Connecting Standards: RESO and OpenID Connect

Published May 30, 2017
Don Thibeau, The OpenID Foundation, with Jeremy Crawford, CEO, Real Estate Standards Organization

One of the sure signs of increasing momentum is when other standards organizations adopt yours. And it’s particularly noteworthy when that adoption not only builds on OpenID Connect, but adds OpenID Connect conformance compliance as part of the overall standards certification requirements to its innovative standards portfolio. Leading that effort in the Real Estate Industry is RESO, a new member of the OpenID Foundation. But I’ll let Jeremy Crawford tell the story.

Jeremy: “The Real Estate Standards Organization (RESO) is tasked with the challenging goal of standardizing all of the real estate data in the US and Canada. This includes the data payload, the fields, formats, transport mechanism, and authentication/authorization. At the heart of our efforts is the RESO Data Dictionary, which serves as the real estate industry’s ‘Rosetta Stone’ for real estate data and the RESO Web API, the latest cutting-edge standard for data delivery between endpoints. Hundreds of MLS, brokers and technology companies gather data. But what good is it if the data cannot be shared or understood? The Data Dictionary ensures that each system ‘speaks’ the same language. It is the common standard that defines real estate data in consistent terms and data structures.

“RESO standards all started with the Real Estate Transaction System (RETS), an 18-year-old standard for transporting real estate data based on XML, and virtually every major real estate website uses it. But the world has changed quite a bit since 1999, and the industry desperately needed something new and easy to use that was mobile and developer friendly. Moreover, the initial learning curve for RETS can be a little daunting, and we want to attract new software companies and developers to our industry. We've created the RESO Web API standard to make life a little easier for everyone who needs to deal with real estate data.

The strategic approach

“Developing the RESO Web API presented us with two huge strategic opportunities: first, we could unshackle ourselves from the proprietary world of RETS and move into the global technology space where collaboration is key. The result is we have expanded our realm outside of residential real estate to power the data in other industries because there are many companies working in multiple industries, including real estate, and already using OData and/or OpenID Connect standards.

“Firms like DocuSign work across a plethora of industries and in real estate leverage RESO standards and OpenID Connect as it relates to transaction management. Prempoint is another great example, which relies on standards like OpenID Connect for the industries it serves, including community management, commercial and utility site operators, real estate management and property preservation. These are the kinds of new businesses that are able to provide products and services to brokers and agents by relying on RESO standards because of our new RESO Web API.

“Second, RESO has emerged as a leader in standard collaboration. Personally, I’ve had the great privilege of sitting on the xDTM Standards advisory board, and now RESO is collaborating with ECCMA, MISMO, PRIA, BLDS, MITS, OASIS, OpenID Connect Foundation, and OSCRE standards organizations. Among our most productive collaborations has been with the United States Department of Energy (BEDES) and our efforts through the new Better Buildings Home Energy Information Accelerator, alongside the Council of MLSs and others to help Multiple Listing Services (MLS) across America provide a consistent “energy-transparent” shopping experience for consumers. New technology from RESO, like our Web API, is connecting us globally and to more industries and their respective rich datasets than ever before.

The technical details

“Now how did we get there? RESO member Cal Heldenbrand from FBS, a security expert who does the authentication portion of the Spark API on development, describes the technical path we took for the creation of the Web API.”

Cal: “The data transport portion of the RESO API standard is leveraging the latest version of the OData standard, a global standard used worldwide for transporting data in an efficient and consistent manner. On the authorization side, we initially started using the OAuth2 standard around January 2014. At that time, OpenID Connect was very cool looking as an extension to OAuth2, but the subject matter experts were hesitant to recommend it to RESO until it was a fully finalized, ratified standard.

“There are hundreds of software companies working together in our industry. Writing an interoperable OAuth2 protocol using the framework wasn't trivial. Since there are many various options for implementing client-based user authentication with the OAuth2 standard, it seemed like every major installation in the world had their own spin on it. That's not good. It also meant that we couldn't just copy how someone else did it: we had to develop our.

“Plus, the absence of endpoint metadata means we had to create a document where everything lives, then ask clients to hard code URLs for every OAuth2 provider. That’s a lot of busywork for a developer to add a new identity provider (IdP) to a software installation.

“After OpenID Connect became a finalized standard we showcased a presentation at a RESO conference highlighting how one website in our industry could accept identities from Google, Microsoft, Amazon, and also from our own OpenID Connect Provider as it was already being done by one of our charter members, FBS, the creators of Flexmls on its Spark Platform. Since it's an actual protocol standard, it was easy to demonstrate that with a simple plug-in IdP and a small configuration change, the OpenID Connect client libraries would handle the rest. That's really powerful. In our industry, we are used to SSO integrations taking weeks to complete. With OpenID Connect, that turns into minutes.

“The certification process was pretty easy as well. I was expecting it to be more intensive! Our environment is Ruby on Rails, and I used Nov’s openid_connect Ruby gem for constructing ID Tokens. Other than that, my Provider is written from scratch. It took me about 2 weeks to have a very simple provider running for demo purposes. Then another 2 weeks to have it fully compliant with the certification tools. This is also alongside my usual day job tasks of web operations. I'd have to say this was a breeze compared to the old OpenID 2.0. Thanks for making a great standard!”

And thanks to Cal and the Real Estate Standards Organization (RESO) team for sharing their use case and feedback. We will be telling the OpenID Connect story at some of the real estate industry events this year.
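
On Cal's point about endpoint metadata, an added example (not code from FBS, RESO or this post): OpenID Connect Discovery 1.0 lets a provider publish its endpoints in a metadata document, so a client is configured with the issuer alone, and the client should validate that document before trusting the URLs in it. The issuer `idp.example.test`, the sample document and the function names below are constructed for illustration.

```ruby
require "json"
require "uri"

# Fields OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED_FIELDS = %w[issuer authorization_endpoint jwks_uri response_types_supported
                     subject_types_supported id_token_signing_alg_values_supported].freeze
ENDPOINT_FIELDS = %w[authorization_endpoint token_endpoint userinfo_endpoint jwks_uri].freeze

class MetadataError < StandardError; end

def https_url?(value)
  uri = URI.parse(value.to_s)
  uri.is_a?(URI::HTTPS) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Validates a discovery document against the issuer the client was configured
# with, then returns the endpoints that would otherwise be hard-coded per IdP.
def resolve_provider(configured_issuer, metadata_json)
  meta = JSON.parse(metadata_json)
  raise MetadataError, "metadata is not a JSON object" unless meta.is_a?(Hash)
  missing = REQUIRED_FIELDS.reject { |f| meta.key?(f) }
  raise MetadataError, "missing required fields: #{missing.join(', ')}" unless missing.empty?
  # Exact match: a document naming a different issuer must not be trusted.
  raise MetadataError, "issuer mismatch" unless meta["issuer"] == configured_issuer
  raise MetadataError, "issuer is not an https URL" unless https_url?(meta["issuer"])
  ENDPOINT_FIELDS.each do |f|
    raise MetadataError, "#{f} is not an https URL" if meta.key?(f) && !https_url?(meta[f])
  end
  # Discovery 1.0 requires RS256 among the ID Token signing algorithms.
  algs = Array(meta["id_token_signing_alg_values_supported"])
  raise MetadataError, "RS256 not offered" unless algs.include?("RS256")
  meta.slice(*ENDPOINT_FIELDS)
rescue JSON::ParserError => e
  raise MetadataError, "invalid JSON: #{e.message}"
end

def rejected?(issuer, json)
  resolve_provider(issuer, json)
  false
rescue MetadataError
  true
end

# Constructed sample document, not taken from any real provider.
SAMPLE_METADATA = JSON.generate(
  "issuer" => "https://idp.example.test",
  "authorization_endpoint" => "https://idp.example.test/authorize",
  "token_endpoint" => "https://idp.example.test/token",
  "jwks_uri" => "https://idp.example.test/jwks",
  "response_types_supported" => ["code"], "subject_types_supported" => ["public"],
  "id_token_signing_alg_values_supported" => ["RS256"]
)
```
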