[OpenID] "Nightmare" article on OpenID
Shane B Weeden
sweeden at au1.ibm.com
Fri Nov 19 00:11:43 UTC 2010
Possibly, but of equal concern is the inconsistent support of attributes
and other extensions. Some sites support SREG (only), others AX (only),
others both, others none. Supported attributes vary by OP, and attribute
sharing is at its core optional. Some RPs would like PAPE support but
only a few OPs support it. Facebook chose not to become an OpenID
provider, requiring a different API (which quite frankly is a lot easier to
use than OpenID, but requires registration). Twitter uses OAuth 1.0a
(harder) and won't allow a user to share their email address at all?!

Lack of widespread RP adoption has been often mentioned on this list. I
found Rob's article candid and insightful and in part helps to explain why
RP adoption is non-trivial. It won't change my enthusiasm for the work on
the OpenID, OAuth and Connect standards, but it will make me think about
customer solution design patterns to avoid the worst of the issues he
quotes.

Another example of further work being done in this area (as most of us
know) is Google's http://www.openidsamplestore.com. Take a look at their
login request - it uses both AX and SREG in optional mode to try and be
flexible about email retrieval. Behaviour post-authentication is quite
different if your OP chooses not to send an email address compared to if it
does. Try expanding that example to allow Facebook and Twitter users... I
can see where Rob is coming from, even if I would have chosen different
vocabulary to express some of it :)

Cheers,
Shane.

From: Nat Sakimura <sakimura at gmail.com>
To: nathan at webr3.org
Cc: Luke Shepard <lshepard at fb.com>, List OpenID
<general at openid.net>, Carsten Pötter
<carsten.poetter at gmail.com>
Date: 19-11-10 09:50 AM
Subject: Re: [OpenID] "Nightmare" article on OpenID
Sent by: openid-general-bounces at lists.openid.net
I am kind of interested in the Google OpenID not working but MyOpenID working
part.
Perhaps it is OpenID 2.0 only versus OpenID 1&2 provider?
=nat
On Fri, Nov 19, 2010 at 8:38 AM, Nathan <nathan at webr3.org> wrote:
> No, a web scale open identification protocol should not be that easy to
> screw up that badly, it wasn't all his fault.
>
> OpenID still needs a lot of work on the "open" part, the "id" part, and the
> "protocol" part, that's not me talking OpenID or talking badly of your hard
> work thus far, it's just recognizing that things like this shouldn't be
> happening.
>
> ps: last time I tried to use an openid, my google one, it failed miserably
> so had to use myopenid - in fact every time I've had anything to do with openid
> either as a developer or a user, myopenid has been the only one that worked
> properly. But even then, most consumers don't support the personal details
> so it's a bit of a pointless addition in many cases, saves approx zero work.
>
> Best,
>
> Nathan
>
> Nat Sakimura wrote:
>>
>> I think we should make it clear that it is not Google but HE screwed it up by
>> changing his realm, by which OpenID Auth 2.0 Protocol identifies the site.
>>
>> =nat
>>
>> On Fri, Nov 19, 2010 at 7:10 AM, Carsten Pötter
>> <carsten.poetter at gmail.com> wrote:
>>>
>>> OK, I missed that part. I also acknowledge that OpenID could be
>>> easier, especially for RPs. But if there is no such thing as matching
>>> users in the protocol, a developer has to do something about it.
>>>
>>> On Thu, Nov 18, 2010 at 10:48 PM, Luke Shepard <lshepard at fb.com> wrote:
>>>>
>>>> Saying "he should have used Simple Reg or AX" misses his point. He did try
>>>> that, but he found (as I and many others also have) that there is little
>>>> consistency among providers as far as which attributes are returned or when.
>>>
>>>
>>> --
>>> Carsten Pötter | notsorelevant.com/ | cpoetter.tumblr.com |
>>> twitter.com/carstenpoetter | +49 173 31 03 815
>>> _______________________________________________
>>> general mailing list
>>> general at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>>
>>
>>
>
>
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
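
Added example, not part of any message in this thread: one way an RP can cope with the SREG/AX inconsistency discussed above is to accept an email address from either extension and to treat "no address" as a normal outcome. The function names are hypothetical, the sample responses are constructed, and the assertion's signature is assumed to have been verified already; the code only honours fields listed in openid.signed.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_EMAIL_TYPES = {"http://axschema.org/contact/email",
                  "http://schema.openid.net/contact/email"}  # older URI some OPs use

def signed_fields(params):
    """Keep only openid.* fields listed in openid.signed; others are untrusted."""
    names = params.get("openid.signed", "").split(",")
    return {"openid." + n: params["openid." + n]
            for n in names if n and "openid." + n in params}

def alias_for(fields, ns_uri, default=None):
    """Extension aliases are chosen by the OP, so look them up by namespace URI."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return default

def extract_email(query_string):
    """Return (email, source); email is None when the OP sent no signed address."""
    fields = signed_fields(dict(parse_qsl(query_string)))
    ax = alias_for(fields, AX_NS)
    if ax and fields.get(f"openid.{ax}.mode") == "fetch_response":
        prefix = f"openid.{ax}.type."
        for key, type_uri in fields.items():
            if key.startswith(prefix) and type_uri in AX_EMAIL_TYPES:
                attr = key[len(prefix):]
                value = (fields.get(f"openid.{ax}.value.{attr}")
                         or fields.get(f"openid.{ax}.value.{attr}.1"))
                if value:
                    return value, "ax"
    # SREG 1.0 declared no namespace and used the fixed alias "sreg".
    sreg = alias_for(fields, SREG_NS, default="sreg")
    value = fields.get(f"openid.{sreg}.email")
    return (value, "sreg") if value else (None, None)

# Constructed responses (signature fields omitted; verification is assumed done).
AX_ONLY = ("openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
           "&openid.ext1.mode=fetch_response"
           "&openid.ext1.type.e=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
           "&openid.ext1.value.e=alice%40example.org"
           "&openid.signed=ns.ext1,ext1.mode,ext1.type.e,ext1.value.e")
UNSIGNED_SREG = "openid.sreg.email=bob%40example.org&openid.signed=claimed_id"
```

An RP built this way still needs a post-login path for the (None, None) case, which is the behaviour difference described in the message above.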