Home > smugmug, smugmug releases, web 2.0, webtoys > SmugMug embraces OpenID

SmugMug embraces OpenID

February 23, 2007

The subject says it all and I’m thrilled. Here’s some details:

  • We’re an OpenID 1.1 Provider. Hundreds of thousands of SmugMug customers can now use their SmugMug homepage URL as their ID on sites all over the net.
  • We don’t yet support Diffie-Hellman association, so if plaintext isn’t ok, you’ll have to fall back to dumb mode. Sorry about that. I’m hoping we can support DH soon, but I’m really waiting for Wez’s PHP patch to use OpenSSL’s functions. I may end up creating a custom build, we’ll see.
  • We’re planning on consuming OpenID for photo comments and other things shortly.
  • We probably have bugs. Sorry about that – let me know and we’ll get them fixed.

OpenID is a fantastic idea, I’ve loved it since I first heard about it, and finally found a day to play with it. AOL recently announced support, and so did Microsoft. OpenID will be everywhere.

I’m a little worried with the direction OpenID 2.0 seems to be going – one of the great things about OpenID is how simple and easy-to-implement it is. I haven’t taken a good, close look yet, but the preliminary 2.0 spec seems to be complicating things a great deal. I see that as a Bad Thing(tm) but maybe I’m smoking crack.

The documentation for OpenID leaves a lot to be desired. Specifically, there’s no example messages, including sample values, for you to make sure your code is doing the right things. Luckily, the spec is so simple that some trial-and-error takes care of things, and someone has written a great narrative overview of the implementation. I will put up an OpenID page on our wiki that includes example requests and responses, including secret keys, so anyone else implementing this from scratch has some values to work from.

LiveJournal (and thus, Brad’s CPAN module used by lots of other services) seems to have some bug in it where it doesn’t like OpenID server URLs without a trailing “/”. It returns a useless (to me?) error message: “naive_verify_failed_network” which meant I spent hours and hours of time going over my code with a fine-toothed comb. Finally, out of ideas, I made a 1 character change to my HTML and everything magically worked. I don’t understand why, since the docs don’t state this, and Vox seems to have an openid.server without a trailing /, but oh well. It fixed my problem. πŸ™‚ Hopefully this will help someone else figure out what that message might mean.

There are clearly still issues around OpenID, such as what happens years from now when your OpenID identities are lingering out there long after you’ve closed the account from which the ID was provided? Someone else may even own or use that old URL if it’s been repurposed. But there seem to be smart people thinking about the problem, so hopefully everyone will figure it out without bloating it or making it unusuable.

I think OpenID is huge, and I’m glad we’re able to move the ball up the field a few more inches.

  1. February 24, 2007 at 1:32 pm

    Well I originally had typed out a rather sarcastic comment about how all the community needed was yet another service having an identity crisis thinking they should be an OpenID provider rather than a consumer. But I thought better of it, and would rather ask you (much more calmly), what your rationale was for choosing to setup a provider, but not a consumer. Think back to when you first started SmugMug… if you had known about OpenID then and planned to integrate it into the site, would have still chosen to setup a provider? Forgetting the fact that you already have a large customer base with usernames and passwords in your system, does it seem like the natural role for a site like SmugMug in the OpenID world is that of an identity provider, or one that consumes identities? I would argue without question that it should be that of a consumer. It not hard to see that many people believe there are simply too many openid providers and not enough consumers. To be perfectly honest, I would rather see sites not adopt OpenID at all if they insist that *they* should be the provider and refuse to consume external IDs. In all fairness, I did see that you are planning on consuming IDs for photo comments and “other things” and that’s great, but I believe that should have been done *first*, and acting as a provider could be added later if it was really desired by the community.

  2. February 24, 2007 at 3:28 pm

    I believe our natural role is both – we provide identities for those who want them, and consume them for those who already have them.

    I also believe there is a chicken-or-the-egg thing going on, and that providers without established user bases *do not* contribute meaningfully to solving the chicken-vs-egg issue.

    Since LiveJournal was until recently the *only* provider I’m aware of with a decent (100,000+) installed base, I believe it helps the OpenID cause to have another one. I’m thrilled that AOL has made the # of people skyrocket to millions. SmugMug adds their volume to the pot, and the world is a better place for it.

    So that’s why I chose to provide first. As I already mentioned, we will shortly consume as well – and I think that’s key too. But growing the pool of people who can use OpenID will encourage other sites to consume.

    Whereas consuming without providing will only make it available to LiveJournal (and now AOL) users, which isn’t very attractive.

    If you think about it like a utility, what do you do first? Sell lightbulbs to people without power (consume), or run power to people without lightbulbs (provide)? How about cars? Who would buy a gas-powered car if there weren’t gas stations?

    You get my point, I hope? πŸ™‚

  3. February 24, 2007 at 3:31 pm

    I should mention, too, that we’ve had *zero* customer requests for consumption of OpenID, and a handful for providing OpenID.

    Since our entire business is built on listening to our customers, I chose to listen yet again. πŸ™‚

    But since I’m a geek, I want to enable both. So that’s what we’ll do.

  4. February 25, 2007 at 12:34 am


    Going to tie it into dgrin as well?

  5. February 25, 2007 at 12:39 am

    hmm… hit submit too soon… I had hoped that the link to the smugwiki would have told me how to use your provider with openid based sites. After my first reply I read the tab I’d opened in the background and saw it was just the wiki’s home page and there wasn’t yet a page on Open ID.

    So how do we use this?

  6. February 25, 2007 at 1:59 am


    dgrin is entirely different software that we didn’t write (vBulletin), which is why it’s not tied into SmugMug directly. I’d love it if vB became OpenID enabled, but that’s not up to me, I’m afraid.

    To use OpenID on a site that accepts it (alas, there aren’t many yet, but they’re coming), simply enter your SmugMug URL into the OpenID box and we’ll handle the rest.

    You can try commenting on anyone’s LiveJournal blog, for example.

  7. February 25, 2007 at 4:05 am

    From the little I’ve read about it, I think OpenID sounds great. I agree though, it would be nice to see more consumers of it.

    On a related, but slightly off-topic note… a shameless plug for my feature suggestion: remove the anti-spammer code (or future OpenID request) when adding a comment if a smugmugger is logged into smugmug? If we’re logged in, we’re not a spamming robot.

    If somebody is changing the commenting authentication, they might want to take that into consideration.

    end plug.

  8. February 25, 2007 at 4:22 pm


    Unfortunately, our biggest comment spammer problem stems from SmugMug users. I agree that we’re not handling it the best way we could, so look for some changes in the future.

    Sorry about that.


  9. February 25, 2007 at 9:53 pm

    ah, I forgot vBulletin wasn’t updated yet. On the other hand, here’s the plugin for your blogging system.πŸ™‚ http://verselogic.net/projects/wordpress/wordpress-openid-plugin/

  10. February 27, 2007 at 9:52 pm

    Don – long time reader, first time commenter.

    Absolutely fantastic post. As always your finger is astutely on the pule.

    FWIW one of our engineers wrote about integrating OpenID into our enterprise wiki, Confluence, on our developer blog just today. Hopefully we’ll be rolling this out as a plugin in the very near future!


  11. Chris Hills
    August 19, 2008 at 12:17 pm

    I came across this page whilst trying to find out if I could use my existing OpenID with SmugMug. Consider this a request! I would not consider using a site as an OpenID provider unless they supported a minimum of 2 non-password authentication methods (e.g. digital certificate, SMS, cardspace, …). The same works in reverse. I doubt I would use my OpenID provider for photo hosting if they provided it. I think sites should stick to doing one thing well. Please, SmugMug, be a good netizen and consume OpenIDs!

  1. February 23, 2007 at 6:07 pm
  2. February 27, 2007 at 9:23 am
  3. February 27, 2007 at 11:26 am
  4. March 12, 2007 at 1:55 pm
  5. March 29, 2007 at 12:32 am
  6. September 16, 2008 at 6:40 pm
Comments are closed.
%d bloggers like this: