[OpenID] Google custom discovery
Breno de Medeiros
breno at google.com
Mon Jul 13 16:34:30 UTC 2009
The short answer is that the Yadis protocol was not designed to scale
well for web architectures, and in particular it interacts poorly with
caching. Deploying solutions on "bare Yadis" is difficult and
inefficient for large providers such as Google.
The long answer is explained in nice detail here:
http://www.hueniverse.com/hueniverse/2008/09/discovery-and-h.html
On Fri, Jul 10, 2009 at 7:35 PM, Santosh Rajan <santrajan at gmail.com> wrote:
>
> Short of pimping something I have started off here, why didn't Google go for
> something like this?
> http://wiki.openid.net/OpenID-discovery-for-Email-Like-identifiers
>
> This would have avoided XRDS and would have been more in line with the
> current work done.
>
>
> Breno de Medeiros wrote:
>>
>> Actually, the better link is:
>> http://www.abstractioneer.org/2009/04/personal-web-discovery.html
>>
>> and the linked posts in hueniverse.org
>>
>> On Fri, Jul 10, 2009 at 11:20 AM, Breno de Medeiros
>> <breno at google.com> wrote:
>>
>>> There is already a proposal for this called webfinger:
>>> http://www.abstractioneer.org/
>>>
>>> It leverages the LRDD proposal to provide a generic mechanism for email
>>> addresses, xmpp addresses, etc.
>>>
>>>
>>> On Fri, Jul 10, 2009 at 11:16 AM, Santosh Rajan
>>> <santrajan at gmail.com> wrote:
>>>
>>>>
>>>> It could be the gmail username, and google profile usernames they don't
>>>> clash.
>>>> Problem is only for Google employees who have google.com email
>>>> addresses.
>>>> :)
>>>>
>>>> Eric Sachs wrote:
>>>> >
>>>> > Only a subset of GoogleProfile users register a username, but yes, for
>>>> > those users that is the common request we get.
>>>> >
>>>> > On Fri, Jul 10, 2009 at 10:46 AM, Santosh Rajan <santrajan at gmail.com>
>>>> > wrote:
>>>> >
>>>> >>
>>>> >> Actually why don't you do discovery on
>>>> >> http://google.com/username
>>>> >> You can do that without clashing with your google.com namespace by only
>>>> >> responding to "Accept" header request with "application/XRD". That would
>>>> >> really make a killer OpenID.
>>>> >>
>>>> >>
>>>> >> Eric Sachs wrote:
>>>> >> >
>>>> >> > The feature in this area that we get more requests for is to support
>>>> >> > OpenID validation for the relatively new Google Profiles service, i.e.
>>>> >> > profiles.google.com, which is also a more memorable endpoint for users
>>>> >> > to type :-). That support is not yet available, but it's definitely on
>>>> >> > the list.
>>>> >> > On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams
>>>> >> > <pwilliams at rapattoni.com> wrote:
>>>> >> >
>>>> >> >> Let's hope it prompts google to do much better: http://op.google.com:
>>>> >> >> forming the eminently typable "op.google.com".
>>>> >> >>
>>>> >> >> They might even have that redirect to http://google.com/op which they
>>>> >> >> might make an xri mount point to the I-brokered authority that serves
>>>> >> >> the op xrd/s. If their op is a real xri-labelled authority, a ref field
>>>> >> >> in the sep can even properly provide for delegated authorization of xrd
>>>> >> >> files by user authorities (which openid auth hacks up as openid
>>>> >> >> delegation, when abusing the semantics of the op local id field per
>>>> >> >> jonny bufu's recent message).
>>>> >> >>
>>>> >> >> I don't think it's hard to meet professional security engineering
>>>> >> >> standards within openid: just be complete about xri semantics (even when
>>>> >> >> using http identifiers). We don't need custom extensions for discovery,
>>>> >> >> particularly if they project idp-centric vs user centric identity models.
>>>> >> >>
>>>> >> >> But let's wait and see how they are signing the xrd files (the way the
>>>> >> >> openxri server does it (per the standard), or "otherwise"). The validity
>>>> >> >> logic for verifying that signature will tell us what class of trust
>>>> >> >> semantics they are working towards: google as ttp for attribute sharing,
>>>> >> >> or uci.
>>>> >> >>
>>>> >> >> ________________________________
>>>> >> >> From: Andrew Arnott <andrewarnott at gmail.com>
>>>> >> >> Sent: Thursday, July 09, 2009 8:30 PM
>>>> >> >> To: Peter Williams <pwilliams at rapattoni.com>
>>>> >> >> Cc: Eric Sachs <esachs at google.com>; general at openid.net;
>>>> >> >> Paul Johnston <paj at pajhome.org.uk>
>>>> >> >> Subject: Re: [OpenID] What is my Google OpenID URL?
>>>> >> >>
>>>> >> >> Wow. I'm going to have to use that tinyurl everywhere now. :-p
>>>> >> >>
>>>> >> >> --
>>>> >> >> Andrew Arnott
>>>> >> >> "I [may] not agree with what you have to say, but I'll defend to the
>>>> >> >> death your right to say it." - S. G. Tallentyre
>>>> >> >>
>>>> >> >>
>>>> >> >> On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams
>>>> >> >> <pwilliams at rapattoni.com> wrote:
>>>> >> >> come on google, it takes you 10s to have a redirector URL
>>>> >> >> (op.google.com, perhaps?) redirect to the
>>>> >> >> https://www.google.com/accounts/o8/id. Conforming RPs are required to
>>>> >> >> follow the redirect, before detecting that the XRD at that address is
>>>> >> >> an law#4-capable OP, vs a user.
>>>> >> >>
>>>> >> >>
>>>> >> >> http://tinyurl.com/googop now produces
>>>> >> >> <?xml version="1.0" encoding="UTF-8" ?>
>>>> >> >> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>>>> >> >>   <XRD>
>>>> >> >>     <Service priority="0">
>>>> >> >>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>>>> >> >>       <Type>http://openid.net/srv/ax/1.0</Type>
>>>> >> >>       <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
>>>> >> >>       <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
>>>> >> >>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>>>> >> >>       <URI>https://www.google.com/accounts/o8/ud</URI>
>>>> >> >>     </Service>
>>>> >> >>   </XRD>
>>>> >> >> </xrds:XRDS>
>>>> >> >>
>>>> >> >> I'm sure google can do better than tinyurl.com!
>>>> >> >>
>>>> >> >> How about op.google.com?!
>>>> >> >>
>>>> >> >> ________________________________
>>>> >> >> From: general-bounces at openid.net [general-bounces at openid.net] On
>>>> >> >> Behalf Of Andrew Arnott [andrewarnott at gmail.com]
>>>> >> >> Sent: Thursday, July 09, 2009 7:16 PM
>>>> >> >> To: Eric Sachs
>>>> >> >> Cc: general at openid.net; Paul Johnston
>>>> >> >> Subject: Re: [OpenID] What is my Google OpenID URL?
>>>> >> >>
>>>> >> >> Note that using your Blogger blog URL is not equivalent to using
>>>> >> >> https://www.google.com/accounts/o8/id. Besides the user interface of
>>>> >> >> the login experience being completely different, Blogger's Provider is
>>>> >> >> only an OpenID 1.1 provider, whereas Google's
>>>> >> >> https://www.google.com/accounts/o8/id OpenID Provider is a more secure
>>>> >> >> OpenID 2.0 provider.
>>>> >> >>
>>>> >> >> --
>>>> >> >> Andrew Arnott
>>>> >> >> "I [may] not agree with what you have to say, but I'll defend to the
>>>> >> >> death your right to say it." - S. G. Tallentyre
>>>> >> >>
>>>> >> >>
>>>> >> >> On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs <esachs at google.com>
>>>> >> >> wrote:
>>>> >> >> If you create a blog on Google's blogger service, then you can type
>>>> >> >> the name of that blog into OpenID login boxes.
>>>> >> >>
>>>> >> >> If you are willing to be really geeky, type in
>>>> >> >> https://www.google.com/accounts/o8/id. That points to the generic
>>>> >> >> Google identity provider, and you will be redirected back with an
>>>> >> >> opaque identifier. But we don't actually expect anyone to know to do
>>>> >> >> that which is why a lot of OpenID relying parties are supporting other
>>>> >> >> user interfaces with buttons for Google. For example, see
>>>> >> >> http://uservoice.com/session/new
>>>> >> >>
>>>> >> >> Similarly a lot of blogs allow you to comment and identify you with an
>>>> >> >> OpenID URL, and while you can try one of the tricks above, many of the
>>>> >> >> blog commenting interfaces also include buttons (or the NASCAR style UI
>>>> >> >> as the community likes to call it) to help users navigate their way
>>>> >> >> through.
>>>> >> >>
>>>> >> >> On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston <paj at pajhome.org.uk>
>>>> >> >> wrote:
>>>> >> >> Hi,
>>>> >> >>
>>>> >> >> I'm sorry for asking such an obvious question, but after considerable
>>>> >> >> time spent searching for this I am unable to figure this out.
>>>> >> >>
>>>> >> >> My google account name is paul.paj. I would like to login to
>>>> >> >> bitbucket.org using OpenID.
>>>> >> >> How do I do it?
>>>> >> >>
>>>> >> >> Paul
>>>> >> >> _______________________________________________
>>>> >> >> general mailing list
>>>> >> >> general at openid.net
>>>> >> >> http://openid.net/mailman/listinfo/general
>>>> >> >>
>>>> >> >>
>>>> >> >
>>>> >> >
>>>> >>
>>>> >>
>>>> >> -----
>>>> >>
>>>> >> Santosh Rajan
>>>> >> http://santrajan.blogspot.com
>>>> >> --
>>>> >> View this message in context:
>>>> >> http://www.nabble.com/Google-custom-discovery-tp24431509p24431923.html
>>>> >> Sent from the OpenID - General mailing list archive at Nabble.com.
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>>
>>>>
>>>> -----
>>>>
>>>> Santosh Rajan
>>>> http://santrajan.blogspot.com
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Google-custom-discovery-tp24431509p24432348.html
>>>> Sent from the OpenID - General mailing list archive at Nabble.com.
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> --Breno
>>>
>>> +1 (650) 214-1007 desk
>>> +1 (408) 212-0135 (Grand Central)
>>> MTV-41-3 : 383-A
>>> PST (GMT-8) / PDT(GMT-7)
>>>
>>
>>
>>
>>
>>
>
>
> -----
>
> Santosh Rajan
> http://santrajan.blogspot.com
> --
> View this message in context: http://www.nabble.com/Google-custom-discovery-tp24431509p24436735.html
> Sent from the OpenID - General mailing list archive at Nabble.com.
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
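
The thread quotes the XRDS document returned for https://www.google.com/accounts/o8/id and notes that a relying party must tell an OP document from a user document once discovery finishes. The following is an added example of that relying-party check, not code from any poster or from Google; `select_endpoint`, the embedded sample and the HTTPS-only policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"  # XRDS describes an OP
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"     # XRDS describes a user

# Constructed sample: the XRDS quoted in the thread, shortened, closing tag restored.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def select_endpoint(xrds_bytes, require_https=True):
    """Return (kind, endpoint_uri, types) for the preferred OpenID 2.0 service."""
    if b"<!DOCTYPE" in xrds_bytes or b"<!ENTITY" in xrds_bytes:
        raise ValueError("DTD/entity declarations are not accepted in XRDS")
    root = ET.fromstring(xrds_bytes)
    xrds = root.findall(XRD_NS + "XRD")
    if not xrds:
        raise ValueError("no XRD element")
    candidates = []
    for svc in xrds[-1].findall(XRD_NS + "Service"):  # use the final XRD
        types = [t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text]
        kind = ("op" if OP_IDENTIFIER in types
                else "user" if CLAIMED_ID in types else None)
        if kind is None:
            continue  # not an OpenID 2.0 authentication service
        prio = svc.get("priority")
        # OP Identifier elements first, then lowest priority value; absent is last.
        rank = (kind != "op", int(prio) if prio is not None else float("inf"))
        for uri in svc.findall(XRD_NS + "URI"):
            if uri.text:
                candidates.append((rank, kind, uri.text.strip(), types))
    for _, kind, uri, types in sorted(candidates, key=lambda c: c[0]):
        if require_https and urlsplit(uri).scheme != "https":
            continue  # local policy (assumption): never send users to a plain-http OP
        return kind, uri, types
    raise ValueError("no acceptable OpenID 2.0 service endpoint")
```

A result of kind "op" means the user typed an OP identifier, so the claimed identifier is only known after the provider responds and must be verified by a second discovery on that returned value.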