Google Adopts, Forks OpenID 1.0
An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."
Re:Google... learning more from Microsoft everyday (Score:5, Informative)
Google themselves are claiming they're not supporting OpenID version 1, which is what the article is raving about. They claim they're supporting OpenID version 2.0, which, as far as I can tell, is exactly what they're doing. I can't see any difference between Google's documentation and OpenIDv2's documentation, at all. Can you? His "emphasis added" section clearly says the same thing the OpenIDv2's "emphasis added" section says is the difference between the two protocols in the first place.
Sensational press 1, Rational thinking 0.
Re:Google... learning more from Microsoft everyday (Score:3, Informative)
microsoft's behavior in the last few years is to be commended
Excuse me? Have you been living under a rock? Microsoft has subverted an entire standards body worldwide to push a bloated mess of a document format! Their browser is still a POS, except it's now a more user friendly POS. Microsoft is exactly where they were 10 years ago, they've just adapted to a changed world.
Re:insert foaming (Score:3, Informative)
Then they need to boot out any fool who thinks the "login" should be anything other than an email address. Whoever dreamed up using a URL for a login wanted the spec to fail.
Excellent point. OpenID 3.0 should include provisions for carrying out the authentication via SMTP, and maybe BitTorrent or NNTP.
Meanwhile, in reality, you know that ultimately the URL is the location of your OpenID server, right?
Re:Google... learning more from Microsoft everyday (Score:5, Informative)
Microsoft has a history of supporting unfinished or in progress standards, then keeping them that way. Just look at what they do with W3C standards. Keeping it static.
No ECMAScript 4.x, no DOM Events, no Canvas/SVG/etc., no greatly improved JS support because they only "want to make existing content run better" rather than preparing for what the future may hold. Everyone else is doing that - make JS more robust today, so we can have better apps tomorrow.
MS has no interest in a standard that really works - but they'd love to be able to claim support for an open standard just the same.
Re:Google... learning more from Microsoft everyday (Score:3, Informative)
No, Google is taking OpenID, and putting out their own version.
Google's OpenID is not OpenID, it's GoogleID.
If MS did this, you'd throw a bitch fit.
Re:Hope OpenID blocks their use of the name. (Score:2, Informative)
I'd really hope that whoever owns the OpenID trademark comes after them and forces them to stop calling whatever they're doing "OpenID". If it's not compatible with an existing specification, it's not OpenID. They will risk seriously devaluing their trademark if they allow incompatible implementations to use the name. They need to be ruthless about this. Google can do whatever it wants and call it "GoogleID", but if it's called "OpenID", it needs to be compatible with everyone else claiming to be that.
http://openid.net/what/ [openid.net] says:
... OpenID is not owned by anyone, nor should it be. ...
And considering the guy that created OpenID (Brad Fitzpatrick) now works for Google, and Google has a seat on the board of OpenID, I don't see much happening.
Re:How to judge what's going on (Score:5, Informative)
Actually, it IS OpenID 2.0 compatible from what I can tell, but the id to use is obscure. It is NOT backwards compatible to OpenID 1.0. It DOES require the site doing the authentication request to be approved by Google. It does NOT require modifications to any OpenID 2.0 compatible library that I can tell. It DOES recommend modifying your login UI to provide 'login with google', which is just a shortcut to going to OpenID on the special google openid URL.
They list a couple sites on the google group as having been authorized. I found google's special openid url and tried it on livejournal, twitterfeed (not listed on their approved sites list) and on one of the approved sites. Here are my results:
Livejournal: LJ gave me an error. I guess LJ is still 1.0, though I have no proof.
Twitterfeed: Google gave me an error, saying I wasn't authorized to perform the action.
The approved site gave me a 'login with google' option and also a 'login with openid' option. I used the openid one and put in the google openid URL. It brought me to the google openid signin page.
Nowhere did I enter in any personally identifiable information to any of these websites, it uses the same trick yahoo does where you can just put in yahoo.com and it'll work, and respond with the email if I allow it access (except currently google's openid URL is much more awkward). I'm not convinced that anything is going against the OpenID 2.0 spec here, though the fact that every site that wants to support this has to request permission seems kind of odd.
Re:Google... learning more from Microsoft everyday (Score:5, Informative)
Don't forget irrational thinking, -2i!
That would be complex thinking. Irrational thinking would be -pi :)
Re:Google... learning more from Microsoft everyday (Score:1, Informative)
Please provide proof. Google is supporting OpenID 2.0, and the summary is wrong. There IS weirdness in that any site that wants to login with google needs to 1) sign up with google for this privilege and 2) use a special openid URL that isn't all that public or obvious. It uses all OpenID 2.0 under the hood and hopefully in the future google does open federation like they did with google talk. (First nothing, then Earthlink, then anyone).
Note that they're using the protocol currently to allow websites to provide a 'Sign In with Google' option, and are specifically NOT announcing what the openid URL is (though it's not hard to find), since they don't work with most OpenID websites currently (due to the fact that they require the websites to register with google's account stuff to be able to use this). There's no confusion here on the point of the end-user. They don't know google supports openid, and won't try and use it.
Re:so lets see slashdot bias at work (Score:4, Informative)
Um, did you completely forget destroying the validity of ISO to push a document format that is useless for 90% of the world to work with, that was pushed through so hard several countries are beginning to reject ALL ISO standards?
So yeah, MSFT has been a good citizen lately.
Re:How to judge what's going on (Score:5, Informative)
I think so. I don't think they even intend to announce that they support OpenID. I think they're using it as a protocol because all the libraries are already written, but they recognize that you can't just go to random_website.com and use their id URL since 1) they won't let random_website.com use this service, and 2) their id URL is really really weird at the moment (and doesn't use email addresses or any personally identifiable information, sorry everyone else commenting).
I believe the story is just FUD, all around. The summary is wrong (it says it's not OpenID 2.0, Google's page says to use any OpenID 2.0 library). Google hasn't announced they're supporting OpenID, but they are [at least planning on] providing a service that uses OpenID under the hood to do OpenID-like things (namely a "Login With Google" option). I will be very surprised if Google advertises that they support OpenID and that everyone's gmail account is OpenID enabled with this implementation, since it's definitely not going to work for the vast majority of sites.
Re:How to judge what's going on (Score:4, Informative)
It's "computer criminal". "Hacker" means something else.
Yes, legacy systems would tend to treat the OpenID login as your "handle". But they don't have to, and IMO it's bad practice to do so once you join OpenID.
Bruce
Google reality Check (Score:3, Informative)
Yeah that sucks but it's reality.
Google: We do less evil than everyone else(tm)
Let the backlash and my modding down begin!
Google did no such extension either. (Score:5, Informative)
If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.
Re:Google did no such extension either. (Score:4, Informative)
Mod this dude up, the article has it totally wrong. Google is just supporting OpenID 2.0 which happens to be incompatible with OpenID 1.0. It's also worth mentioning that 2.0 was developed by the OpenID group and not Google (unlike some Microsoft 2.0s).
Brad @ Google (Score:3, Informative)
Brad Fitzpatrick, the creator of OpenID, is working for Google now.
Maybe he knows better what they are doing.
No fork (Score:3, Informative)
What a ridiculous headline.
To quote from the actual posting, "The initial version of the API will use the OpenID 2.0 protocol"
This version was developed by OpenID, and is incompatible with 1.0, but open in the same way for everyone to use, with a number of improvements... Google is forking nothing.
Re:How to judge what's going on (Score:3, Informative)
Actually, no. Google's mechanism varies from OpenID 2.0 in one key area: the identifier provided is neither an XRI nor an HTTP or HTTPS URL.
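Several comments in this thread turn on what counts as a valid OpenID 2.0 identifier (a URL, an XRI, or an email address). The sketch below is an added example, not part of any poster's comment and not Google's or any OpenID library's code; it applies the input-normalization steps 1 to 3 of section 7.2 of the OpenID Authentication 2.0 specification. The function name `normalize_identifier` and the sample inputs are constructed for illustration, and step 4 (following redirects) is left out so that it runs offline.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols plus "(" (OpenID 2.0, section 7.2, step 2).
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")


def normalize_identifier(user_input):
    """Classify and normalize what a user typed into an OpenID login box.

    Returns ("xri", identifier) or ("url", identifier).
    """
    ident = user_input.strip()

    # Step 1: a leading "xri://" is stripped so XRIs are in canonical form.
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if not ident:
        raise ValueError("empty identifier")

    # Step 2: a leading global context symbol or "(" means XRI.
    if ident[0] in XRI_PREFIXES:
        return ("xri", ident)

    # Step 3: everything else is treated as an http(s) URL.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    if not parts.hostname:
        raise ValueError("identifier has no host: %r" % user_input)

    # Lowercase only the host, keep any userinfo untouched.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    netloc = userinfo + at + hostport.lower()

    # An empty path becomes "/" and the fragment is dropped (step 3).
    path = parts.path or "/"
    return ("url", urlunsplit((parts.scheme, netloc, path, parts.query, "")))


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("example.com", "https://Example.COM/user#id",
                   "=example", "xri://=example", "user@example.com"):
        print(sample, "->", normalize_identifier(sample))
```

Under these rules an email-style input such as `user@example.com` is not recognized as an email address at all: it is classified as a URL and becomes `http://user@example.com/`, with the local part treated as URL userinfo.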
Re:Slightly Conflicting Vision Statements (Score:5, Informative)
copied from down thread:
I cannot overemphasize the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.
If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.