Google Adopts, Forks OpenID 1.0

An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."

Re:Google... learning more from Microsoft everyday

According to what evidence?

Google themselves are claiming they're not supporting OpenID version 1, which is what the article is raving about. They claim they're supporting OpenID version 2.0, which as far as I can tell, that's exactly what they're doing. I can't see any difference between Google's documentation and OpenIDv2's documentation, at all. Can you? His "emphasis added" section clearly says the same thing the OpenIDv2's "emphasis added" section says is the difference between the two protocols in the first place.

Sensational press 1, Rational thinking 0.

Re:Google... learning more from Microsoft everyday

microsoft's behavior in the last few years is to be commended

Excuse me? Have you been living under a rock? Microsoft has subverted an entire standards body worldwide to push a bloated mess of a document format! Their browser is still a POS, except it's now a more user friendly POS. Microsoft is exactly where they were 10 years ago, they've just adapted to a changed world.

Re:Google... learning more from Microsoft everyday

[Touvan]

Microsoft has a history of supporting unfinished or in progress standards, then keeping them that way. Just look at what they do with W3C standards. Keeping is static.

No ECMAScript 4.x, no DOM Events, no Canvas/SVG/etc., no greatly improved JS support because they only "want to make existing content content run better" rather than preparing for what the future may hold. Everyone else is doing that - make JS more robust today, so we can have better apps tomorrow.

MS has no interest in a standard that really works - but they'd love to be able to claim support for an open standard just the same.

Re:How to judge what's going on

[spectral]

Actually, it IS OpenID 2.0 compatible from what I can tell, but the id to use is obscure. It is NOT backwards compatible to OpenID 1.0. It DOES require the site doing the authentication request to be approved by Google. It does NOT require modifications to any OpenID 2.0 compatible library that I can tell. It DOES recommend modifying your login UI to provide 'login with google', which is just a shortcut to going to OpenID on the special google openid URL.

They list a couple sites on the google group as having been authorized. I found google's special openid url and tried it on livejournal, twitterfeed (not listed on their approved sites list) and on one of the approved sites. Here's my results:

Livejournal: LJ gave me an error. I guess LJ is still 1.0, though I have no proof.
Twitterfeed: Google gave me an error, saying I wasn't authorized to perform the action.
The approved site gave me a 'login with google' option and also a 'login with openid' option. I used the openid one and put in the google openid URL. It brought me to the google openid signin page.

Nowhere did I enter in any personally identifiable information to any of these websites, it uses the same trick yahoo does where you can just put in yahoo.com and it'll work, and respond with the email if I allow it access (except currently google's openid URL is much more awkward). I'm not convinced that anything is going against the OpenID 2.0 spec here, though the fact that every site that wants to support this has to request permission seems kind of odd.

Re:Google... learning more from Microsoft everyday

[Francis]

Don't forget irrational thinking, -2i!

That would be complex thinking. Irrational thinking would be -pi :)

Re:so lets see slashdot bias at work

[peragrin]

um did you completely forget destroying the validity of ISO to push a document format that is useless for 90% of the world to work with, that was pushed through so hard several countries are beginning to reject ALL ISO standards.

so yea MSFT has been a good citizen lately.

Re:How to judge what's going on

[spectral]

I think so. I don't think they even intend to announce that they support OpenID. I think they're using it as a protocol because all the libraries are already written, but they recognize that you can't just go to random_website.com and use their id URL since 1) they won't let random_website.com use this service, and 2) their id URL is really really weird at the moment (and doesn't use email addresses or any personally identifiable information, sorry everyone else commenting).

I believe the story is just FUD, all around. The summary is wrong (it says it's not OpenID 2.0, Google's page says to use any OpenID 2.0 library). Google hasn't announced they're supporting OpenID, but they are [at least planning on] providing a service that uses OpenID under the hood to do OpenID-like things (namely a "Login With Google" option). I will be very surprised if Google advertises that they support OpenID and that everyone's gmail account is OpenID enabled with this implementation, since it's definitely not going to work for the vast majority of sites.

Re:How to judge what's going on

[Bruce+Perens]

It's "computer criminal". "Hacker" means something else.

Yes, legacy systems would tend to treat the OpenID login as your "handle". But they don't have to, and IMO it's bad practice to do so once you join OpenID.

Bruce

Google did no such extension either.

I cannot overemphasis the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.

If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.

Re:Google did no such extension either.

[MadnessASAP]

Mod this dude up, the article has it totally wrong. Google is just supporting OpenID 2.0 which happens to be incompatible with OpenID 1.0. It's also worth mentioning that 2.0 was developed by the OpenID group and not Google (unlike some Microsoft 2.0s)

Re:How to judge what's going on

[alphakappa]

They did support the standard. The standard is OpenID 2.0 which was created by openid itself. Yes, it's not compatible with OpenID 1.0, so what? It's not Google's job to make protocol 2.0 compatible with protocol 1.0 - it's up to the protocol creators.

Re:Slightly Conflicting Vision Statements

copied from down thread:
I cannot overemphasis the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.

If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.