
OpenID 2.0 for Google Accounts is going away - luu
https://support.google.com/accounts/answer/6135882
======
mikesname
I must say, having switched from Google OpenID 2.0 to Google OAuth2.0 for
authentication on our site I raised an eyebrow when I belatedly read on
Homakov's 2013 blog[1] that OAuth2.0 was never intended for authentication,
only authorization for certain discrete resources. At least with Stack
Exchange doing it I'm in good company, but - if Egor is correct - it raises
the question what's really a good choice for authentication nowadays.

[1]
[http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html](http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html)

~~~
scrollaway
Mozilla Persona is the right approach to authentication. Unfortunately,
Mozilla sucks more at marketing than Microsoft did in the late 90s and Persona
got near null interest from developers that weren't already concerned by the
very real dangers of OAuth and the uprise of Facebook/Twitter authentication.

Persona is still there. It's still maintained, despite getting no funding, but
that doesn't mean developers can't pick it up. If you are interested in
authentication, learn about it. Implement it. Support it. Convert people.

[https://www.mozilla.org/en-US/persona/](https://www.mozilla.org/en-
US/persona/) [https://developer.mozilla.org/en-
US/Persona](https://developer.mozilla.org/en-US/Persona)

~~~
fiatjaf
Plus, if you use Persona, your users get automatic Google OpenID Connect (and
others).

~~~
ForHackernews
Howso?

------
philbarr
OpenID, OAuth, and the like have just made things more confusing for both devs
and users alike, IMHO. Wasn't it supposed to "unify" things and make it easier
and safer for everyone?

For example:

\- a site might offer to login via Facebook, but I'm afraid to in case my
friends' Facebook news feeds get spammed.

\- I want to offer an easy login for my users, but which OAuth provider do I
pick? Which OAuth, OpenId _thing_ am I supposed to use? They all look the
same! But different!

------
mfjordvald
We used OpenID 2.0 for our internal auth system to provide SSO across domain
names and we just finished implementing OpenID Connect. I can't even begin to
describe how much of a difference there is between the two, OpenID Connect is
completely painless while OpenID 2.0 fought us every single week.

Can't wait to migrate everything over to Connect instead.

------
NeutronBoy
According to the page at
[https://developers.google.com/accounts/docs/OpenID#shutdown-...](https://developers.google.com/accounts/docs/OpenID#shutdown-
timetable), the first user-visible warnings appeared in November 2014 (unless
disabled by the site operator). 6 months is not an unreasonable timeline to
make some minor adjustments to your auth system to make it OpenID Connect
compatible (from a quick glance at the migration page, it basically required
adjusting the auth URL and adding a few extra params).

~~~
vertex-four
OpenID Connect is an entirely separate protocol from OpenID 2.0. Essentially,
it's an extension of OAuth2, which is difficult to implement correctly on your
own. Libraries are available for most languages for it, though.

~~~
abraham
OAuth 2 is not difficult to implement as a consumer.

~~~
Legogris
Have you read the specs? Getting it "working" is trivial, but to guarantee
security there are a lot of considerations and checks you must or should do
that are easily overlooked.

~~~
abraham
Pretty much all of the security considerations are factors for the provider
and not the consumer. Consumers should use validated TLS and encrypted
storage, but beyond that consumers have more to worry about keeping their own
application secure.

------
SCdF
So this seems to affect… a lot of services. I'm surprised it's not getting
more coverage. Unless this message appears when it doesn't need to, a massive
number of prominent services rely on this, such as StackOverflow (if you
attach it to a google account obv.).

~~~
ahsteele
Stack Overflow has already addressed this issue:
[http://meta.stackexchange.com/q/244367/61654](http://meta.stackexchange.com/q/244367/61654).

~~~
SCdF
Oh I see, it comes up for me because I specifically use OpenID through my
domain. That's just my problem then.

