[OpenID] "Nightmare" article on OpenID

Nat sakimura at gmail.com
Fri Nov 19 01:01:23 UTC 2010


I agree. 

I suppose we have to make sure that we will have a clear conformance section for the next rev of the spec. 

=nat @ Tokyo via iPhone

On 2010/11/19, at 9:11, Shane B Weeden <sweeden at au1.ibm.com> wrote:

> Possibly, but of equal concern is the inconsistent support of attributes
> and other extensions. Some sites support SREG (only), others AX (only),
> others both, others none. Supported attributes vary by OP, and attribute
> sharing is at its core optional. Some RPs would like PAPE support but
> only a few OPs support it. Facebook chose not to become an OpenID
> provider, requiring a different API (which quite frankly is a lot easier to
> use than OpenID, but requires registration). Twitter uses OAuth 1.0a
> (harder) and won't allow a user to share their email address at all?!
> 
> Lack of widespread RP adoption has been often mentioned on this list. I
> found Rob's article candid and insightful and in part helps to explain why
> RP adoption is non-trivial. It won't change my enthusiasm for the work on
> the OpenID, OAuth and Connect standards, but it will make me think about
> customer solution design patterns to avoid the worst of the issues he
> quotes.
> 
> Another example of further work being done in this area (as most of us
> know) is Google's http://www.openidsamplestore.com. Take a look at their
> login request - it uses both AX and SREG in optional mode to try and be
> flexible about email retrieval. Behaviour post-authentication is quite
> different if your OP chooses not to send an email address compared to if it
> does. Try expanding that example to allow Facebook and Twitter users... I
> can see where Rob is coming from, even if I would have chosen different
> vocabulary to express some of it :)
> 
> Cheers,
> Shane.
>
> From:    Nat Sakimura <sakimura at gmail.com>
> To:    nathan at webr3.org
> Cc:    Luke Shepard <lshepard at fb.com>, List OpenID
>            <general at openid.net>, Carsten Pötter
>            <carsten.poetter at gmail.com>
> Date:    19-11-10 09:50 AM
> Subject:    Re: [OpenID] "Nightmare" article on OpenID
> Sent by:    openid-general-bounces at lists.openid.net
> 
> 
> 
> I am kind of interested in Google OpenID not working but MyOpenID working
> part.
> Perhaps it is OpenID 2.0 only versus OpenID 1&2 provider?
> 
> =nat
> 
> On Fri, Nov 19, 2010 at 8:38 AM, Nathan <nathan at webr3.org> wrote:
>> No, a web scale open identification protocol should not be that easy to
>> screw up that badly, it wasn't all his fault.
>> 
>> OpenID still needs a lot of work on the "open" part, the "id" part, and the
>> "protocol" part, that's not me talking OpenID or talking badly of your hard
>> work thus far, it's just recognizing that things like this shouldn't be
>> happening.
>> 
>> ps: last time I tried to use an openid, my google one, it failed miserably
>> so had to use myopenid - in fact every time I've had anything to do with openid
>> either as a developer or a user, myopenid has been the only one that worked
>> properly. But even then, most consumers don't support the personal details
>> so it's a bit of a pointless addition in many cases, saves approx zero work.
>> 
>> Best,
>> 
>> Nathan
>> 
>> Nat Sakimura wrote:
>>> 
>>> I think we should make it clear that it is not Google but HE screwed it up by
>>> changing his realm, by which OpenID Auth 2.0 Protocol identifies the site.
>>> 
>>> =nat
>>> 
>>> On Fri, Nov 19, 2010 at 7:10 AM, Carsten Pötter
>>> <carsten.poetter at gmail.com> wrote:
>>>> 
>>>> OK, I missed that part. I also acknowledge that OpenID could be
>>>> easier, especially for RPs. But if there is no such thing as matching
>>>> users in the protocol, a developer has to do something about it.
>>>> 
>>>> On Thu, Nov 18, 2010 at 10:48 PM, Luke Shepard <lshepard at fb.com> wrote:
>>>>> 
>>>>> Saying "he should have used Simple Reg or AX" misses his point. He did try
>>>>> that, but he found (as I and many others also have) that there is little
>>>>> consistency among providers as far as which attributes are returned or when.
>>>> 
>>>> 
>>>> --
>>>> Carsten Pötter | notsorelevant.com/ | cpoetter.tumblr.com |
>>>> twitter.com/carstenpoetter | +49 173 31 03 815
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 
> 
> 
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> 
> 
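
Added example, not written by anyone in this thread: one way an RP could look for an email address in a positive assertion when the OP may answer with SREG, with AX, or with neither, which is the inconsistency the quoted messages describe. The function name `extract_email` and the sample values are assumptions, and signature verification is assumed to happen before this is called.

```python
from urllib.parse import parse_qs

SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPES = {"http://axschema.org/contact/email",
                  "http://schema.openid.net/contact/email"}


def extract_email(query):
    """Return (email, source) from an id_res query string, else (None, reason).
    Assumes the caller already verified the assertion signature; only fields
    listed in openid.signed are read, unsigned ones are ignored."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("openid.mode") != "id_res":
        return None, "not a positive assertion"
    signed = {"openid." + f for f in p.get("openid.signed", "").split(",") if f}

    def signed_value(key):
        return p.get(key) if key in signed else None

    # Extension aliases are chosen by the OP, so resolve them via openid.ns.*
    aliases = {k[len("openid.ns."):]: v for k, v in p.items()
               if k.startswith("openid.ns.") and k in signed}
    for alias, ns in aliases.items():
        prefix = f"openid.{alias}."
        if ns == SREG_NS and signed_value(prefix + "email"):
            return p[prefix + "email"], "sreg"
        if ns != AX_NS:
            continue
        for key, type_uri in p.items():
            if not (key.startswith(prefix + "type.") and key in signed
                    and type_uri in AX_EMAIL_TYPES):
                continue
            attr = key[len(prefix) + len("type."):]
            # AX carries value.<attr>, or count.<attr> with value.<attr>.1
            value = (signed_value(f"{prefix}value.{attr}")
                     or signed_value(f"{prefix}value.{attr}.1"))
            if value:
                return value, "ax"
    return None, "no signed email attribute"


# Constructed response (not captured traffic): the AX email is signed; the
# sreg.email field is present but not listed in openid.signed.
SAMPLE = ("openid.mode=id_res&openid.ns.ext1=http://openid.net/srv/ax/1.0"
          "&openid.ext1.type.mail=http://axschema.org/contact/email"
          "&openid.ext1.value.mail=alice@example.org"
          "&openid.ns.sreg=http://openid.net/extensions/sreg/1.1"
          "&openid.sreg.email=mallory@example.net"
          "&openid.signed=ns.ext1,ext1.type.mail,ext1.value.mail")
```

The `(None, reason)` result is the case the RP has to design for: an OP that sends no email at all still produces a valid login.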
