OpenID – Can you feel the love?
10/29/2008 9:46 PM
It seems that everyone is jumping on the OpenID bandwagon - kinda. First came WordPress. Then Yahoo, AOL, Microsoft and now Google. It seems that all the major internet players now officially support OpenID in one fashion or another. In almost every case, the major players have really just stuck their toe in the water by becoming OpenID providers. This means that your accounts on all of these services have now become valid OpenID tokens. This is great news but it is not enough.
For most users, getting an OpenID account has never been a problem. Anyone who wanted to use OpenID could easily have signed up with MyOpenID, MyID, ClaimID, Verisign or many other OpenID providers. The real challenge for most users has been finding a site that accepts OpenID. The list (also another one here) of sites that accept OpenID is growing. However, if you peruse those lists you will notice something missing. Namely, what you won’t find is WordPress, or Yahoo, or AOL or Microsoft or Google on the list of sites accepting OpenID.
John Timmer on Ars Technica refers to this as the Balkanization of OpenID. Each of these major players wants to be seen as being open and playing nice, but they have not really left their walled gardens. They all want to own you and your identity. It is much easier for Google to convince you to use Gmail instead of Hotmail if you already have a Google account, or to try out Picasa instead of Flickr.
Google is probably the worst offender in this group. Beyond just becoming an OpenID provider, Google has actually forked the OpenID standard. With Microsoft, Yahoo, AOL, WordPress and the other major providers, I can take their OpenID token and use it to log in to ANY OpenID-enabled website. All I need is my custom URL provided by the OpenID provider and I am good to go.
Google has decided that they can “improve” on the standard and now want sites to just accept your Google email address as the OpenID token. The site would then have to know a special Google URL and use that to determine the final authentication endpoint for the user. While this approach makes it easier for users to remember their token, it ensures that almost no site on the web will support using your Google ID to authenticate. Those that do support it will have to “hardcode” the special Google URL into their applications. As any programmer will tell you – hardcoding values is seldom a good thing. Imagine if every vendor followed Google’s approach. I would need to hardcode URLs for every OpenID provider that existed, and would need to update my application every time some new OpenID provider was created. Clearly this does not scale. For a company that claims to “do no evil”, this looks pretty malevolent.
Hopefully, these vendors are working on becoming OpenID relying parties. That is, they will open up their sites to allow anyone with an OpenID to log in. Given the history of these companies and the value of retaining ownership of these customers, I don’t see them changing anytime soon.
So, what does all this mean for you? It means that if you have a WordPress, Yahoo, AOL, Microsoft, or Google (kinda) account, you can take advantage of a growing number of sites and platforms that accept OpenID. Many bloggers like Scott Hanselman and Jon Galloway have OpenID-enabled their blogs as well as their blogging platforms (DasBlog and SubText respectively). Some popular sites like StackOverflow only accept OpenID and have no other authentication method. You will also find support for OpenID built into your favorite web platforms like DotNetNuke (seriously, did you think that I would get through this whole post without mentioning that DotNetNuke has supported OpenID for over a year?). So I encourage you to give OpenID a try. Heck, if you have been on the web for more than a day then you already have an OpenID account. And while you are busy getting comfortable with OpenID, provide a gentle reminder to the AOLs, Microsofts, Googles and Yahoos of the world to FULLY support OpenID.
EDIT: I think Kevin Pang has an awesome post on this topic that is worth reading, especially the Slashdot comments.