Re: Continuing to Not Quite Get It at Google…

David: taking a quick look at Google’s documentation, it sure looks like OpenID to me.  The main items of note are:

  1. It documents the use of OpenID 2.0’s directed identity mode.  Yes this is “a departure from the process outlined in OpenID 1.0″, but that could be considered true of all new features found in 2.0.  Google certainly isn’t the first to implement this feature:
    • Yahoo’s OpenID page recommends users enter “yahoo.com” in the identity box on web sites, which will initiate a directed identity authentication request.
    • We’ve been using directed identity with Launchpad to implement single sign on for various Canonical/Ubuntu sites.

    Given that Google account holders identify themselves by email address, users aren’t likely to know a URL to enter, so this kind of makes sense.

  2. The identity URLs returned by the OpenID provider do not directly reveal information about the user, containing a long random string to differentiate between users.  If the relying party wants any user details, they must request them via the standard OpenID Attribute Exchange protocol.
  3. They are performing access control based on the OpenID realm of the relying party.  I can understand doing this in the short term, as it gives them a way to handle a migration should they make an incompatible change during the beta.  If they continue to restrict access after the beta, you might have a valid concern.

It looks like there would be no problem talking to their provider using existing off the shelf OpenID libraries (like the ones from JanRain).

If you have an existing site using OpenID for login, chances are that after registering the realm with Google you’d be able to log in by entering Google’s OP server URL.  At that point, it’d be fairly trivial to add another button to the login page – sites seem pretty happy to plaster provider-specific radio buttons and entry boxes all over the page already …

4 Comments

  1. Posted 30 October, 2008 at 4:48 pm | Permalink

    Yeah, looks like it’s (mostly) ((but not quite, yet)) OpenID, so it seems I might have jumped the gun a little.

    If I did, it’s mainly because Google does indeed have this habit of not really engaging with the community at large all that well. I got very tired over the past year of listening to folks like Eric Chu spout FUD like “existing open source projects don’t ship on schedule” (in spite of the fact that GNOME ships every six months, like clockwork), that “existing open source projects are too desktop-oriented” (which is simply arrant nonsense), and the like, as justifications for reinventing wheels all over the place–rather than actually working with the community–with Android…

  2. Posted 30 October, 2008 at 5:02 pm | Permalink

    Oh, and for what it’s worth, I’d say the necessity to “plaster another provider-specific radio buttons and entry boxes onto the login page” pretty much defeats the purpose of OpenID, but maybe that’s just me…

  3. Posted 30 October, 2008 at 5:18 pm | Permalink

    As I said, the protocol examples they give look like correct OpenID messages (no “mostly” about it).

    Once the OpenID realm white listing is out of the way (either by registering a realm or when Google removes the white list), you’d be able to log in using “https://www.google.com/accounts/o8/id” as an identity URL – no special buttons required. If they wanted it’d be pretty easy to make “google.com” provide the same discovery information, similar to what Yahoo has done. Of course, this isn’t a big deal while the white list is in place since such sites will probably be set up with a button.

  4. Posted 31 October, 2008 at 3:03 am | Permalink

    While there is a XRDS document published on google.com, my understanding after the OpenID UX Summit last week is that the consumer side would actually be gmail.com (google.com is for google employees). But yes, it does sound like that is the plan.