XAuth. What is it?


Posted By: Thomas Shaw, 8:00am Thursday 24 June 2010

Extended Authentication (XAuth) is a new open platform to extend authenticated user services across the web. You may have noticed that more and more websites are integrating with third-party services to allow users to use their existing profile (e.g. Facebook, LinkedIn, OpenID) to connect with your site.

Unlike newly registered accounts, existing third-party accounts have rich profile data and services capable of driving tremendous referral traffic back to the originating website.
A solution was proposed called XAuth. XAuth tells a webpage "this is where the site visitor does social networking." Then, OAuth is the way the user logs in there, granting the site permission to access their info without seeing their password.





If you're familiar with OAuth, you might be wondering what the difference is between that system of secure authentication and XAuth.

Note:
Do not confuse this XAuth with the xAuth (lower-case "x", upper-case "A") released by Twitter, or with X Window authorisation.

XAuth tells you where to ask for OAuth from. Remember: the "auth", short for authentication, is a little misleading, as XAuth is actually a discovery service, not authentication! But just because the user has an active session on one provider doesn't necessarily mean that they'll want to use that provider to sign in.

Having a function that can automatically work out if the user is already logged in to another site can improve the user's overall experience with your website.