If you’ve ever tried using one of the many sharing widgets available on the web, you know that there are a lot of web services out there that support sharing. That presents a challenge for publishers, who often wind up showing widgets for the big players like Facebook and Twitter, while neglecting the smaller services their users may be members of. Now Meebo, in tandem with a roster of partners including Google, Yahoo, Microsoft, MySpace, JanRain, Disqus and Gigya, has developed a new open standard called XAuth designed to put an end to this problem. And it has the potential to do much more.
Here’s how the official site, XAuth.org, describes the platform:
XAuth is an open platform for extending authenticated user services across the web.
Participating services generate a browser token for each of their users. Publishers can then recognize when site visitors are logged in to those online services and present them with meaningful, relevant options.
Users can choose to authenticate directly from the publisher site and use the service to share, interact with friends, or participate in the site’s community. The XAuth Token can be anything, so services have the flexibility to define whatever level of access they choose.
So what does that mean? Imagine visiting TechCrunch and seeing share buttons tailored to the services you use. If you don’t use Google Buzz but are an avid Reddit user, we could automatically hide Buzz and swap the appropriate Reddit button in. Yes, there are already ways to do this, but currently TechCrunch.com would have to issue requests to every popular sharing service each time a new user visited the site, which isn’t always practical — XAuth is more efficient, because it already knows which services you belong to.
But what about privacy? There is a central XAuth server that exists to facilitate data transfer between domains, but your personal information is never actually transferred through it. Instead, all personally identifiable information is stored in your browser using HTML5’s local storage — XAuth.org exists to verify which tokens a third party has access to. If you’re still wary, you can choose to opt out of XAuth using a control panel at XAuth.org.
When it comes to exploring XAuth’s potential, personalized sharing buttons are just the beginning — services can include whatever information they want in their token. Say MySpace decided it wanted to allow Meebo to automatically have access to its users’ friend lists. MySpace could include a session ID as part of its token that would grant Meebo access to that data, without any input required from the user. Using XAuth, MySpace could grant access to this token only to a select few partners on a whitelist, or it could open it up to any third parties who wanted it.
In effect, XAuth’s flexibility allows any social service provider to achieve the ‘auto-connect’ functionality that we hear Facebook plans to launch soon. That could be powerful, but it also has the potential to be creepy — do users really want their information pre-populated as they browse the web? The answer isn’t clear yet.
That said, most sites (particularly sites where security is a priority) will probably only use XAuth to inform third parties that the user has an account with them, without actually sharing any of their personally identifiable data (in other words, we’ll see the personalized button scenario discussed above).
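To make the whitelist and presence-only scenarios above concrete, here is an added sketch (not code from XAuth.org or from this article) of a per-browser token store that decides which tokens a requesting publisher may see. The class, method names and `.example` domains are assumptions made up for illustration.

```javascript
// Simplified model of the token store described in this article. The names
// (TokenStore, extend, retrieve, optOut) are assumptions, not XAuth's own API.
class TokenStore {
  constructor() {
    this.tokens = new Map(); // stands in for the browser's HTML5 local storage
    this.optedOut = false;   // models the user's opt-out choice
  }
  // A service stores its token, an expiry time, and the publisher domains
  // allowed to read it ('*' opens it to any third party).
  extend(serviceDomain, { token, expiresAt, allow }) {
    if (this.optedOut) return false;
    this.tokens.set(serviceDomain, { token, expiresAt, allow: new Set(allow) });
    return true;
  }

  // A publisher asks which of the named services hold a token it may read.
  retrieve(requesterDomain, serviceDomains, now = Date.now()) {
    const visible = {};
    if (this.optedOut) return visible;
    for (const service of serviceDomains) {
      const entry = this.tokens.get(service);
      if (!entry || entry.expiresAt <= now) continue; // missing or expired
      if (entry.allow.has('*') || entry.allow.has(requesterDomain)) {
        visible[service] = entry.token;
      }
    }
    return visible;
  }
  optOut() {
    this.optedOut = true;
    this.tokens.clear();
  }
}

// Constructed sample data: a presence-only token open to everyone, and a
// session-bearing token restricted to one partner.
function demo() {
  const store = new TokenStore();
  const t0 = 1000000, ttl = 60000;
  store.extend('share.example', { token: '1', expiresAt: t0 + ttl, allow: ['*'] });
  store.extend('social.example',
    { token: 'SESSION-PLACEHOLDER', expiresAt: t0 + ttl, allow: ['partner.example'] });
  const ask = ['share.example', 'social.example'];
  return {
    partner: store.retrieve('partner.example', ask, t0),
    other: store.retrieve('blog.example', ask, t0),
    expired: store.retrieve('partner.example', ask, t0 + ttl),
  };
}
```

In a real browser the requester's domain has to be a value the browser vouches for, such as the `origin` of a `postMessage` event, rather than anything the requesting page says about itself. A token that carries a session ID works as a bearer credential for every domain on its allow list, so the wildcard is only appropriate for presence-only tokens.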
Update: Here’s a video taken by Robert Scoble of Meebo CEO Seth Sternberg explaining XAuth: