Google OpenID is now live
Brad Fitzpatrick
brad at danga.com
Thu Apr 10 13:52:44 UTC 2008
On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge <james at jamesh.id.au>
wrote:
> On 10/04/2008, Vinay Gupta <hexayurt at gmail.com> wrote:
> > I think that kind of misses the point. The *namespace* that google
> manages
> > is now open for business as an OpenID provider. It's an unanticipated
> > side-effect of the APIs.
> >
> > I think it's kind of a big deal, actually, in terms of how OpenID is
> right
> > from an engineering perspective and how it can spread in unexpected
> ways. If
> > only login were so easy.
>
> This service seems pretty much equivalent to Simon Willison's
> idproxy.net service for Yahoo accounts.
>
> The big difference between this sort of service and actial OpenID
> Provider support from Google/Yahoo is a matter of trust.
>
> With an OP run by Google, the user needs to trust Google. With this
> OP, the user needs to trust whoever is running the OP not to
> impersonate them. Given the lack of contact information, I'd be
> hesitant to use identities managed by that service and would not
> recommend others rely on it.
James,
openid-provider.appspot.com was written by a Google engineer, Ryan Barrett,
who also did most the work (including all the initial work) on Blogger's
OpenID support:
References:
http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM
http://snarfed.org/space/2008-04-07_google_app_engine_launched
http://snarfed.org/space/2007-12-02_openid_comments_in_blogger
Further, App Engine apps don't process user credentials directly. They go
through an OpenID-like auth process with Google, who actually processes the
email/password and tells the App Engine app that somebody logged in, at what
email. You can verify this yourself by looking at the form targets and HTTP
traffic. See:
http://code.google.com/appengine/docs/users/
So I'd say you can pretty much trust an openid-provider.a.com assertion that
the person has a Google account. But like others have said, it's not an
official Google product.
Brad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20080410/188f08ff/attachment-0002.htm>
More information about the specs
mailing list