Google Adopts, Forks OpenID 1.0

Posted by timothy on Wed Oct 29, 2008 04:20 PM
from the complicationism dept.
An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."

Related Stories

MySpace Joins OpenID Coalition (272 comments)
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."
IT: Microsoft Joins the OpenID Foundation (142 comments)
wertigon writes "Windows Live ID just became yet another OpenID-provider. While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary, they have undoubtedly put even more weight behind the OpenID initiative. So, how long before I can use my OpenID to post on Slashdot?" Patches are always welcome, wertigon ;)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • OpenID's vision statement:

    OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

    Everyone else's vision statement:

    Fuck OpenID, I'm in control now.

    • by Anonymous Coward on Wednesday October 29 2008, @04:59PM (#25561777)

      EMBRACE AND EXTEND!!!!

      oh...wait...I'm confused, this is a Google article, not a Microsoft article

    • Whether or not this is Google overturning an open standard can be judged upon:

      1. Do they make it possible for everyone else to implement exactly what they are doing, on both the producer and consumer end, without any patent restrictions, royalties, or discriminatory licensing?

      2. How close is what they are doing to the latest version of the standard, not 1.0?

      3. Do they try to get what they are doing into version 2.1 (or whatever) of the standard?

      4. Do they really have a reason for doing this? Like making the login easier for normal nontechnical people rather than you and I?

      Bruce

        • Snarky AC comment (Score:4, Interesting)

          by Bruce Perens (3872) * <bruce@pereELIOTns.com minus poet> on Wednesday October 29 2008, @05:38PM (#25562255) Homepage Journal

          5: Has google taken me as a consultant yet? If yes then what they are doing is AOK! if no then their actions are horrible and should be stopped.

          Dear AC,

          This is an understandable assumption but doesn't reflect the facts. For example, Symbian has purchased consulting services from me. If you look here [theregister.co.uk], you'll notice that I am not afraid to criticize them.

          Had Google taken me on and allowed me to work on the PR for this, I would have had them communicate about it differently. It's no trouble for Google to get this stuff back into OpenID, but they obviously didn't take the trouble to assure people that would happen.

          Bruce

            • by Bruce Perens (3872) * <bruce@pereELIOTns.com minus poet> on Wednesday October 29 2008, @08:26PM (#25564041) Homepage Journal

              For single signon to be safe and secure, it seems to me imperative, that the password entry and access approval be done through the browser itself, in a more secure way, rather than through a standard web form, so easily manipulated.

              If you want this, you need to go to W3C and start a standards activity. Browser authentication has remained the same, it seems, for a very long time. And if you actually implement it, you find it's lacking. For example, there is no way to log out! Browsers generally send authentication with each request to the site after you sign on.

              Bruce

        • by dhasenan (758719) on Wednesday October 29 2008, @06:10PM (#25562589)

          There is nothing similar in the 2.0 OpenId standard.

          HAHA DISREGARD THAT, I DON'T READ STANDARDS

        • by spectral (158121) on Wednesday October 29 2008, @06:13PM (#25562647)

          Actually, it IS OpenID 2.0 compatible from what I can tell, but the id to use is obscure. It is NOT backwards compatible to OpenID 1.0. It DOES require the site doing the authentication request to be approved by Google. It does NOT require modifications to any OpenID 2.0 compatible library that I can tell. It DOES recommend modifying your login UI to provide 'login with google', which is just a shortcut to going to OpenID on the special google openid URL.

          They list a couple sites on the google group as having been authorized. I found google's special openid url and tried it on livejournal, twitterfeed (not listed on their approved sites list) and on one of the approved sites. Here's my results:

          Livejournal: LJ gave me an error. I guess LJ is still 1.0, though I have no proof.
          Twitterfeed: Google gave me an error, saying I wasn't authorized to perform the action.
          The approved site gave me a 'login with google' option and also a 'login with openid' option. I used the openid one and put in the google openid URL. It brought me to the google openid signin page.

          Nowhere did I enter in any personally identifiable information to any of these websites, it uses the same trick yahoo does where you can just put in yahoo.com and it'll work, and respond with the email if I allow it access (except currently google's openid URL is much more awkward). I'm not convinced that anything is going against the OpenID 2.0 spec here, though the fact that every site that wants to support this has to request permission seems kind of odd.

            • by spectral (158121) on Wednesday October 29 2008, @07:08PM (#25563257)

              I think so. I don't think they even intend to announce that they support OpenID. I think they're using it as a protocol because all the libraries are already written, but they recognize that you can't just go to random_website.com and use their id URL since 1) they won't let random_website.com use this service, and 2) their id URL is really really weird at the moment (and doesn't use email addresses or any personally identifiable information, sorry everyone else commenting).

              I believe the story is just FUD, all around. The summary is wrong (it says it's not OpenID 2.0, Google's page says to use any OpenID 2.0 library). Google hasn't announced they're supporting OpenID, but they are [at least planning on] providing a service that uses OpenID under the hood to do OpenID-like things (namely a "Login With Google" option). I will be very surprised if Google advertises that they support OpenID and that everyone's gmail account is OpenID enabled with this implementation, since it's definitely not going to work for the vast majority of sites.

        • It's open development if the extension is as open as the original standard. It's not an accepted standard until the standards group accepts the extension.

          Is it an Open Standard if you can't extend it openly? I am entirely against closed extensions to open standards, and unnecessarily incompatible extensions, the classical "Embrace, Extend, Extinguish" stuff. But I am equally against standards being a ball and chain that prohibits further innovation. You should be able to produce an extension that you make open on the same terms as the original standard.

          It looks to me as if Google is attempting to hit OpenID with a clue stick on a really obvious issue, saying "Normal folks use email addresses to log in, dummies!". And I am being told that what they are doing is really close to OpenID 2.0.

          Bruce

        • Yet if this was Microsoft, we would be accusing them of "embracing and extending" a protocol to death.

          And because Microsoft has a record of doing just that repeatedly, it would be reasonable to do so.

          Please don't forget all of the bad practice around approval of Office Open XML, which made a sham of ISO, and their very recent maneuver to take over the OpenDocument standard group at ISO.

          At the moment, I am less likely to trust Google regarding democracy and civil liberty issues than I am regarding Open Standards. Because they have a record on that.

          But I agree that they screwed up the relationship and PR issues around this move. They should know better.

          Bruce

      • by Anonymous Coward on Thursday October 30 2008, @01:55AM (#25565941)

        copied from down thread:
        I cannot overemphasize the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.

        If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.

  • by Evan Meakyl (762695) on Wednesday October 29 2008, @04:23PM (#25561309)
    just fork it!
  • by JCSoRocks (1142053) on Wednesday October 29 2008, @04:25PM (#25561329)
    Substitute Microsoft's name for Google and it'd be just another day in tech. Interesting to see Google doing this though.
  • by megamerican (1073936) on Wednesday October 29 2008, @04:28PM (#25561373)

    Google OpenID: New and improved personal information gathering.

  • by FooBarWidget (556006) on Wednesday October 29 2008, @04:34PM (#25561465)

    OpenID usability sucks.

    There, I said it. It's true. My computer-illiterate dad just wants to post a comment on a blog, or to login to a new website. You can't possibly expect him to do something as complex as reading up on what OpenID is, signing up for an OpenID account on a totally different website that has got nothing to do with the original website that he was on, and then logging in by entering a long magical URL. People like him - average users - have trouble enough understanding usernames and passwords! The recently published OpenID usability study confirms all the criticism that I've had on OpenID.

    While OpenID is technologically sound, its usability is not. If Google's version is more usable, but is still open, then I'd gladly support it even if it's not compatible with the "official" OpenID standard. I don't care whether they're being "nice" or "evil" or whatever, I want better usability because software is supposed to be usable.

      • by FooBarWidget (556006) on Wednesday October 29 2008, @05:28PM (#25562113)

        "Rubbish. For people like your dad, OpenID is both simple *and* simpler than having to sign up for dozens of sites just to post a comment."

        That's true if you count the steps. The thing you overlooked is, he doesn't know what OpenID is! Try to explain OpenID to a random person on the street. How big is the chance that he understands it and will even care? Have you ever gone through an OpenID registration process? There's no way my dad understands that. The barrier to entry for average users is too high.

        There's more to usability than simply counting the number of steps.

        "Suppose we live in a world where everybody implements OpenID (as a consumer and provider)."

        It's useless to speak of such a world. It simply doesn't exist. The hard reality is that OpenID adoption is still low.

        "If I "can't possibly expect [your dad] to do something as complex" as that, I weep for your dad - and you, given that you got 50% of your genes from him."

        Oh yeah, like launching a personal attack on me will make the usability problems magically go away. If anything, this is a sign of your weakness.

        • by LordMyren (15499) on Wednesday October 29 2008, @06:54PM (#25563119) Homepage

          Reading your thread you do a very fine job justifying a means to an end, but I'd still wager that the means that Google used are abominable.

          "It means that now, people who have Google accounts can login to my website without having to register."

          It also means FooBarWidget's dad (the proverbial Joe the Plumber of this thread) also has to remember that on every other site he has to use something else. And if he wants to use his Yahoo or MSN account, he has to remember it's something totally different. Google has simply added to the confusion by throwing in their own proprietary non-interoperable standard, further fractioning a standard you've already argued is unusable for its complexity.

          The only acceptable way to make this a win for users was to make some kind of a standard. Google didn't. Instead they've only further exacerbated the mess of online identity standards. I'm happy that you're happy that you can tell your dad to just use his email, but for Dad that's only ever going to work on a very very small handful of sites for users who happen to want to use their Google account identity; for the other 99.99% of use cases it only makes the water murkier.

          The real insult-to-injury here is that OpenID already supports email logins. There's no reason Google couldn't have let good ole dad login with foo.dad@gmail.com; OpenID translates this to http://gmail.com/ which happens to be a valid web address. But instead of implementing an existing standard at no cost to developers everywhere, Google added more complexity for developers and more confusion for users.

          I don't see what's salvageable about this. Google didn't add anything new for users, made it so users of Gmail couldn't use 99.999% of OpenID consumers, put a huge burden on developers, and confused a lot of users struggling with a complex system whose only boon was interoperability.

          I'm happy it's easy for you and your dad. But there's about eighty things a 9 year old programmer would have made better decisions about, and at no cost to the ridiculously low bar you've set for your expectations.
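
How an OpenID 2.0 relying party normalizes what the user types, following the rules in section 7.2 of the OpenID Authentication 2.0 specification. This is an added example, not part of the comment above and not code from any OpenID library; the function names and sample inputs are constructed for illustration. It shows which host discovery would contact for an email-shaped input, and that the local part survives only as URL userinfo.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols: input starting with one of these (or "(")
# is treated as an XRI rather than as a URL.
XRI_GLOBAL_CONTEXT = "=@+$!"


def normalize_identifier(user_input):
    """Classify and normalize user-supplied input; returns (kind, identifier)."""
    s = user_input.strip()
    # Rule 1: a leading "xri://" is stripped before classification.
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    # Rule 2: XRI if the first character is a global context symbol or "(".
    if s and (s[0] in XRI_GLOBAL_CONTEXT or s[0] == "("):
        return ("xri", s)
    # Rule 3: anything else is an HTTP URL; add the scheme if it is missing.
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    host = parts.hostname          # lowercased by urlsplit
    if not host:
        raise ValueError("no host in identifier: %r" % user_input)
    if ":" in host:                # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    netloc = host
    if parts.port is not None:
        netloc += ":%d" % parts.port
    # Anything before "@" is URL userinfo, not part of the host.
    userinfo = parts.netloc.rpartition("@")[0]
    if userinfo:
        netloc = userinfo + "@" + netloc
    # Empty path becomes "/", and the fragment is dropped with its delimiter.
    url = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    return ("url", url)


def discovery_target(user_input):
    """Return (host, has_userinfo) for URL identifiers, (None, False) for XRIs."""
    kind, ident = normalize_identifier(user_input)
    if kind != "url":
        return (None, False)
    parts = urlsplit(ident)
    return (parts.hostname, parts.username is not None)


if __name__ == "__main__":
    # Constructed sample inputs, including the email-shaped one from the thread.
    samples = [
        "foo.dad@gmail.com",
        "Example.COM",
        "https://example.com/user#frag",
        "xri://=alice",
        "@example*bob",
    ]
    for raw in samples:
        kind, ident = normalize_identifier(raw)
        host, has_userinfo = discovery_target(raw)
        print("%-32s %-4s %-32s host=%s userinfo=%s"
              % (raw, kind, ident, host, has_userinfo))
```

Every address at the same mail domain reaches the same discovery host, so a relying party should decide explicitly whether it accepts claimed identifiers that carry userinfo.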

  • And this is why... (Score:4, Insightful)

    by Azuma Hazuki (955769) on Wednesday October 29 2008, @04:35PM (#25561477)

    ...Google scares me more than Microsoft. Even as a die-hard Linux and BSD user, a FOSS zealot, I rest easy knowing Microsoft in its current form will likely be dead in less than a decade. Google, on the other hand, stands to become the Internet-age version of Standard Oil. This is the first "publicly-visible" sign of their slide into Microsoft-like evilness, and unlike MS, they will probably be around a long, long time.

    Think about it: the OS doesn't *really* matter (if it did OS X and Linux and all the rest would never have any users). Even MS knows this, as they prepare to break into the "cloud" market. Even the applications aren't *that* important now, with the number of people working on converters and programs like OpenOffice. What's important is data, raw information, and Google is a massive data broker.

    Be very, very careful how much you trust to Google.

  • by bluefoxlucid (723572) on Wednesday October 29 2008, @04:46PM (#25561611) Journal

    Google is a research company; they're doing research. They are improving OpenID, in their opinion. Nobody relies on Google OpenID, they haven't stepped up to make an OpenID implementation and then started adding extensions, and finally broken compatibility to force conversion to their special vendor-locked-in crap. They've come out and said, "We are going to implement something new, based on OpenID."

    Wait until Google Docs stops exporting to deprecated MS Word 97 format (and ignores .docx entirely), but does export to Google Document Format for their new Google Desktop Office; then you'll see Microsoft behavior.

  • by IGnatius T Foobar (4328) on Wednesday October 29 2008, @06:12PM (#25562623) Homepage Journal
    Having implemented OpenID 1.1 Relying Party support [citadel.org] myself, I think I can definitely see what Google is up to, and it isn't evil, people. OpenID 1.1 was elegant simplicity. Our team built OpenID Relying Party support in just a couple of days without even using any external libraries. OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee. There were four different groups vying to define the standard for single-sign-on for the web, so what did they do? They basically just glommed all of the different technologies together and called it OpenID 2.0. There are all sorts of things you have to support, like I-Names (which no one is going to use). In the end our team decided to just implement OpenID 1.1 and rely on the recommendation for backward compatibility which is built into OpenID 2.0 (a recommendation which Yahoo ignored, btw).

    So it's very possible that some engineers at Google said "hold on a minute. This sucks. OpenID 1.1 made a lot more sense, let's build out from there and see if it's something that the Internet community accepts."

    It may even come to pass that both OpenID 2.0 and Goopen-ID both end up specifying backwards compatibility to OpenID 1.1, which would be great because it would effectively halt the progress of the over-engineered OpenID 2.0 and put us back on a saner path.

    Let's not call Google's plans evil until we see where this goes. It could end up being something that finally puts this useful technology into some widespread use.
    • by Shados (741919) on Wednesday October 29 2008, @06:31PM (#25562845)

      OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee

      Basically all open standards do, or eventually do, which is why many commercial entities decide to roll up their own. Yup, while definitely many of the times when Microsoft did something like this WAS out of "evil", a large portion was for the same darn reason as this. There's VERY few open standards that aren't an insane mess of "I'll add your idea if you add mine" crap.

    • by Microlith (54737) on Wednesday October 29 2008, @04:30PM (#25561401)

      Google will be cheered or booed depending on what they do with their changes to OpenID. They could very well turn around and propose it for version two or whatnot of OpenID. After all, if it isn't compatible then what the hell is the point.

      Microsoft is hated because they DEFINED "embrace and extend." They regularly use it as a weapon against their competitors. We have yet to see Google use their version of OpenID, much less use it against anyone.

      Never mind that OpenID screams "single point of failure" to me.

    • insert foaming (Score:5, Interesting)

      by coryking (104614) * on Wednesday October 29 2008, @04:39PM (#25561529) Homepage Journal

      You see, it is OPEN, right? I mean, it says so right in the name of the protocol *OPEN*ID right? And google is cool right? So OpenXyz + Google = Win, right? I mean, OpenID sucks, right? What is wrong with somebody embracing it and then fixing the problems by extending it to be better? Nothing. After all, it is OpenID.

      I think if I ever start a company that publishes the most evil DRM spec on earth, I'd probably name it OpenDRM or FreeDRM just so I can win over the Slashdot crowd. As long as it has Open or Free in the name, you can pretty much get away with murder, especially when your Slashdot corporate karma is "excellent".

      But seriously, OpenID needs more than a face lift. For starters, based on my experience with Stackoverflow, browsers need to auto-fill the OpenID box with my URL, er, login name (cough). Then they need to boot out any fool who thinks the "login" should be anything other than an email address. Whoever dreamed up using a URL for a login wanted the spec to fail. Oh, and then when they are done with that, how about moving it down the network stack so that the damn thing can be used to authenticate against protocols other than HTTP, like say, IMAP or something. Oh wait, except OpenID was never intended to be used for authentication... or was it? Nobody really knows because even OpenID proponents say you shouldn't use it for anything other than trivial accounts and if you use it for anything else, you are mis-using the spec!

        • Why OpenID fails (Score:5, Insightful)

          by coryking (104614) * on Wednesday October 29 2008, @05:13PM (#25561931) Homepage Journal

          I've got one word for you

          Meanwhile, in reality, you know that ultimately the URL is the location of your OpenID server, right?

          Huh? No seriously. Huh?

          OpenID is just so damn unintuitive that nobody really gets it. It is a fucking login. Why can't it be an email address? Why can't it resolve the right place to conduct authentication business via DNS the same way SMTP gets its MX record based on everything after the @domain.com?

          Seriously, the more people try to explain it, the more it just makes people's eyes glaze over. All they see, and all I see, is a fugly looking URL that is supposed to magically authenticate me, only as a web developer, I'm told I can't actually trust the authentication because the protocol wasn't designed for it. Or something. My head spins now.

            • by coryking (104614) * on Wednesday October 29 2008, @05:20PM (#25562017) Homepage Journal

              Because for the average person, it's a lot easier to set up a blog than it is to get their ISP to set up custom DNS records.

              There you go again. What the hell are you talking about? Now to log into some stupid site, I have to get a blog too? Huh?

              Admit it, the URL thing sucks ass. Email addresses are something we all have, and many websites are using email addresses as your login already. If OpenID did email, even *if* there wasn't any DNS trickery like I suggest, life would have been 100% easier. But no, I'm sure there is some "valid" reason the purity trolls who wrote the spec had against something so simple and logical, so they decided URLs would be best, usability be damned.

                • by burndive (855848) on Wednesday October 29 2008, @06:43PM (#25562991) Homepage

                  Do you already have a Google Account nickname set up and ready to enter into the login field? Did you even know such a thing existed? Does Joe The Plumber (TM) know that?

                  I do, but then again, I use OpenID the way God intended: I have my blog delegate to a 3rd party that specializes in it (myopenid.com).

                  My blog URL is exactly what I want to show the world my identity. It's the hub of a significant portion of my public online content.

                  Why does a blog that I'm commenting on need to know my e-mail address? They might spam me.

                  An e-mail address is private information. A URL is just as unique, with the added benefit of being public.

      • Hell, I honestly think it's possible to root for Microsoft these days. .NET, including the stuff they've just announced, is an open standard, and MS is encouraging competing implementations. They're working with Mono to ensure it has good Silverlight support, including proprietary codecs. They have their own cloud service, yet worked with Amazon so that Windows could be on EC2. They offer a free version of VisualStudio that's more than sufficient for hobbyist work, and ironically arguably have the most open and easy-to-target 3rd-gen gaming console for small development shops. They're supporting OpenID, making IE increasingly standards-compliant, and, with Windows 7, look like they might actually have a pretty nice operating system that I might not feel a pressing need to migrate away from. They're definitely not perfect—I'm still royally pissed at their behavior over OOXML—but they're doing an awful lot of things right these days.

        Google, on the other hand, is going the opposite direction. They've done a proprietary fork of OpenID (which, despite the other comments on here, I definitely find offensive, because it locks you into Google in exactly the same way Passport locked you into Microsoft). They closed their SOAP service and offer no alternative. They've basically said Gmail will never use IMAP properly, and they consider that a feature, not a bug. They do business in China on the argument that "well, someone had to do it, so why not us." They still do a tremendous amount of things right, but, just as I think we should acknowledge that Microsoft nowadays is doing a lot of things right, I think we need to start acknowledging that Google is doing a lot of things wrong.

        Nobody's perfect, and situations can change surprisingly quickly. I remember when IBM was the evil overlord and Microsoft was our savior.

        That was 1992.

        Just because Google's been good up to now is no reason to assume they'll continue to be.

        • by peragrin (659227) on Wednesday October 29 2008, @06:59PM (#25563173)

          um did you completely forget destroying the validity of ISO to push a document format that is useless for 90% of the world to work with, that was pushed through so hard several countries are beginning to reject ALL ISO standards.

          so yea MSFT has been a good citizen lately.