Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Adopts, Forks OpenID 1.0

Posted by timothy on from the complicationism dept.

An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."

20 of 316 comments (clear)

  1. Google... learning more from Microsoft everyday by JCSoRocks · · Score: 5, Insightful

    Substitute Microsoft's name for Google and it'd be just another day in tech. Interesting to see Google doing this though.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    1. Re:Google... learning more from Microsoft everyday by Johnno74 · · Score: 5, Insightful

      Yes, except just yesterday Microsoft joined OpenId, _without_ this sort of stunt.

      IMHO, microsoft's behavior in the last few years is to be commended, they are worlds away from where they were 10 years ago.

      Sadly, google seems to be heading the other way.

    2. Re:Google... learning more from Microsoft everyday by Anonymous Coward · · Score: 5, Informative

      According to what evidence?

      Google themselves are claiming they're not supporting OpenID version 1, which is what the article is raving about. They claim they're supporting OpenID version 2.0, which as far as I can tell, that's exactly what they're doing. I can't see any difference between Google's documentation and OpenIDv2's documentation, at all. Can you? His "emphasis added" section clearly says the same thing the OpenIDv2's "emphasis added" section says is the difference between the two protocols in the first place.

      Sensational press 1, Rational thinking 0.

  2. Re:so lets see slashdot bias at work by Microlith · · Score: 5, Insightful

    Google will be cheered or booed depending on what they do with their changes to OpenID. They could very well turn around and propose it for version two or whatnot of OpenID. After all, if it isn't compatible then what the hell is the point.

    Microsoft is hated because they DEFINED "embrace and extend." They regularly use it as a weapon against their competitors. We have yet to see Google use their version of OpenID, much less use it against anyone.

    Never mind that OpenID screams "single point of failure" to me.

  3. Re:Slightly Conflicting Vision Statements by Anonymous Coward · · Score: 5, Funny

    EMBRACE AND EXTEND!!!!

    oh...wait...I'm confused, this a Google article, not a microsoft article

  4. How to judge what's going on by Bruce+Perens · · Score: 5, Interesting
    Whether or not this is Google overturning an open standard can be judged upon:

    1. Do they make it possible for everyone else to implement exactly what they are doing, on both the producer and consumer end, without any patent restrictions, royalties, or discriminatory licensing?

    2. How close is what they are doing to the latest version of the standard, not 1.0?

    3. Do they try to get what they are doing into version 2.1 (or whatever) of the standard?

    4. Do they really have a reason for doing this? Like making the login easier for normal nontechnical people rather than you and I?

    Bruce

    --
    Bruce Perens.
    1. Re:How to judge what's going on by Bruce+Perens · · Score: 5, Interesting

      The string typed in is sufficiently different from what OpenID uses today that it would be easy to disambiguate. Putting this in an OpenID library, without increasing complication to the library user, sounds easy enough.

      I think what Google is saying here is that if 99% of users are used to typing in their email address, and not used to typing in a URL as their ID, you should try to make your ID scheme work with an email address rather than invent something new. This actually sounds sensible. But I haven't looked very deeply and would be happy to hear from folks with more expertise.

      Bruce

      --
      Bruce Perens.
    2. Re:How to judge what's going on by spectral · · Score: 5, Informative

      Actually, it IS OpenID 2.0 compatible from what I can tell, but the id to use is obscure. It is NOT backwards compatible to OpenID 1.0. It DOES require the site doing the authentication request to be approved by Google. It does NOT require modifications to any OpenID 2.0 compatible library that I can tell. It DOES recommend modifying your login UI to provide 'login with google', which is just a shortcut to going to OpenID on the special google openid URL.

      They list a couple sites on the google group as having been authorized. I found google's special openid url and tried it on livejournal, twitterfeed (not listed on their approved sites list) and on one of the approved sites. Here's my results:

      Livejournal: LJ gave me an error. I guess LJ is still 1.0, though I have no proof.
      Twitterfeed: Google gave me an error, saying I wasn't authorized to perform the action.
      The approved site gave me a 'login with google' option and also a 'login with openid' option. I used the openid one and put in the google openid URL. It brought me to the google openid signin page.

      Nowhere did I enter in any personally identifiable information to any of these websites, it uses the same trick yahoo does where you can just put in yahoo.com and it'll work, and respond with the email if I allow it access (except currently google's openid URL is much more awkward). I'm not convinced that anything is going against the OpenID 2.0 spec here, though the fact that every site that wants to support this has to request permission seems kind of odd.

    3. Re:How to judge what's going on by BlueGecko · · Score: 5, Insightful

      I agree with you wholeheartedly that Google's solution is better, Bruce, but...it's not the standard. The proper way to do this, and one I'd have been fine with, would be to support OpenID, plus this alternative that's much easier for the average user to understand. That's not what Google did, and I don't think we're out-of-line for faulting them for it.

    4. Re:How to judge what's going on by spectral · · Score: 5, Informative

      I think so. I don't think they even intend to announce that they support OpenID. I think they're using it as a protocol because all the libraries are already written, but they recognize that you can't just go to random_website.com and use their id URL since 1) they won't let random_website.com use this service, and 2) their id URL is really really weird at the moment (and doesn't use email addresses or any personally identifiable information, sorry everyone else commenting).

      I believe the story is just FUD, all around. The summary is wrong (it says it's not OpenID 2.0, Google's page says to use any OpenID 2.0 library). Google hasn't announced they're supporting OpenID, but they are [at least planning on] providing a service that uses OpenID under the hood to do OpenID-like things (namely a "Login With Google" option). I will be very surprised if Google advertises that they support OpenID and that everyone's gmail account is OpenID enabled with this implementation, since it's definitely not going to work for the vast majority of sites.

  5. Re:Why OpenID fails by coryking · · Score: 5, Insightful

    Because for the average person, it's a lot easier to set up a blog than it is to get their ISP to set up custom DNS records.

    There you go again. What the hell are you talking about? Now to log into some stupid site, I have to get a blog too? Huh?

    Admit it, the URL thing sucks ass. Email addresses are something we all have, and many websites are using email addresses as your login already. If OpenID did email, even *if* there wasn't any DNS trickery like I suggest, life would have been 100% easier. But no, I'm sure there is some "valid" reason the purity trolls who wrote the spec had against something so simple and logical, so they decided URL's would be best, usability be damned.

  6. Re:Slightly Conflicting Vision Statements by mini+me · · Score: 5, Interesting

    To make matters even more confusing, Microsoft has embraced, but not extended.

  7. Re:Stop your complaining by FooBarWidget · · Score: 5, Insightful

    "Rubbish. For people like your dad, OpenID is both simple *and* simpler than having to sign up for dozens of sites just to post a comment."

    That's true if you count the step. The thing you overlooked is, he doesn't know what OpenID is! Try to explain OpenID to a random person on street. How big is the chance that he understands it and will even care? Have you ever went through an OpenID registration process? There's no way my dad understands that. The barrier to entry for average users is too high.

    There's more to usability than simply counting the number of steps.

    "Suppose we live in a world where everybody implements OpenID (as a consumer and provider)."

    It's useless to speak of such a world. It simply doesn't exist. The hard reality is that OpenID adoption is still low.

    "If I "can't possibly expect [your dad] to do something as complex" as that, I weep for your dad - and you, given that you got 50% of your genes from him."

    Oh yeah, like launching a personal attack on me will make the usability problems magically go away. If anything, this is a sign of your weakness.

  8. Google sees the problem with OpenID 2.0 by IGnatius+T+Foobar · · Score: 5, Interesting

    Having implemented OpenID 1.1 Relying Party support myself, I think I can definitely see what Google is up to, and it isn't evil, people. OpenID 1.1 was elegant simplicity. Our team built OpenID Relying Party support in just a couple of days without even using any external libraries. OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee. There were four different groups vying to define the standard for single-sign-on for the web, so what did they do? They basically just glommed all of the different technologies together and called it OpenID 2.0. There are all sorts of things you have to support, like I-Names (which no one is going to use). In the end our team decided to just implement OpenID 1.1 and rely on the recommendation for backward compatibility which is built into OpenID 2.0 (a recommendation which Yahoo ignored, btw).

    So it's very possible that some engineers at Google said "hold on a minute. This sucks. OpenID 1.1 made a lot more sense, let's build out from there and see if it's something that the Internet community accepts."

    It may even come to pass that both OpenID 2.0 and Goopen-ID both end up specifying backwards compatibility to OpenID 1.1, which would be great because it would effectively halt the progress of the over-engineered OpenID 2.0 and put us back on a saner path.

    Let's not call Google's plans evil until we see where this goes. It could end up being something that finally puts this useful technology into some widespread use.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Google sees the problem with OpenID 2.0 by Shados · · Score: 5, Insightful

      OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee

      Basically all open standards do, or eventually do, which is why many commercial entities decide to roll up their own. Yup, while definately many of the times when Microsoft did something like this WAS out of "evil", a large portion was for the same darn reason as this. There's VERY few open standards that aren't an insane mess of "I'll add your idea if you add mine" crap.

  9. Re:Slightly Conflicting Vision Statements by mr_mischief · · Score: 5, Funny

    Google:

    1) write a good search engine
    2) ???
    3) grow to critical mass where you can guarantee yourself users
    4) embrace
    5) extend
    6) release extensions to the community
    7) get users based on 1-5 using the new system
    8) advertise the hell out of everything to the users on this system, too
    9) profit!
    10) repeat steps 4 through 9

    Microsoft:

    1) write decent BASIC tools
    2) ???
    3) get someone else's OS preloaded by IBM and ride their coattails to ubiquity
    4) embrace
    5) extend
    6) close off extensions
    7) hook users through lock-in created in steps 3 through 6
    8) extinguish open system
    9) profit!
    10) repeat steps 4 through 9

    The '???' steps come a little early in these. Sorry about that.

  10. Re: Google Version!! by TaoPhoenix · · Score: 5, Funny

    Embrace, Beta, Languish!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  11. Re:Why OpenID fails by burndive · · Score: 5, Insightful

    Do you already have a Google Account nickname set up and ready to enter into the login field? Did you even know such a thing existed? Does Joe The Plumber (TM) know that?

    I do, but then again, I use OpenID the way God intended: I have my blog delegate to a 3rd party that specializes in it (myopenid.com).

    My blog URL is exactly what I want to show the world my identity. It's the hub of a significant portion of my public online content.

    Why does a blog that I'm commenting on need to know my e-mail address? They might spam me.

    An e-mail address is private information. A URL is just as unique, with the added benefit of being public.

    --
    ...because "hacker" sounds way sexier than "code drone."
  12. Google did no such extension either. by Anonymous Coward · · Score: 5, Informative

    I cannot overemphasis the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.

    If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.

  13. Re:Slightly Conflicting Vision Statements by Anonymous Coward · · Score: 5, Informative

    copied from down thread:
    I cannot overemphasis the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.

    If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.