While the WebFinger protocol’s simplicity and ease of use are a tremendous boon for developers who simply want to capture some public profile information about a user, the protocol also has a number of shortcomings that we should address.
The WebFinger protocol is built around the concept of consuming public user data that the provider has decided to give out.
Think of this concept in the same way as viewing the Facebook profile of a user whom you are not friends with and who doesn’t share his information with anyone but his friends. You might see a basic badge containing his nickname and profile picture, but you will not be provided with all the privileged data that you might receive if you were using a protocol such as OAuth.
This concept is perfectly fine if you’re just looking for account links or some basic profile information about a user to provide additional data about him—this is specifically what WebFinger should be used for.
The shortcomings arise when you want to access information outside the public realm. Understanding the limits of the protocol—and the fact that it is not a back door into a user’s profile—will help you avoid being frustrated by the type of data that is returned to you.
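One way a client can consume a WebFinger response within these limits, as an added example that is not from the original text. It assumes the JSON (JRD) response format of RFC 7033; the function names, the chosen link relations and the sample document are constructed for illustration. Every link is treated as optional, provider-chosen public data, and anything that is not an HTTPS URL is dropped.

```python
import json
from urllib.parse import urlsplit

# Link relations this client looks for (an assumption for this example).
# Which ones a provider publishes is its own choice, so all are optional.
WANTED_RELS = {
    "profile_page": "http://webfinger.net/rel/profile-page",
    "avatar": "http://webfinger.net/rel/avatar",
    "openid_issuer": "http://openid.net/specs/connect/1.0/issuer",
}

def is_https_url(href):
    """True only for a string that parses as an https URL with a host."""
    if not isinstance(href, str):
        return False
    try:
        parts = urlsplit(href)
    except ValueError:
        return False
    return parts.scheme == "https" and bool(parts.netloc)

def public_profile(jrd_text):
    """Extract the wanted public links from a JRD document.

    Returns {"subject", "links": {name: href or None}, "missing": [names]}.
    """
    doc = json.loads(jrd_text)  # raises ValueError on malformed JSON
    if not isinstance(doc, dict):
        raise ValueError("JRD must be a JSON object")
    subject = doc.get("subject") if isinstance(doc.get("subject"), str) else None
    links = dict.fromkeys(WANTED_RELS)  # every wanted link starts as None
    raw_links = doc.get("links")
    for link in raw_links if isinstance(raw_links, list) else []:
        if not isinstance(link, dict):
            continue
        rel, href = link.get("rel"), link.get("href")
        for name, wanted in WANTED_RELS.items():
            # Keep the first acceptable link per relation; skip non-HTTPS.
            if rel == wanted and links[name] is None and is_https_url(href):
                links[name] = href
    missing = [name for name, href in links.items() if href is None]
    return {"subject": subject, "links": links, "missing": missing}

# Constructed sample response: one usable link, one plain-HTTP link, no issuer.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/alice"},
        {"rel": "http://webfinger.net/rel/avatar", "href": "http://example.com/a.png"},
    ],
})
```

A relation listed under `missing` means only that the provider did not publish it (or published it in a form the client rejects); the caller decides what to do without it.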
As mentioned at the beginning of our WebFinger discussion, there are several types of data that providers may make available through the WebFinger protocol, but it doesn’t enforce these within the specification ...