
Google is shutting down OpenID 2.0 - lisper
https://developers.google.com/accounts/docs/OpenID#shutdown-timetable
======
teh
OpenID has been on its way out for a while. It's being replaced by OpenID
Connect [1] so this is not bad news, but a good reminder in any case!

[1] [http://openid.net/connect/](http://openid.net/connect/)

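The OpenID Connect successor mentioned above differs from both OpenID 2.0 and plain OAuth in one practical way: the relying party gets a signed ID token and has to validate it itself (signature, issuer, audience, expiry and the nonce it generated for that login). The block below is an added example written for this page, not code from Google or the OpenID Foundation. It signs with HS256 and a shared secret only so that it runs offline; Google actually signs ID tokens with RS256 using keys published at its jwks_uri, and the claim checks are the same. The client_id is the one visible in the OAuth playground link further down this thread; the subject, secret and nonce values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer values Google documents for its ID tokens; either may appear.
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


class IdTokenError(ValueError):
    """Raised when an ID token fails any validation step."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims, key):
    """Mint a compact JWS with HS256.

    Only here so the example runs offline (assumption, not Google's
    behaviour): a real OpenID Connect provider signs with an asymmetric
    algorithm and publishes public keys; the checks in validate_id_token
    are identical either way.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def validate_id_token(token, key, client_id, expected_nonce, now=None,
                      issuers=GOOGLE_ISSUERS, leeway=60):
    """Verify signature and claims; return the claims on success.

    Skipping any of these checks lets a token minted for another site
    (aud) or for an earlier login (nonce, exp) be replayed here.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose it ("none", etc.).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg %r" % (header.get("alg"),))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in issuers:
        raise IdTokenError("unexpected issuer %r" % (claims.get("iss"),))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("token was not issued for this client")
    # With several audiences, the authorized party must be this client too.
    if "azp" in claims and claims["azp"] != client_id:
        raise IdTokenError("authorized party is not this client")
    if int(claims.get("exp", 0)) + leeway < now:
        raise IdTokenError("token expired")
    if int(claims.get("iat", now)) - leeway > now:
        raise IdTokenError("token issued in the future")
    nonce = str(claims.get("nonce", "")).encode()
    if not hmac.compare_digest(nonce, expected_nonce.encode()):
        raise IdTokenError("nonce mismatch (replayed or cross-session token)")
    if not claims.get("sub"):
        raise IdTokenError("no subject identifier")
    return claims


if __name__ == "__main__":
    key = b"demo-shared-secret"                    # constructed for the example
    now = 1420000000
    client = "407408718192.apps.googleusercontent.com"  # client_id from the playground link in this thread
    token = sign_id_token({
        "iss": "https://accounts.google.com",
        "sub": "110169484474386276334",            # constructed subject id
        "aud": client, "exp": now + 3600, "iat": now,
        "nonce": "n-0S6_WzA2Mj", "email": "user@example.com",
    }, key)
    print(validate_id_token(token, key, client, "n-0S6_WzA2Mj", now=now)["sub"])
```

The nonce is what makes this a login protocol rather than an authorization grant: the relying party generates it per login attempt, stores it in the session, and refuses any token that does not echo it back, so a token captured from one site or session cannot be presented to another.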
~~~
nailer
Practically, OpenID is being replaced by OAuth. A decade ago authentication
and authorisation were quite separate concepts. This has been replaced by the
realisation that 'being authorised to use a particular account' (Google
Account, Twitter, FB, etc.) is sufficient to prove ownership of that account
and therefore identity.

~~~
nly
This gives me the creeps. Authorisation and identification are _not_ the same.
If you use 'Login with X' you're giving X access to all your accounts. That's
not just third party attestation of your identity. It's kind of like saying a
passport is what gives you access to your home country... in reality your
status as a citizen is what gives you that right, the passport is merely a
convenience.

~~~
nailer
Edit: see reply below, I think I misunderstood the parent post.

> If you use 'Login with X' you're giving X access to all your accounts.

That's definitely not correct. You are giving X access to only whatever scopes
you allowed, on a single account.

Here's an example of just 'userinfo'. Click this and see what it asks for:
[https://accounts.google.com/AccountChooser?service=lso&conti...](https://accounts.google.com/AccountChooser?service=lso&continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fscope%3Dhttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%26response_type%3Dcode%26access_type%3Doffline%26redirect_uri%3Dhttps%3A%2F%2Fdevelopers.google.com%2Foauthplayground%26approval_prompt%3Dforce%26client_id%3D407408718192.apps.googleusercontent.com%26hl%3Den%26from_login%3D1%26as%3D-6660997c12ed44e0&btmpl=authsub&hl=en)

Per the screen, it only allows:

"- View your full name, profile picture and profile URL"

"- View any publicly available information on your Google+ profile (if you
have one or create one in the future)"

It can't see your photos, see your contacts, read your email, post G+
messages, or anything else you didn't authorise.

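The point of the comment above is that the consent screen shows exactly the scopes the relying party asked for, and that is decided by the authorization request URL. The following is an added example written for this page (not Google's or the OAuth playground's code): it unwraps the AccountChooser link quoted above to show that the only scope requested is `userinfo.profile`, and then builds a minimal-scope authorization request of our own with a per-login `state` value and checks the provider's redirect back. The client id `my-client-id`, the callback `https://app.example/cb` and the test callback URLs are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# The AccountChooser link from the comment above; the actual OAuth 2.0
# authorization request is nested, percent-encoded, in its `continue` parameter.
PAGE_URL = (
    "https://accounts.google.com/AccountChooser?service=lso&continue="
    "https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fscope%3D"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%26"
    "response_type%3Dcode%26access_type%3Doffline%26redirect_uri%3D"
    "https%3A%2F%2Fdevelopers.google.com%2Foauthplayground%26"
    "approval_prompt%3Dforce%26client_id%3D407408718192.apps.googleusercontent.com"
    "%26hl%3Den%26from_login%3D1%26as%3D-6660997c12ed44e0&btmpl=authsub&hl=en"
)

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


def authorization_request(url):
    """Return (endpoint, params) for the authorization request behind `url`,
    following Google's AccountChooser `continue` indirection if present."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path.endswith("/AccountChooser") and "continue" in query:
        return authorization_request(query["continue"][0])
    endpoint = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return endpoint, {name: values[0] for name, values in query.items()}


def requested_scopes(url):
    """The space-separated scope list the user will be asked to consent to."""
    _, params = authorization_request(url)
    return params.get("scope", "").split()


def new_state():
    """Unguessable per-login value; store it in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state,
                            endpoint=GOOGLE_AUTH_ENDPOINT):
    """Build a code-flow request that asks for exactly `scopes` and nothing more."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must be pre-registered with the provider
        "scope": " ".join(scopes),
        "state": state,                 # ties the callback to this browser session
    }
    return endpoint + "?" + urlencode(params)


def callback_is_valid(callback_url, expected_state):
    """Accept the provider's redirect only if it carries our state and a code.

    A callback with a wrong or missing state is the classic login CSRF:
    an attacker's authorization code gets bound to the victim's session."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return False
    return "code" in params and "error" not in params


if __name__ == "__main__":
    endpoint, params = authorization_request(PAGE_URL)
    print(endpoint)
    print("scopes:", requested_scopes(PAGE_URL))
    print("client_id:", params["client_id"], "access_type:", params["access_type"])
    state = new_state()
    print(build_authorization_url("my-client-id", "https://app.example/cb",
                                  ["openid", "email"], state))
```

Note that the playground link also carries `access_type=offline`, which asks for a refresh token; a site that only wants to log people in should leave that out, since a long-lived refresh token is more than a login needs.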
~~~
hueving
I think you are misunderstanding what he is saying. If you use Google to prove
your identity to every website you use, you are giving Google access to all of
those websites.

~~~
nailer
Yeah you're right, see my other reply.

------
StavrosK
Mozilla Persona was the best of the authentication protocols :(

~~~
nickbauman
Mozilla Persona _should_ have been the successor to OpenID. It solves almost
all of the problems with OpenID, which were:

1) The NASCAR problem. Arrive at a page for a site you signed up for with
OpenID and be totes confused: which "openId" did I use for this site?

2) The privacy leak: If you used your Google OpenID, now Google knows that you
logged into someotherplace.com with your "openid"

3) The ID problem. Wait, what? Yeah, like, how does someone keep track of
which "openid" ID is "me".

The final problem is that not many people will write a full implementation of
it other than the big players like mozilla itself or Google or Microsoft. And
the latter two don't have a ton of incentive to do so.

~~~
SwellJoe
So, how do we revive Persona? I mean, it's still around, but it's been kind
of back-burnered by Mozilla.

The odd thing is that I didn't even know it existed until this whole
conversation about Google dropping OpenID came up...and I use Firefox as my
browser across all my devices, I use sync, I use Thunderbird, I follow the
Firefox OS development with interest, and yet, I had no idea Persona was a
thing.

I've always been uncomfortable with Google and Facebook being my "identity"
provider, and I've been equally uncomfortable with the fact that they would
happily provide those authentication services but won't accept them (i.e. I
can login to thousands of services using my Google or Facebook account, but I
can't login to Google or Facebook with any other service account). I simply
don't like Google and Facebook owning my online life, but the convenience of
it often trumps the ethical and privacy implications. I have, thus far,
avoided integrating Google or Facebook logins on my sites because of the
ethical implications, but I hate making my users keep up with passwords and
usernames.

Why aren't more websites supporting Persona?

For my part, I plan to integrate Persona into the next version of my company
website launching early this year, as well as our wiki and blogs. I may even
try to figure out how to fit it into our products, somehow.

I found the following, seemingly maintained, extensions for Persona support in
the apps I use for the websites I maintain:

[https://www.drupal.org/project/persona](https://www.drupal.org/project/persona)

[https://wordpress.org/plugins/browserid/](https://wordpress.org/plugins/browserid/)

[https://www.mediawiki.org/wiki/Extension:Persona](https://www.mediawiki.org/wiki/Extension:Persona)

~~~
nickbauman
I wrote a Mozilla Persona integration in Clojure with Tom Marble (of
OpenJDK evangelist fame at Sun) and friends at the Clojure.MN meetup a few
years ago, here:

[https://github.com/tmarble/nongrata](https://github.com/tmarble/nongrata).

It was actually a snap to implement. I did most of the coding and it took me
maybe a few hours total, and I had NO idea what I was doing at the time. So if
you want to USE Persona or integrate with Mozilla's implementation, there's
nothing stopping you.

Writing the full stack of a Persona implementation is a many-week to
several-month job for a half-dozen-member team, not only for development but
also from an infosec point of view.

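For readers wondering what the "snap to implement" relying-party side of Persona looked like: the browser hands the site a signed assertion, the site POSTs it together with its own audience (scheme, host and port as the browser sees them) to Mozilla's verifier, and then acts on the verifier's JSON answer. The block below is an added example written for this page, not code from nongrata or from Mozilla. The verifier endpoint and response fields are the ones Mozilla documented for Persona; the service was decommissioned in November 2016, so the endpoint no longer answers. `post_json` is a hypothetical injected transport, and `canned_verifier` with its `alice@example.com` reply is a constructed stand-in for the real verifier so the code runs offline.

```python
import hmac
import time

# Mozilla's hosted verifier, as documented for Persona/BrowserID.
VERIFIER_URL = "https://verifier.login.persona.org/verify"


def verify_assertion(assertion, audience, post_json, now=None):
    """Exchange the browser's assertion for a verified email address.

    post_json(url, payload) -> dict performs the HTTPS POST; it is injected
    (assumption for this example) so the function can run offline.
    `audience` must be this site's own origin. Passing a guessable or
    attacker-controlled value lets an assertion issued for another site
    be accepted here, so it is never taken from the request.
    """
    now = time.time() if now is None else now
    reply = post_json(VERIFIER_URL, {"assertion": assertion, "audience": audience})
    if reply.get("status") != "okay":
        raise ValueError("verifier rejected assertion: %s"
                         % reply.get("reason", "unknown"))
    # The verifier echoes the audience it checked against; insist it is ours.
    echoed = str(reply.get("audience", "")).encode()
    if not hmac.compare_digest(echoed, audience.encode()):
        raise ValueError("audience mismatch")
    # `expires` is milliseconds since the epoch.
    if float(reply.get("expires", 0)) / 1000.0 < now:
        raise ValueError("assertion expired")
    email = reply.get("email")
    if not email or "@" not in email:
        raise ValueError("verifier returned no email")
    return email


# Constructed stand-in for the verifier: accepts one known assertion for one
# audience and answers the way the real service did.
MY_ORIGIN = "https://app.example"


def canned_verifier(url, payload):
    assert url == VERIFIER_URL
    if payload["assertion"] == "good-assertion" and payload["audience"] == MY_ORIGIN:
        return {"status": "okay",
                "email": "alice@example.com",
                "audience": MY_ORIGIN,
                "expires": 1420000000000 + 120000,   # 2 minutes after 1420000000 s
                "issuer": "login.persona.org"}
    return {"status": "failure", "reason": "assertion audience mismatch"}


if __name__ == "__main__":
    email = verify_assertion("good-assertion", MY_ORIGIN, canned_verifier,
                             now=1420000000.0)
    print("logged in:", email)
```

Once the email comes back verified, the site sets its own session cookie; the assertion itself is single-use and short-lived and is never stored.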
~~~
StavrosK
On the provider side of the equation, I wrote an "identity provider as a
service" app that you can just drop in to your existing domain by adding a
single file:

[https://persowna.net/](https://persowna.net/)

It allows all your users to log in to Persona-supporting sites with their
@yourdomain.com address, bypassing the bridge, and supports various nifty
features like catch-alls, two-factor auth, etc.

------
fintler
Previous discussion at
[https://news.ycombinator.com/item?id=8346355](https://news.ycombinator.com/item?id=8346355)

------
jay_kyburz
I'm going to use this opportunity to transition my users off social logins
altogether.

I used Google and Facebook when first building the webapp because I simply
didn't want to do the work of building an authentication system. It's lots of
work to get right.

About a year ago I had a lot of users complain my site _only_ had social
logins so I had to implement my own anyhow.

Now I have it, I don't see a lot of value in keeping the social logins around.

I just need to ask users to add a password to their account and they can login
using email/password combo.

~~~
dyoo1979
I don't know your audience, so perhaps this makes sense.

I don't want to remember or keep track of yet another password for a random
web site. If the web site requires login and doesn't support
Facebook/Twitter/G+ login, then I'll likely give up and avoid the page.

~~~
jay_kyburz
I think there are a lot of users who feel the other way around, they can't
trust "some random website" with their facebook / G+ identity. They would
rather just make a throw away account with some easy to remember password.

~~~
dyoo1979
I would agree that this is a major flaw, if the "scope" were unrestricted. But
most of these systems support a capability-style model where you can say: "I
give you permission to let me log in as myself, for this particular web site.
But you have no other authority to do anything else as me." For example,
"email" scope:
[https://developers.google.com/+/api/oauth#email](https://developers.google.com/+/api/oauth#email),
or the Permissions in Facebook login:
[https://developers.facebook.com/docs/facebook-login/permissi...](https://developers.facebook.com/docs/facebook-login/permissions/v2.2)

Another reason why I don't feel happy about forcing people to make passwords
for random web sites: most people are really bad at understanding risky
computer behavior. Do you have a parent or relative who uses the same password
for everything? I do. Despite my best efforts to warn them, they are not
convinced that this is a dangerous thing to do. I don't think they're alone in
this. Education is not enough.

------
ComputerGuru
Called it back in 2008: [https://neosmart.net/blog/2008/google-doesnt-use-openid/](https://neosmart.net/blog/2008/google-doesnt-use-openid/)

OpenID 2.0 screamed "embrace, extend, and extinguish" loud and clear. It's 8
years later, probably not as evil (TM) as I had prophesied (more likely
attributable to the death of OpenID rather than malice), but, yeah...

EDIT: Yes, 6, not 8. I got the 8 from 2008 stuck in my head, apparently. Oops!

~~~
taytus
You "called it" 6 years ago :/

------
PythonicAlpha
What frightens me a little about this move (OK, I acknowledge that OpenID 2.0
is deprecated and should be updated to something new) is that Google talks
only about "Google+ Signin". And OK, as I read in the previous discussion,
Google will also in the future support logins from people with a normal email
account.

Still, I am worried, since Google does not clearly communicate these facts;
when you look at their communications, you read only about "Google+ Signin"
and you have to search to find that you do not need Google+ but just the new
protocol, OpenID Connect.

I don't like to see such communications from a company that once claimed
(a long, long time ago!! Do you remember, Google?) "Don't be evil".

It is OK when they move away from an old protocol, but it is not OK when
they (and it very much looks that way to me!) use it as a vehicle to market
their products. Google has troubled people enough with forcing G+ on them --
so I find it even more troublesome how they do it now (as it seems to me
currently).

I fear Google is still hunting after Facebook and, by the way, inheriting
its bad habits.

As I see it now, they also want a new button to be used -- something with G+
on it. I see they really put pressure on people -- many people will think
that they need a Google+ account to use this feature (even if it is not
required). I would say, Google, you are going to hurt yourself!

I myself was thinking about using a "Login with Google" button in my
application ... but now, with things changed, I will think twice before I make
such a move!

~~~
7952
Google have never properly supported federated login. You should be able to
login to Google services with an external account and not need to sign up with
Google at all. Their Authentication and Authorization APIs have always been
about pushing Google Services.

~~~
PythonicAlpha
That is right. But till now, I could use a simple Google account (not G+) to
log in, for example, at Stackoverflow.com.

In future the button will change from "G"-Login to "G+"-Login. As somebody
else stated, Google said that a normal Google account will suffice in the
future, but the wording alone and the new button will alienate people.

------
kordless
There's no mention in here of the Python Users API that Google provides for
managing users in your Python AppEngine application. Google hasn't updated the
Python Users page (other than mentioning there are changes coming) and hasn't
indicated whether they will update the Users API methods to support the new
auth methods.

Given I chose AppEngine in part because of the Users API, it would be nice if
there were some clarification by Google on what they plan to do with the Users
call, and some suggestions (or, heaven forbid, sample code) to show us how to
do it ourselves.

~~~
kordless
Just a small update, because there's basically nowhere else anyone is going to
read this, given Google suspended the Google Groups for AppEngine and doesn't
answer StackOverflow questions. I tried using the sample code from the Users
API pages and built this:
[http://kordtester2.appspot.com/](http://kordtester2.appspot.com/). The app is
using standard Google authentication, not the federated auth. The docs say it
should work, but it's clearly broken.

------
higherpurpose
Time to replace it with SQRL?

[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

(I think the final spec will launch in a week or two.)

~~~
nly
SQRL doesn't solve any of the hard problems.

See my post here
[https://news.ycombinator.com/item?id=8790768](https://news.ycombinator.com/item?id=8790768)

------
knocte
Sorry if this is a stupid question but, does this mean that Google accounts
will no longer be OpenID accounts?

------
lowlevel
Just wait until they shut down gmail.

------
mahouse
> ...is disabled for a small number of requests on an intermittent basis, some
> users will be forced to re-consent

Very inconsiderate.

~~~
fryguy
Actually, it's considerate. Given the choice of having all of your users
suddenly shut off, or a small portion of them, the latter is better. Suppose
that the number is 1% of people that get shown this page. This means only 1%
of the people are going to email you to remind you to fix it, instead of
everyone at once. By gradually ramping this number up, you get the most
notification with the least number of users inconvenienced.

