[OpenID] Current state of OpenID & federated logins in general
Nat Sakimura
sakimura at gmail.com
Fri Sep 13 00:37:27 UTC 2013
Just a few notes.
Google's "OAuth Login" actually is OpenID Connect.
Salesforce recently announced the start of support for OpenID Connect.
PayPal is now using OpenID Connect, and so are a bunch of others. Many of them are waiting for OpenID Connect to finalize.
If you are using Amazon, you are using OpenID 2.0.
Many of the use cases are within closed ecosystems, so it might feel that it is not a federation though technically it is.
Proper federated login has not taken off. The de facto federation mechanism is password sharing, which is a threat to the internet's safety.
OAuth 'federation' is becoming somewhat popular because the client can suck the personal data. Many implementations actually do not give much of the security that an SSO really requires because that's not a priority for these sites.
=nat via iPhone
On Sep 13, 2013, at 0:30, Paul Johnston <paj at pajhome.org.uk> wrote:
> Hi,
>
> I'm looking for an informed view on the current state of OpenID and related technologies. What I've picked up is:
>
> 1) Many major web presences (Google, Facebook, etc.) will be identity providers, but favor schemes based on OAuth 2.
> 2) Some web sites do allow federated login, but it's still a minority.
> 3) It is technically difficult to add federated login support to a website. Even where a good library exists (e.g. Spring Social) a lot of work is needed.
> 4) With OAuth systems, if my website wants to allow logins from a particular identity provider, I have to register my website with the identity provider in advance.
> 5) Use of OpenID is now rare.
>
> This is just what I've picked up; I'd welcome a more informed view.
>
> Personally, I am quite disheartened by the situation. I think we desperately need a better system of online identity, and OpenID would do the job. The requirement in OAuth for the service provider to preregister with the identity provider doesn't fit the open nature of OpenID. It's much more geared to a world where everyone uses one of the major providers; no chance of running your own OAuth provider on your own web server.
>
> Thoughts welcome,
>
> Paul
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general