
Stack Overflow: Support for OpenID Ends on July 1, 2018 - ingve
https://meta.stackexchange.com/q/307647
======
djsumdog
I am one of the 13k that is that little red guy. I just migrated my openid
provider to a docker container and changed the certificate to LetsEncrypt.

Slashdot removed support, as did shirt woot and deletionpedia. Freecode and
gitorious are gone. After this, the only things I'll have left on openid will
be PyPI (which doesn't seem to work) and openstreetmaps.

I understand why and the technical debt involved, but this still makes me very
sad. We're moving in the wrong direction. We're going away from open,
federated, distributed standards and back to closed, walled-garden,
proprietary, massive identity providers.

~~~
scrollaway
> _We're moving in the wrong direction._

The thing is, too often do people lament the loss of federated/open systems
and quickly jump on a blame train spanning the users who "are making the wrong
choices by not using the 'obviously better, open systems' and the corporations
who 'push their evil walled gardens onto users'".

But few people actually think about what is actually causing these shifts.
Users don't usually care about open vs. closed, and seldom care about
ideology. They want their shit to work without hassle, to look good, to
achieve what they want.

I see so many people blaming users and companies for moving away from IRC,
onto systems like Discord and Slack. Why you gotta blame the consumers when
they are merely switching to obviously better alternatives? IRC is not a
suitable replacement for Discord today, and systems like XMPP and OpenID are
massive fucking messes. They don't get used because they're too hard to use.
_Usability is a feature_.

Honestly, I think proprietary solutions win so often because they value
pragmatism by nature, whereas open solutions tend to value ideology.
Sometimes, you have visionaries at the helm who _do_ value pragmatism and you
end up with the best of both worlds. Torvalds is an excellent example: He
produces pragmatic, open software and his way, although not "ideologically
pure", has done more to promote free software than Stallman ever has.

Not to point fingers; I definitely know there are Stallman-wannabees floating
around the site who are in it purely to feel superior to others, and be able
to wag their finger and make fun of those using "crass, proprietary software".
They don't try to understand why consumers use the proprietary solutions (they
can't try, because they refuse to use them). And at the end of the day, the
needle hasn't moved.

Anyway, all that to say, we're moving in the wrong direction because too many
people cling onto the systems that have obviously lost (openid and IRC)
without considering _why_ consumers use oauth2 and slack. It's armchair
lamenting.

~~~
mcguire
I have this strange feeling while reading your comment, as if you would
respond to the tragedy of the commons with, "Isn't it great! We should get rid
of all the commons!", even though the result would be materially worse.

Open, federated systems are possibly, arguably, better, both in terms of
ideology (or alternative, more specific terms like "privacy") and (maybe)
technology. But, as you say, users don't care about open/closed, they don't
care about ideology, they don't even care about technology. They care about
ease of use and appearance.

Open, federated systems will never be as simple as proprietary systems.
Further, they'll never attract the money necessary to get even as close as
possible in terms of ease of use and appearance. Non-proprietary systems will
usually lose out of the gate, not because they're dragging a 100lb anvil of
ideology but because the alternatives have a magic tailwind of simpler
requirements and more resources. (And that's as pragmatic as you can get,
right?)

Note: I'm not a Stallman-wannabe, I'm not wagging fingers (at the moment, on
this issue), and I use proprietary solutions all the time. But I also know
what I'm trading off.

~~~
orthecreedence
Serious question: Why is email so successful? Why hasn't Facebook messenger or
Slack or WhatsApp or any other siloed messaging service unseated it? Is it
just because it was there first and now it's entrenched?

Why can't other services work like email and Matrix and have success? A lot of
it just seems like success of marketing to me.

~~~
djsumdog
Another thing to consider is that e-mail is actually part of the DNS standard.
Of course with SRV records, you could add discovery for any new arbitrary
service via DNS, but the fact that it's part of that standard says something
to just how old it is.

I think part of it is just the ease of setting up services. You can install
new programs on your desktop win/macos and they'll update themselves and all
that, but servers are not so easy. There are things that are coming out that
make servers more pluggable/lego brick build-able like Sandstorm, and maybe
one of those will really take off and make hosted apps something more
individuals would be willing to pay for.

E-mail also has its huge share of problems. Setting up your own e-mail server
is also super unreliable because of over-aggressive spam filters, as I wrote
about here:

[http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/](http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/)

------
bambax
> _Of our 9,813,747 accounts around one-tenth of a percent are actively using
> OpenID_

I created an account on SO using an OpenID provider in 2009. In 2014, the
provider disappeared and with it, the ability to log into the account. I was
never warned about this and have never been able to access that account again.

Since then I only access SO via web searches (didn't create another account).
I wonder how many people are in the same situation.

~~~
WorldMaker
I've always delegated my address to a provider of choice, so as providers fall
I've been able to adjust my delegation. That ability to delegate any domain
you control (or even different pages on the same domain) to any provider you
wanted to use was one of the best features of OpenID, and something that is
lost in most of the "OpenID" Connect systems like FB/Google login where
provider is locked as soon as you click the button.

~~~
ams6110
OpenID Connect works for users though. "Sign in with Google" is something
people understand.

The original OpenID, where my identity was a URL that wasn't a website, and
wasn't my email address, was never easy to explain.

~~~
WorldMaker
OpenID was built for the world where everyone had a blog, so everyone had at
least one URL that _was_ a website that they controlled that was also their
OpenID. It was easy to explain in that world. That world barely existed, and
now is long gone, for better/worse.

------
lucideer
This isn't a big surprise, if anything it's surprising it lasted as long, but
some thoughts/comments:

> _The reality is OpenID support has created a ton of complexity in our
> codebase_

I don't doubt this is true but I do find it surprising. I would be interested
to see a breakdown of this from a technical perspective. I'm sure it adds
complexity, but in the context of the overall complexity of SO I would have
expected it to be relatively overshadowed.

> _Users have spoken with their actions. You prefer Google, Facebook and Stack
> Exchange (aka email /PW) based account auth._

No, they haven't. OpenID use in SO has declined for two reasons: (1) providers
shutting down and (2) Stack Overflow UI changes to hide the option from users
in the login form (making my logins require extra clicks).

> _around one-tenth of a percent are actively using OpenID (defined as having
> visited a site in the past 12 months). If you include all the inactive
> accounts it is still less than 2.9% of all accounts._

0.01 up to 2.9 is a massive jump and seems to indicate a high active user
turnover. I wonder what the user activity retention rates are on SO. What
percentage of currently active users are very recent joiners.

------
mrweasel
It's a little sad, but OpenID implementations ended up being rather one sided.
Everyone wanted to be an OpenID identity provider, but fewer wanted to be on
the consumer side. For OpenID to succeed that relationship needs to change.

There was simply no benefit for the larger sites to access OpenID as an
authentication mechanism. Perhaps the EU's General Data Protection Regulation
can change that to some extent for smaller sites that wish to store almost
nothing about the users, while still authenticating them.

~~~
sebazzz
As I see it, it has been replaced by OAuth, which is created for a different
purpose but works just as well for login and authentication.

~~~
willow9886
No, OpenID has been replaced by OpenID Connect, a profile of OAuth 2.0 written
to specifically address user sign in.

OAuth 2.0 is an authorization framework, not an authentication protocol. OAuth
2.0 can be used for a lot of cool tasks, one of which is person
authentication.

OpenID Connect is a “profile” of OAuth 2.0 specifically designed for attribute
release and authentication.

For more info, see our blog: OAuth vs SAML vs OpenID Connect. [1]

[1] [https://www.gluu.org/resources/documents/articles/oauth-vs-saml-vs-openid-connect/](https://www.gluu.org/resources/documents/articles/oauth-vs-saml-vs-openid-connect/)

~~~
snuxoll
OpenID Connect is still not in any way comparable with traditional OpenID.

~~~
willow9886
Nobody said it was...

> OpenID has been replaced by OpenID Connect

Replaced != compatible.

Also, "traditional OpenID" is very ambiguous phrasing... are you referring to
OpenID 1? OpenID 2? or OpenID Connect?

~~~
tedunangst
While we're playing inequality, comparable != compatible.

~~~
willow9886
oops! i've been staring at the screen too long!!

------
kstrauser
And they compensated by finally allowing users to add new email/password
authentications to their account. Woo-hoo! I'd originally signed in with
Google but I'd much rather have personal per-system logins, and now this is
possible.

------
DanHulton
Huh, I'm one-tenth of one percent.

AMA, I guess.

But yeah, this got me into trouble a couple times. I actually have a /openid
URL on my site that redirects to Google, but forgot. This, mixed with
accidentally having two accounts (back when Careers was its own thing) meant
some poor SO rep had to do a whole bunch of untangling one day.

I'm glad they're consolidating systems into an easier-to-understand thing. If
it had just been email/password from day 1, I don't think I'd have had half the
troubles I did by trying to be "future-compliant".

------
milkmiruku
FWIW, I've used OpenID for login on my personal wiki [1] for a few years and
haven't had a spam issue [yet].

To forgo the bother of managing being provider or even relayer, I just use a
Dreamwidth (the LiveJournal fork) profile [2]. Always interesting using a url
as a login. For those who say that's confusing for the masses, there was a
method of mapping e-mail address to OpenID profiles. [3]

I was a bit confused as to why OpenID Connect turned out the way it did,
moving focus from federated to the closed "Login with
Facebook/Twitter/GitHub/Dropbox/Google" thing (if they are OAuth/OIDC based?).

I guess the above could be related - I get no spam because federated OpenID
didn't take off, and federated OpenID didn't take off because companies wished
to sidestep a future spam problem.

[1] [https://wiki.thingsandstuff.org](https://wiki.thingsandstuff.org)

[2] [https://www.dreamwidth.org/openid](https://www.dreamwidth.org/openid)

[3] [https://mashable.com/2008/09/30/openid-email-addres](https://mashable.com/2008/09/30/openid-email-addres)

------
willow9886
It's a bit strange that nowhere in the post does SO mention OpenID Connect...

OpenID 1 & 2 have been dead and deprecated for some time...Google deprecated
support in 2016.

All domains should move to supporting the latest iteration, OpenID Connect,
which, by all indications, looks like it will be stable and relevant for many
years to come.

~~~
dfabulich
OpenID Connect is stable, sure. But relevant? I'm not aware of any major
identity provider _or_ consumer who uses OpenID Connect.

~~~
willow9886
Seriously? How about Google?

[https://developers.google.com/identity/protocols/OpenIDConnect](https://developers.google.com/identity/protocols/OpenIDConnect)

------
BrandoElFollito
Ah, Stack Exchange (and Overflow) Meta never stops making me smile: they
used a post closed as 'non constructive' as a reference in an official
announcement.

------
bloudermilk
> Of our 9,813,747 accounts...

Stack Exchange has less than 10 million registered users? That’s surprisingly
low even for Stack Overflow alone. I wonder how many MAUs they get...

~~~
jfriend
~50 monthly visitors. The key here is you don't need an account to get the
value. [https://stackoverflow.com/company](https://stackoverflow.com/company)

------
ReverseCold
Tangentially related:

The openid.net website is blocked by some popular web filters as
"virus/malware".

Anyone know why?

~~~
tedivm
Which web filters? I can't see any reason why it would be blocked, as I
couldn't find any history of malware infection on it and they don't even have
ads (so no history of their ad network pushing exploits).

------
tannhaeuser
I don't get why OpenID was introduced in the first place then. The point of
using an open auth protocol is to not become dependent on monopolies, isn't
it? The figures being what they are isn't supportive of this decision when
using OpenID is considered a strategic decision. I thought you could use
Google at least (but not Fb) as OpenID Connect provider, so wouldn't it make
more sense to deprecate support for Google-proprietary login schemes instead?

Also, as remarked on the followup stackexchange discussions, this will make
stackexchange login (against Google, Fb) JavaScript-only, won't it?

Could somebody with more know-how clue me in about the state of affairs of
OpenID and web auth?

~~~
willow9886
> I don't get why OpenID was introduced in the first place then.

Because the Internet needs standards to work. If all domains implement
authentication differently, we do not have an interoperable network.

As is customary, standards must evolve to keep up with requirements. OpenID 1
and 2 weren't built with the idea that smart phones would be in every person's
pocket, or Internet connected devices in every home.

The latest iteration of OpenID--OpenID Connect--is essentially Google's
playbook for authentication. It's of huge value to the rest of the world.

To put it simply: having your own OpenID Provider at your domain (e.g.
idp.example.com) allows you to operate a similar authentication infrastructure
as Google.

What does that mean?

\- Single sign-on (SSO) across web and mobile applications

\- Ability to support a variety of strong authentication mechanisms (a.k.a.
2FA), like U2F security keys and OTP mobile apps, in one place for many apps

If all apps and services were to align with OpenID Connect, we would have a
truly scalable and interoperable identity layer for the Internet.

~~~
icebraining
But what's the point of OpenID Connect being interoperable, if unlike in
OpenID, the providers are statically defined by the site and not dynamically
discovered from the user input? If you want to have your own provider for your
own sites, then you don't need it to be interoperable.

~~~
willow9886
OpenID Connect defines two important standards: Discovery [1] and Dynamic
Registration [2].

All OpenID Providers publish their details at a publicly discoverable (and
standard) domain: [https://{hostname}/.well-known/openid-configuration](https://{hostname}/.well-known/openid-configuration).

For instance, you can see our OP meta data here [3].

This provides the foundation for using email as an identifier, i.e. in order
to access a protected resource at an autonomous site, input an email at a
domain with an OP, and the RP can perform discovery to find where to send the
user for authentication, and dynamic registration to register their client
(app) with the OP to obtain user information ("claims").

[1] [https://openid.net/specs/openid-connect-discovery-1_0.html](https://openid.net/specs/openid-connect-discovery-1_0.html)

[2] [https://openid.net/specs/openid-connect-registration-1_0.html](https://openid.net/specs/openid-connect-registration-1_0.html)

[3] [https://idp.gluu.org/.well-known/openid-configuration](https://idp.gluu.org/.well-known/openid-configuration)

~~~
Promarged
> For instance, you can see our OP meta data here [3].

Do your e-mails end with @idp.gluu.org? Or how would the RP discover that the
domain is not "gluu.org" but "idp.gluu.org"?

~~~
willow9886
No, but using my email address @gluu.org, you can find the discovery endpoint
because it's a standard address for domains. For instance, here's Google's OP
discovery endpoint:

[https://accounts.google.com/.well-known/openid-configuration](https://accounts.google.com/.well-known/openid-configuration)

~~~
vertex-four
How do I find that discovery endpoint, given your email address @gluu.org?
[https://gluu.org/.well-known/openid-configuration](https://gluu.org/.well-known/openid-configuration)
doesn't exist. I don't even know that idp.gluu.org is a thing from your email
address.

