Zilla Smash!

I said I was working on it this morning, and I wasn’t even lying!  I’ve just updated the Xbox Live Friends Gadget to version 1.1 which brings with it almost everything I promised in the previous post!

New Stuff!

I’ve created an actual landing page for the gadget, http://patcavit.com/xbox-live-gadget/. There’s also a page helping people copy gadgets from their old install to a new one, http://patcavit.com/xbox-live-gadget/how-to-update/. Both of these pages need a lot of work but it’s a start. Had to learn a lot of wordpress knowledge I had long forgotten to be able to do that stuff!

So here’s what did end up making the cut for 1.1

• The backend web service caches results now, makes updating faster (but the data is no less fresh!)
• Expanding in height was retarded, the guidelines were correct. To solve the problem of more than 5 online contacts without expanding there’s now pagination!
• Undocked state exists now, might even be marginally useful.
• Flyout has a link to open up xbox.com to send user a message over XBL
• Error Handling for bad data from the WS
• New background images, no longer quite so boring!
• List updates are animated with a subtle fade effect. Probably needs more tweaking, but I think it makes a big difference.
• Checks to make sure you have the latest version of the gadget and will nag you if not
• (Online) Instructions for updating the gadget to save you from having to retype your friends list
• (Online) Actual web page for the gadget to provide some useful info

Unfortunately showing offline contacts didn’t make it. That task is quite a bit bigger than I originally though, but may still be coming down the pipe in a future update. There’s already a list of things I’m going to be working on next, so here’s a peek

• Show total count of online friends somewhere
• Flyout wonkiness
• Make flyout more useful (it’s getting there slowly!)
• List update fades interfere with the hover effect. This will be amusing to fix, I just know it.

So there’s still plenty for me to do and that was just after having one other person look at this. I’d love to get some feedback so I could keep working on this. After really getting into it I’m having a blast working with gadgets.

And now, pictures!

I’ve been working on this off and on ever since releasing 1.0, I definitely feel like this is deserving of a whole tenth of a full version bump.  Quick list of things that have changed so far off the top of my head.

1. The backend web service caches results now, makes updating faster (but the data is no less fresh!)
2. Expanding in height was retarded, the guidelines were correct. To solve the problem of more than 5 online contacts without expanding there’s now pagination!
3. Undocked state exists now, might even be marginally useful.
4. Flyout has a link to open up xbox.com to send user a message over XBL
5. Error Handling for bad data from the WS
6. New background images, no longer quite so boring!
7. List updates are animated with a subtle fade effect. Probably needs more tweaking, but I think it makes a big difference.

There’s still a few things left I want to do before making 1.1 official like update nagging and possibly adding a toggle to the settings page to show all your contacts and just filter it so that the only ones are a different color and show up first. Not sure about that one yet, but it’s a possibility.

Look, it’s a SCREENSHOT of the new stuff! Ok so mostly I wanted to play with a Windows Live Writer “Polariod Image” plugin, but it’s still a perfectly reasonable picture. I don’t feel bad for a second about posting it, so there!

One last thing, I’ve given the gadget a “proper” home page at http://patcavit.com/xbox-live-gadget/ thanks to Wordpress’s support for pages and custom templates.  It took some hunting to figure out how to make a static page include a list of posts from a certain category, but http://www.transycan.net/blogtest/2007/09/10/static-frontpage-combined-with-dynamic-content/ was incredibly helpful in answering the questions I had.

Oh that reminds me I have to update the homepage in the gadget metadata…

What’s the problem?

Knowing when my friends are online on Xbox Live has been a problem I’ve struggled with for years. When Microsoft announced the Xbox Community Developers program I thought I had found the answer. Then the recipients of the 50 API keys they gave out promptly made a bunch of websites I couldn’t care less about…

Except for 360voice.com (<3 their RSS feeds, I’m right here). I really like the daily summaries that pop up into Bloglines, it’s cool knowing what games I should get so we can play more.

But even 360voice doesn’t handle the status info I was interested in. There’s no good way to have a list of my friends updating in the background so I can tell with a glance who is online and whether or not I should join them. Plus there’s the hassle of actually getting someone else to sign up for it, so far I think all of 3 or so friends of mine are on there.

The other issue is one that isn’t anyone’s fault, per se. I don’t want to have to open a webpage to know who is online. The Xbox.com friends page is certainly easy to read, and it sticks all your friends at the top so you can scan it quickly. It still suffers from the fact that I have to actively go to it if I want to see who is online. I could hook up one of the Firefox extensions that checks a page for updates, but that still isn’t what I’m looking for.

That sounds like it should work…

So how do I get an unobtrusive, automatically updating list of my friends to sit on my desktop so I know at a glance who is online? Well I’m rocking Vista and dual-monitors, so I fired up the Sidebar and added the Xbox Friends Watch gadget. It’s doubly neat because it not only does what I want but it uses Silverlight so there’s lots of fancy animations and the like.

I was pretty happy with this solution for a while, but it’s still not quite right. Despite me having more than 5 friends on Xbox Live, I can’t get updates for them. The gadget will happily add them and even appears to render them on its list, but it doesn’t support scrolling of any sort. You can kinda mouseover the very bottom and see the highlight travel to the other people on your list, but you’ll never know if they are online or not. Adding gamertags to it wasn’t the easiest thing in the world either, as the settings dialog expects tags to be commas-separated , which I always found to be pretty clunky.

Like I mentioned, the hard limit of 5 gamertags wasn’t a huge issue for me and I was happily using the Xbox Friends Watch gadget for several months. Eventually though I was having to swap people in and out of the list on a pretty regular basis, depending on which group of friends I was going to try and play with next. It didn’t make sense to me that I would have to do that, so I went looking to see if there were any other options out there.

Not quite, next!

The closest I found was Duncan MacKenzie’s Xbox to Twitter application. It’s very cool, and something I contemplated running for a while before deciding that I spammed Twitter (and Facebook, thanks to the Twitter App) and people probably wouldn’t care that much. Besides, I’m not looking for ways to broadcast to other people that I’m online, I want a way to keep tabs on my friends and know when they’re online.

So Xbox to Twitter wasn’t what I needed, but it did get me the hook I needed to be able to solve my problem. As part of his twitter app Duncan also put up a Webservice API you can hit to get Xbox status info for a gamertag. Even better, he put up a REST version of it that you can hit using plain old HTTP. It’s super simple, check this out:

http://duncanmackenzie.net/services/GetXboxInfo.aspx?GamerTag=Tivac

<?xml version="1.0"?>

<XboxInfo xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance

xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <AccountStatus>Gold</AccountStatus>

  <PresenceInfo>

    <Valid>true</Valid>

    <Info>Last seen 58 minutes ago</Info>

    <Info2 />

    <LastSeen>2008-04-14T15:42:05-05:00</LastSeen>

    <Online>false</Online>

    <StatusText>Offline</StatusText>

    <Title>www.xbox.com</Title>

  </PresenceInfo>

  <State>Valid</State>

  <Gamertag>tivac</Gamertag>

  <ProfileUrl>http://live.xbox.com/member/tivac</ProfileUrl>

  <TileUrl>http://tiles.xbox.com/ti...8M6cr.jpg</TileUrl>

  <Country>United States</Country>

  <Reputation>99.98135</Reputation>

  <ReputationImageUrl>http://live.xbox.com/xweb/...gif</ReputationImageUrl>

  <GamerScore>12860</GamerScore>

  <Zone>Recreation</Zone>

  <RecentGames>

    <XboxUserGameInfo>

      <Game>

        <Name>Halo 3</Name>

        <TotalAchievements>49</TotalAchievements>

        <TotalGamerScore>1000</TotalGamerScore>

        <Image32Url>http://tiles.xbox.com/tiles/oo/P5/0...</Image32Url>

        <Image64Url>http://tiles.xbox.com/tiles/zS/3N/1W....jpg</Image64Url>

      </Game>

      <LastPlayed>2008-04-10T00:25:48-05:00</LastPlayed>

      <Achievements>25</Achievements>

      <GamerScore>770</GamerScore>

      <DetailsURL>http://live.xbox.com/en-...o=tivac</DetailsURL>

    </XboxUserGameInfo>

    ...

  </RecentGames>

</XboxInfo>

A little hard to parse in this format, I know. Hitting that URL in your browser will make it easier to understand though. I also shortened all the URLs and removed a the previous 9 games I had played because honestly, it’s not that interesting and it makes the XML way longer.

This is it though, the data that I needed to solve the problem of “I want to know what friends are on Xbox Live” (at least for me!). All I needed to do was to figure out how to use that info. Reaching back into the depths of my memory I recalled my previous attempt at building sidebar gadgets (http://patcavit.com/2007/05/04/vista-gadget-headaches/) and how I in fact had tried to build this very gadget once before. Except it failed horribly because I couldn’t automate a Windows Live login. Well wonder of wonders, with this API I don’t have to!

Finally, some progress!

So after a few days of hacking in JavaScript and PHP I’ve got a sidebar gadget that takes a list of Xbox gamertags and will update to let you know when any of them are online. It even uses the cool Gadget Persistent Storage library to store your list of gamertags when you remove and re-add the gadget. A lot of this is powered by a small subset of YUI because programming JS without it is too painful. Specifically I’m using Reset, DOM, Event, JSON & Connection.

There are of course some caveats to this, but there always are.

Getting a list of gamertags isn’t automated. I’m not even sure the people who have direct access to the Xbox Community Developers Program ever got this capability. I doubt it. It means that for now you’ll still need to input a bunch of gamertags by hand. Fortunately this list is newline separated, so it’s very quick to add a bunch of them. I’ve got some stub code in there to parse it from a copy/paste of your Xbox.com friends management page, but it isn’t ready for anyone to actually use yet.

1. It violates Microsoft’s Gadget UI Guidelines, in that gadgets shouldn’t change size on anything other than a click. Mine does automatically depending on the number of people online. It could even conceivably become taller than your monitor. Microsoft is definitely right about this and I think it sucks, but I didn’t figure out a clean way of paginating the data that could stand. This is something I’m going to work on in the future, but for now it’s crappy.
2. There’s no undocked state. More accurately, it’s the exact same docked to the sidebar and undocked. Ideally it would expand a bit to shower bigger icons, larger text, and gamerscore (at a minimum) when you undocked the gadget. That’s on the list of things I’d like to do someday, but since I never use the gadget undocked is pretty low priority.
3. There’s still some weird behaviors. Here’s the ones I know about.
   1. Sometimes the requests to the server for user info just take forever and return empty.
   2. Opening a new flyout when there’s already one open causes the flyout to lose focus until you click on it. This appears to be a Sidebar/Gadgets limitation so it’s unlikely to be fixed.

Still, it works like I need it to which is really the only important thing! I’d love to have some other people use it and give me feedback though. I’m always down for hearing about bugs as well, though no promises that they will be something easily fixable.

It’s not the prettiest thing in the world, I’ve modelled it after xbox.com and the flyout details are powered by the Embeddable Gamercards offered on xbox.com. Here’s an example of the what those look like

Put your gamertag here too.

It’s lazy but it gets the data I want in there without a lot of hassle on my part. In the future I would like to have a nicer flyout more akin to what Xbox Friends Watch has. Unfortunately, that’ll be a a good chunk of work to get the interactions right so that’s a challenge I’m putting off for another day. I don’t even really use the flyouts in my day to day gadget usage, but it’s nice to be able to interact and get a bit more information.

As usual I’ve written way too much and not posted enough links to just get the damn thing, so here you go!

Xbox Live Friends Gadget 1.0

Image Uploading using YUI Uploader Widget

A few days ago the YUI team released the latest and greatest version of the YUI Library, YUI 2.5.0. Along with the usual round of bugfixes and speed improvements this release came with several new components. I personally was the most excited about the Uploader component, as the technology that powers it also underpins the upload process on Yahoo! Video. I didn’t write the upload pages but I’m expected to be able to provide bugfixes and enhancements to those pages, so what better way to learn how they work than from the ground up with the Uploader?

Yes, I know there’s quite a few better ways. This was the most fun sounding way. What can I say, I like 4 day projects in my spare time instead of just reading the existing code. Besides, I wanted a better understanding of it from a lower level than just how the upload code on VYC works.

As mentioned in the YUI Blog posting about 2.5.0, the Uploader is what not only powers VYC uploads but Flickr uploads as well. Flickr exposes more of it due to their allowing of multiple files uploaded at once. That’s not really very easy to do on VYC due to the much larger file sizes being used. Still, it’s there. I promise.

I’ve had a free-for-all, open to anyone image uploader chilling out for quite some time at http://tivac.com/upload/. I wrote it to solve a problem, namely the other image uploading services available at the time sucked. It was just a quick little thing, with some basic JS that would hide the form element and create a new one so you could upload more than one file at a time. When you were done it would barf out thumbs of the images along with some common types of link code for forums and the like. Nothing fancy at all. Well, the new YUI Uploader seemed pretty much tailor-made to work instead of creating new form elements.

Here’s a good representation of my thought process while I contemplated redoing the image uploader.

I think that paints a pretty compelling picture of why I’d go with the YUI lib over the original solution. Aside from requiring Flash 9 and not working on the latest OSX because Adobe and Apple are feuding, there’s really no downside. It’s provably better in every way. Since this is just a junky little personal project and not something important, I don’t even provide a fallback HTML form any more. That’s just how I roll.

Actual implementation was pretty basic. The YUI documentation is excellent as always. It more or less started life out as a copy of their Simple Upload Example and then I hacked the crap out of it. The flow ended up being something along the lines of the following.

1. Browse for image files.
   
2. If you selected one you don’t actually want to upload, clicking it’s filename will remove it.
   
3. Upload the files, watch all the fun progress bars whiz around.
   
4. As each file completes, its filename is replaced with a thumbnail and various different pre-filled link codes for HTML and forums.
   
5. You can also hit the Export button to just get a list of the URLs of the uploaded images.
   

It sounds complicated because I’m an engineer and don’t explain things well. The cool nerdy thing about this is how very event-driven it is. For example, take a look at this code chunk.

//certain things can only happen once the SWF is ready to rock

this.uploader.addListener('contentReady',   this.swfReady);

//event handlers

this.uploader.addListener('fileSelect',         this.onFileSelect);

this.uploader.addListener('uploadStart',        this.onUploadStart);

this.uploader.addListener('uploadError',        this.onUploadError);

this.uploader.addListener('uploadProgress',     this.onUploadProgress);

this.uploader.addListener('uploadCancel',       this.onUploadCancel);

this.uploader.addListener('uploadComplete',     this.onUploadComplete);

this.uploader.addListener('uploadCompleteData', this.onUploadCompleteData);

There’s an event fired by the flash object for pretty much everything you could want. The only event I found myself wishing it supported was a “allUploadsComplete” method. As it was I had to create a cache of all the file ids being uploaded, and in my handler for uploadComplete I would remove each id from the cache. If there’s no more files left to upload, hey presto we’re done! A little roundabout, especially when having to watch out for files that were selected and then removed.

The other fun thing I decided upon was that instead of using innerHTML and getting back big chunks of HTML from the server (wrapped in JSON, of course) I’d instead use skeleton structures hidden in the DOM. A quick

YUD.get('upload_skeleton').cloneNode(true);

and you’ve got yourself a nice chunk of HTML just waiting for some delicious data to be inserted. The actual insertion is pretty boring DOM traversals, but by using a skeleton as the base it avoids heavy node creation/appending or a massive innerHTML dump. The page’s DOM is a little heavier because it contains these stubs, but there’s only two of them and page weight isn’t a big concern for this project.

The progress meters are basically a total ripoff of Flickr, I feel a little bad about it but I really liked their approach of using a background image and just changing the x offset each time uploadProgress was called. It’s so simple and to the point that I didn’t see any reason to make it more complicated.

So that all works fine, but I was worried that if I didn’t copy the URLs correctly right away the images would be lost forever. That meant that I had to write a little PHP script that would output linked thumbs of all the images that had been uploaded. Since this is a totally unrestricted image uploader there’s been a few instances of people uploading porn and the like. I’d rather not deal with that, so there’s a little delete script as well. It’s protected by a .htaccess/.htpasswd basic auth setup. Nothing fancy, but it keeps other people from being able to delete my images.

The images are laid out in a big floating grid using Hedger’s very awesome work on getting display: inline-block to work across browsers. Item List Grid : Practice with display:inline block across browsers. It’s a technique we also used extensively on VYC so it was the first thing that came to mind when just floating a bunch of images that weren’t the same height went all crazy.

Oh, right. All the icons are the insanely awesome work of Mark James, specifically his Silk set of icons. I’m sure you’ve seen them used pretty much everywhere. There’s a good reason for that, they rock.

I’ve zipped up the source for anyone who wants it, it’s all pretty well-commented. You will have to handle the file permissions yourself though. UPDATE: Sitzmar wanted me to point out that all the paths are hard-coded for my uploader.  He says I should be ashamed, I say he should shut up.  Also I don’t think I included the .htpasswd (obviously) or the .htaccess.  Those are easily set up, a quick search on the internet will answer all questions.

upload.zip

This is gonna be a long one, so watch out. I’ve been collecting feeds of people who I consider to have really worthwhile things to say about my chosen career (web development, for the people who don’t know that about me already). I’ve got quite a list, and since I’m of the opinion that sharing is caring I will be providing a huge list of links to sites that I think are awesome and deserve your attention.

I make no claims that this list is authoritative, in fact I’d love feedback pointing out really smart people I missed. I read a lot of feeds but none are more dear to me than the ones contained with my “development” folder. Adding new items to it is a joy each and every time.

• Usability/Design

  • 456 Berea Street, full text

    Roger Johansson does a great job of covering usability issues on the web.

  • 90 Percent of Everything: Usability Blog

    Harry Brignull and Andy Baker cover usability design both on the web and in client apps.

  • flow|state

    Usability fascinates me, and this is one of the best usability blogs I’ve ever seen. Updates are infrequent, but always incredibly insightful.

  • Looks Good Works Well

    Bill Scott left Yahoo! for Netflix but we won’t hold it against him. His UI design comments are fantastic.

  • Theresaneil’s Weblog

    Another really fantastic UI blog. I wish there were a lot more done this well.

• Web Development

  • A List Apart

    Great writers and a ton of content makes this a great resource. Doesn’t update that often, but always great content.

  • Bite Size Standards

    Tiny little nuggets of web knowledge, updates infrequently but with useful info.

  • Ajaxian

    Ajaxian’s great about updating with the newest and greatest javascript libraries and techniques.

  • Bartelme Design – Journal

    Small Design firm based out of Austria that posts nice wallpapers and some decent articles every now and then.

  • CSS Help Pile

    Monster collection of CSS tips and tricks, always a nice reference to have around.

  • CSS, JavaScript and XHTML Explained

    Browser quirks, CSS techniques, all sorts of stuff. Updated rarely.

  • DOM Scripting Task Force

    Unofficial group dedicated to promoting good Javascript, I can get behind that goal.

  • Douglas Crockford’s The Department of Style

    Crockford discovered JSON and writes great articles about Javascript best practices. Also see javascript.crockford.com and JSLint.com.

  • Dustin Diaz

    A Googler (we won’t hold it against him) yet he still loves YUI (yay!). Produces a lot of really interesting code snippets.

  • Fiftyfoureleven.com

    Mike Papageorge runs this general web developer resource/weblog. Good stuff though getting a little stale.

  • Firebug - Web Development Evolved

    Firebug development blog, updates almost never but good to have a subscription to in case it does.

  • Foo Hack

    Isaac Schlueter is a fellow Yahoo! and writes some fantastic pieces about web development.

  • Garrett Dimon

    Garrett Dimon’s weblog is wonderfully minimal, yet still provides really great insights into the development process.

  • HedgerWow`s Blog

    I worked with Hedger last summer, he’s a true mad scientist in the world of web developers. Seriously, I have no idea how he comes up with most of this but it’s insane and amazing.

  • If..Else Log

    Only occasionally development related, but still a good read.

  • JoeHewitt.com

    Joe created Firebug, so you know he’s pretty damn smart. Too bad his site appears to be unloved these days. Staying subscribed just in case!

  • John Resig

    Author of JQuery and an all-around Javascript genius, I love reading about John’s continuing adventures.

  • Johnnie Manzari

    Interesting observations about the web, definitely worth checking out.

  • Julien Lecomte’s Blog

    Julien’s the author of the YUI compressor and consistenly posts things you should be reading.

  • Matt Snider JavaScript Resource

    Matt Snider does a great job of breaking down JS and investigating all the 8 bajillion frameworks floating around these days.

  • Nate Koechley’s Blog

    One of the main YUI guys, Nate’s super smart and consistently posts interesting stuff. Not always web dev related, but always worth checking out.

  • Particletree RSS Digest

    Great articles, wish they’d start updating again a bit more regularly.

  • Pete Freitag’s Homepage

    Pete’s a Cold Fusion guy but still posts things that apply to web dev in general.

  • Ryan on WordPress

    I like WordPress an awful lot, so keeping tabs on its development is a good idea.

  • Schillmania: DHTML and other client-side experiments

    Scott Schiller is a web dev genius. I have no idea how he’s so good at what he does, I wish I did. He’s at Flickr now, before that he worked on the really impressive new Y! Photos that was canned.

  • Simon Willison’s Weblog Entries

    Django co-creator, Simon also writes a lot about OpenID.

  • SitePoint.com

    Lots of good articles to be found here.

  • snook.ca

    Lots of PHP talk, it’s good stuff.

  • Solution Watch

    Features new websites that do things well. Good for keeping up with the current state of web dev.

  • Vitamin Master Feed

    Vitamin is kind of like A List Apart, another big group of contributors writing amazing articles.

  • WordPress Development Blog

    Keeping tabs on WP development, even if I don’t have my hands into the guts as much as I used to.

• General Development

  • Coding Horror

    Jeff Atwood’s posts are always well thought out and engaging, I love his blog.

  • Joel on Software

    Joel Spolsky writes about software development from a very pratical place, having done quite a lot of it himself.

  • Programmer’s Notepad

    Programmer’s Notepad rocks my world. I use it every day and love it to pieces. Keeping up with releases via a feed is tops.

  • Rasmus’ Toys Page

    Rasmus is really, really smart. Not surprising, given that he wrote a bunch of PHP (the language itself, not just PHP code). He’s another Yahoo! as well.

  • StickBlog

    Lots of good development tips to be found, as well as general programming talk.

  • untidy blog » PN

    Programmer’s Notepad author’s personal blog. The feed is just for the PN category, because that’s the programming related stuff!

And just in case you made it to the end of that huge list, here’s a link to everything I read on a not-at-all daily basis. It’s a little ridiculous. My Feeds.

I am insanely busy with work stuff, but we’re in the home stretch and that’s really exciting. I will share more about what I’ve been doing soon!

I’ve tossed a copy of my senior project up at http://patcavit.com/dev/classfinder/, a quick inspection makes it look like it’s working fine but I can’t say for sure.

For those that don’t know this is an attempt to make the Classfinder tool at Western Washington University not only easier to use but also cleaner and faster with more emphasis on getting out of the way. To that end it has a few features that the original Classfinder doesn’t have, including a freeform search box that will guess what you searched for and dynamic scratchsheet handling. You can add classes instantly without having to go to a seperate page. No screenshots for now.

It’s not the prettiest thing out there but it’s very functional and tries to take better advantage of screen real-estate than the previous Classfinder. I’m pretty happy with how it turned out overall.

Since I’m not doing any real Restek work any more I decided to resurrect the CVS Pie Graph that I wrote ages ago. It broke during the transition to the new DB class that uses PDO. Fortunately, it’s a pretty simple query so getting it running again wasn’t difficult. We still store CVS checkin stats so the data is reasonably up to date as well.

Somehow I’m still leading Gordon but we all know that won’t last. He’s a monster even with being farmed out to HITS part-time. Kian’s apparently taken himself out of the running by making the script ignore all his checkins. Seems to me he just doesn’t like losing.

More than anything this just reminds me of how long I’ve been doing this, it’s definitely time I let somebody else take their hack at it. I’m really curious to see what new apps come out as well as where the old ones are taken. It’s harder nowadays to justify a wide-ranging rewrite to Deb but I bet if someone really clever comes along it could be arranged. Things have settled out and become a lot more stable during my time at Restek but there’s always room for improvement in these kind of things.

Last summer I got an amazing opportunity to intern at Yahoo! for 3 months. It was a really cool experience and I learned a ton while working on a project that at the time I could not talk about. As it turns out, that project has finally gone public beta and I can talk about it (at least so far as it exists and stuff I guess).

All New My Yahoo

I worked on the team that made that, albeit in a earlier and less polished form. It’s hard to tell what of my code survived since according to my old manager they had to throw out a lot of the old designs. However, the weather widget still looks like the same one I wrote with some moderate refactoring. That was cool to see as I’m pretty proud of that weather widget. The “Set My Yahoo! as your Home Page” link is still there and appears to still work the same way. I can’t say for sure on any of this because untangling jsmin’d javascript is no fun.

The new beta can be accessed by going to http://cm.my.yahoo.com/upgrade and I have to say I like it quite a bit. The inclusion of the big ad on the right is too bad but with AdBlock I never see it so it’s a non-issue for me. The team has done a really amazing job on this in the 6 months I’ve been gone, a lot of the early designs have been polished until they practically shine. It’s definitely still feeling the performance blues but I have no doubt that they’ll get it running smoothly before launch.

As some of you may have noticed I was really excited when Yahoo! released their BBAuth tool right before their Open HackDay (My post about BBAuth). It seemed like a great idea, as tons of people already have Y! accounts. Little did I know that BBAuth wasn’t really a good solution as a single sign-on utility. It sounds silly for me to say that especially when the Official BBAuth Site says “BBAuth also offers a Single Sign-On (SSO) facility so that existing Yahoo! users can use your services without having to complete yet another registration process.” In the real world when I implemented Y! BBAuth as a SSO provider I ran into some issues.

First though, a quick overview of how BBAuth works. You set up an entry in the BBAuth DB for whatever site/webapp you’re going to use it with, providing some general info like contact details and the endpoint for when a user has successfully logged-in. Once that’s done you get a shared secret and an application ID. These are used in all future calls to hash info so that it’s reasonably secure and can’t be easily snooped along the wire. A special login URL is crafted that points the user to Y!’s login page, and once they enter their Y! credentials they are asked to give permission to whatever site for the info that has been requested. Once they agree they are redirected back to the site along with some encrypted info depending on what the site had asked for.

BBAuth works just fine, but even if you don’t ask for any Y! info your users still have to go through and agree to allow the site to use their info. My problem is then that I don’t want the user’s info. When I set up my site to use BBAuth I even told Y! that I didn’t want to use any info. All I want is Yahoo!’s promise that the user is a real Y! user and some sort of unique hash that my system can use. I’ll get the info I need for whatever app I’m running at the time, but none of what I do would be asking for Y! Photos info. I’m not saving any login credentials via cookies or anything, I just want a simple login mechanism that I don’t have to maintain. Clicking through one page doesn’t sound so bad until you realize that every time the user logs in they have to go through it. That’s pretty annoying and makes the jump to a Y! login page even more jarring.

There’s a post on the ydn-auth group by Jeremy Zawodny (Jeremy’s Post) that addresses this issue and says that this functionality is apparently a special case for BBAuth. Seems a little odd but I suppose that they were more concentrated on the usage cases for sharing a user’s Y! info with a 3rd party site. So they know about it and are looking into it, but until then I can’t really say I’m pleased with the actual implementation of BBAuth as a SSO provider.

After implementing BBAuth and being disappointed with the SSO performance, I began looking into other solutions. I really didn’t want to require users to sign up for yet another account because everyone hates that. It seems like there’s been a lot of buzz lately around OpenID (Technorati stats for “OpenID”). I figured I should at least give it a shot considering the large surge of interest behind it. First I had to figure out how OpenID actually worked.

Short Version: instead of a login that is some clever play on your name (Tivac lol) or something you identify yourself using a URI that links back to an identity provider. The identity provider stores your details and provides password authentication, so that when you visit an OpenID-enabled site you enter in your identifying URI and get bumped to your identity provider. You log in there, specify what details the site should be able to see from your profile, and then say “Ok” and get sent back. Note that this is what it’s like using MyOpenID.com because I was too lazy to set up my own half-assed identity provider.

So, how does OpenID work as a SSO provider? From a user’s point of view it’s pretty dead-simple. Looking at it as a developer adding it to an existing property proved to be considerably more work than I expected. I used the JanRain OpenID Library for PHP when working to get OpenID logins enabled on my testing site. Now I know the title of the article doesn’t say I’m comparing the libraries I used for each, but it’s still interesting to look at the differing amounts of code required for BBAuth and OpenID implementation in a fairly typical hosting environment.

The first thing that struck me as kind of odd was that I needed to move two folders totaling 33 files onto my shared path. I had forgotten that OpenID uses Yadis (Wikipedia page linked because the homepage at yadis.org has been vandalized) as part of the protocol. I didn’t realize that I’d need to be installing classes to support Yadis as well as OpenID. Once I had gotten all those files copied into the proper places and confirmed they were on my shared path it was time to look at the examples provided.

OpenID provides a decent example setup for both consumer and server roles, where consumer is providing the SSO login and server is actually running your own identity server. I only want to run a consumer right now, so I used just those files. After getting the form setup and trying it out I discovered that my PHP install has no big integer math library installed. This necessitates running in “Dumb Mode” which according to the documentation means my login form is more susceptible to relay attacks. Great.

After defining a new constant telling OpenID to run in dumb mode I was able to be successfully bounced out to my Identity Provider, sign in, and be bounced back to my site.

Avoiding any in-depth analysis of the security between the two as I’m not qualified to comment, which did I prefer implementing and using? That’s not actually an easy question to answer. BBAuth was certainly much smaller in terms of code required. It also has the advantage of using Yahoo!’s login system, it’s not exactly scientific but I don’t know anyone who doesn’t have a Y! account. So BBAuth has a huge built-in userbase right there. Both services require bumping the user out to a 3rd party login page so that’s a draw. I knew it was part of how both worked going in and it isn’t an issue for me in this case. Implementing OpenID had some bumps but thanks to the distributed nature of the project I don’t need to go sign my web application up anywhere. If I want to shift around page names I don’t have to remember to go update any entries in a Y! database anywhere. Any OpenID Identity Provider worth their salt will also provide a mechanism to say “Always Allow this site” which is something that BBAuth currently lacks.

In the end I wasn’t able to come up with a conclusive win on either one. BBAuth has that annoying extra page every visit but tons of people have Y! accounts. Implementation was also pretty quick and easy. OpenID took more work but with a decent Identity Provider will only require one page not on my site. It’s also got the whole distributed thing going for it. As it stands now I’ve implemented both and users can just choose their favorite. I’d prefer to just offer one but I don’t think there is one that offers a compelling enough featureset over the other to go with a single one yet. Going with both gives me flexibility and an excuse to keep playing with both of them.