like me.tinco.nl I don't think I can enter it into an app and keep track of what you're up to. The extra metadata allows an app to find your other profiles and subscribe to your activity. One of the features I was working on but didn't finish yet (there's some dormant code at https://my.aka.nu/hub) was to have the ability to subscribe to the host-meta file itself and automatically discover new additions and changes to your profile.
(2) Using your aka as a personal namespace. I'm hoping to add the ability to use create subdomains under your aka (for example a blog at blog.paul.aka.nu). Obviously you can do this already if you have your own domain name but it's generally viewed as an 'advanced' feature. Also there's no reason you can't use an aka as a domain for your email address. Incidentally this was the reason I originally bought aka.nu, as a demo domain for a simplified DNS administration tool I was working on.
(3) Authentication for non-browser apps. Let's say you've posted a photo somewhere and authorized access to me, paul.aka.nu. I could log in myself to wherever it's hosted using that as an OpenID, but what if I'm not using a browser to access it? My client can send you an assertion that it's accessing it under the authority of paul.aka.nu but you still need to go back to paul.aka.nu to verify it, which is where the extra metadata comes into play. (App.net has similar functionality: http://developers.app.net/docs/authentication/identity-deleg...)
It's not. We should be spending time implementing Persona rather than trying to come up with new identity solutions. Mozilla browserid/Persona is good enough or better than any other solution presented thus far, and has the best chance for adoption.
I cannot agree with this enough. I implemented BrowserID on one of my sites once, and never looked back. Now every new project uses BrowserID as the only way to log in.
It is superior to all other ways I've seen in usability, which is ultimately what counts, and integration takes all of two minutes, much less than traditional password auth. Plus, you don't even need to secure any passwords.
I really, really hope it catches on, and Google/Yahoo!/other mail providers start supporting it.
From a usability perspective WS-Federation is far superior to BrowserId. Not least because BrowserId is hobbled by the browser, whereas WS-Fed works across any platform, any architecture (native desktop/phone/tablet, browser, cloud ...), any OS.
Note that this is my personal opinion. I think we should be trying to come up with new solutions - BrowserId/Persona some some identity problems, but nowhere near all.
Have a read through Kim Cameron's post [1] to get a feel for how naive, if noble, Mozilla's efforts are.
It's interesting in that it's trying to learn from newer efforts and back-port aspects of them into OpenID, while maintaining backward compatibility. I'm still not sure who it's for, though, since OpenID shows that URL-based IDs are really hard for the general public...
That said, I wouldn't go as far as dreamdu5t in suggesting that we as a community stop working on alternative solutions. I work on Persona and think it's fantastic, but no identity system is a panacea.
Of course, I would really love to read a more thorough post from the author regarding his decision to roll his own system.
PS: ecaron, I think I owe you a coffee and a much belated email. :)
I have been working on a centralized identity system at https://www.credport.org, and a question that is always looming my mind is:
Can identity systems be designed? Can they be explicitly built or are they a by-product?
Arguably, the biggest (consumer) identity systems out there (Facebook, Twitter, Google) have not been designed to be identity systems but ultimately turned out so. The biggest designed and most open solution, OpenID, has seen very limited traction.
In many ways, the broad majority of consumers probably don't care much about the great (and awesome) implications of identity systems and what would be possible if people were to work together by having a broadly accepted identity system.
The way we are currently going about it is to always have these implications in mind, but work extremely hard to provide value to both consumers and producers outside that realm.
That's because people like you go out and reinvent the wheel and create yet another centralized platform instead of implementing an existing decentralized option. It's hubris. Facebook wants to manage my identity. Its no shocker that they don't implement an identity system that they don't control.
If you're not paying, you are the product. That includes your identity and that includes forcing others to go through them when they want your identity. That's annoying. Implement BrowaerID please.
That's in large part what WebFinger was created for, which I used as a model when developing this project: http://hueniverse.com/webfinger/
Gmail actually used to support it to a degree (it came along with Buzz) but in September I think they removed the host-meta file. WebFinger is still a big part of OStatus (which is what identi.ca is based on).
The main issue I have with WebFinger is that unless you have your own domain name, it's either tied to an e-mail service, or you get an identity that looks like an e-mail address but isn't. Gmail had it, then dropped it, and given Google+ I don't think they would have too much interest in bringing it back. OStatus acct: identifiers are a lot like e-mail addresses but I don't think they function as such.
Of course if you have your own domain you can make it so that isn't the case, but most people don't and if you try to create a free domain that makes it easy for people to do that sort of thing you basically end up with aka.nu anyway.
No, please, keep reinventing the wheel, keep doing the same thing that everyone has been doing for the last two years. "We need a better way to do identity and auth!" "[here's a rehashed email-login system]" or "[here's a new identity management system I built instead of using an existing one. surely this one will take off!!!!!1111]"
What is needed is an identity solution that does multiple protocols, e.g. SAML, WSFed, OpenID, Oauth etc. to believe that authentication is not going to change or morf in any way with the billions of developers on the planet is not reality. The solution this developer has come up with is just the beginning of his journey. I believe its a great start, my hat is off to you. But, please stop developing in Ruby. Its like speaking in old world Latin.
This is in sharp contrast to the tent guys who for some reason rolled their own web framework in ruby, leading to a very messy codebase in my opinion.
But more on topic, I am having a bit of trouble understanding what this service is going to do. What is the usecase? I think I got this from it:
1. A user wants an identity, so he registers at aka.nu (or other provider) and gets a nice url like tinco.aka.nu.
2. The user uses this url as an openid url to create an account on stackoverflow.
3. Stackoverflow gets information about the user by querying the url for meta information.
But.. this is exactly what openid does. I have an openid account at myopenid.com, and pointed me.tinco.nl to redirect to it. Now when you go to me.tinco.nl you see my public openid profile. And I log in to stackoverflow with me.tinco.nl as the identifier. And stackoverflow filled in some of the fields with information it got from myopenid.
What is your unique selling point?