Chris Baus

Basecamp OpenID support and REST (It ain't seamless yet)

It has been a strange week in Tahoe. In town it is mostly business as usual, but yesterday the fire reared up near a residential area, causing more evacuations, sirens, road closures, and a small dose of chaos. There is a constant lingering smell of burnt campfire in the air, but mostly life goes on -- they are still serving the best espresso drinks in town at Alpen Sierra.

So back to business. I've been playing around with Basecamp's OpenID support. I had hoped the very bright folks at 37signals could provide a template for using OpenID with REST style APIs. Their solution is to generate a password for use with their APIs. This is probably a pragmatic solution, although it is still pretty awkward for users.

Let's assume I've developed a site that uses OpenID authentication exclusively. Now I want to access the Basecamp API to add items to users' todo lists. Since users have already authenticated to both my site and Basecamp, it would be nice if my site could call the Basecamp API on their behalf without re-authenticating.

Unfortunately, given the Basecamp solution, I would have to ask users to hand over a cryptic generated password from Basecamp, which is inherently insecure. My site would either have to store that password or prompt the user for it every time I wanted to access the Basecamp API.

Years ago I interviewed with a company called Bowstreet. This was in *gasp* late 1998. After signing a stack of NDAs, I was led into a room overlooking the scenic Portsmouth Harbour and presented with their vision of the web as a system of seamlessly interconnected services. In the end I followed my heart to the High Sierra, but I was heavily influenced by that discussion and convinced that the web would eventually be seamlessly interconnected.

Fast forward 8 years. Web services are far more than just a concept discussed under NDA. Every major web site now provides some sort of programmatic interface that is strategically important to its business. But the seams -- they are everywhere. And the biggest duct-taped and stapled seam of all is identity.

OpenID does solve one very important problem: one universal ID for all sites. But it is fundamental to the value proposition of identity solutions like OpenID that web services work seamlessly as well. It isn't there yet.