
Your Gmail Account is Now An OpenID - jasonlbaptiste
http://www.techcrunch.com/2008/10/29/your-gmail-account-is-now-an-openid/
======
ComputerGuru
It's pretty BS... Software built around OpenID needs to be rewritten to detect
when <http://username@domain.tld/> is entered as an OpenID login and if it's
an @gmail.com address, contact Google's OpenID servers.

From the comments on the original story at Blogspot:

_This is because <http://username@domain.tld/> is a valid URL and can thus be
used as an OpenID._

The problem is that while that may very well be a valid URI, it's not a
_standard_ URI and OpenID software hasn't been written to use this kind of
mechanism.

To make matters even worse, there is no OpenID server set up at gmail.com -
servers need to put a special case for when the @tld.com matches gmail and
contact the appropriate OpenID servers in that case.. it's basically Google
demanding that you authenticate their users on their terms.

Test results for OpenID:
<http://openidenabled.com/resources/openid-test/diagnose-server/start?openid_url=http%3A%2F%2Fmail.google.com%2F>
<http://openidenabled.com/resources/openid-test/diagnose-server/start?openid_url=http%3A%2F%2Fgmail.com%2F>

EDIT

Here's the link to the Google OpenID documentation for developers, it's even
more bloated than I thought:

<http://code.google.com/apis/accounts/docs/OpenID.html>

You need to ask Google to give you the URI to the OpenID endpoint for a given
account. Each account has a different OpenID endpoint, and different incoming
requests are routed to different endpoints....

And I quote:

_3. The web application sends a "discovery" request to Google to get
information on the Google authentication endpoint. This is a departure from
the process outlined in OpenID 1.0._

_4. Google returns an XRDS document, which contains endpoint address._

_5. The web application sends a login authentication request to the Google
endpoint address. This action redirects the user to a Google Federated Login
page._

They're being pretty damn cavalier about using an OpenID that's not really
OpenID in the first place.

~~~
gsiener
Seems like a compromise on Google's part would be implementing something like:
<http://openid.google.com/username>

Standard URI, and would forward you to google to login as normal.

~~~
axod
End users do _not_ equate a URI as being anything that identifies them. To
them, that is a website.

Why is openID hell bent on trying to spin the tables on everything that people
know and are used to? They _know_ email address = my identification/username.

~~~
michaelneale
Yeah, it's confusing as all heck to users.

The ONLY possible upside I can see, is that it slightly reduces the risk that
they give the crown jewels (say, their Google User name and password) to some
malicious site mistaking it for an open ID log in.

In other words, the fact that the identity is the web site is a feature. It
may not be the right feature, but I think there is some design thought behind
it being a url. So users get used to not immediately providing a password, but
instead this URL, and THEN after some redirect shenanigans, they do their
password etc...

------
LogicHoleFlaw
It's great that the big three are now OpenID providers, but the platform is
still almost useless to me until they are also "relying parties."

Would it be possible to merge multiple accounts such that my Microsoft and
Yahoo accounts are consistent with my Google one? Can I migrate an account to
my own provider?

------
tlrobinson
I hate how all the big players (Yahoo, Microsoft, Google) are implementing the
OpenID _provider_ half of OpenID, but refuse to be _consumers_ of OpenIDs from
other providers. It really defeats the purpose of OpenID. I'd even call it
arrogant. Though I suppose it's better than a completely proprietary system
like Facebook Connect.

It's painfully obvious they just want to remain in complete control, while
reaping some of the benefits of OpenID. I'm really hoping this will backfire
on all of them, and OpenID becomes hugely popular to the point where users
demand they become _real_ OpenID consumers. It's going to take a while though.

------
sh1mmer
Google are just testing an approach called "federated login" which they think
is the usability solution to the so-called "URL problem" which is that Joe
Average doesn't know what a URL is or how it should be formatted let alone
what his or her URL is. Obviously MySpace users do, but there is also an
implication from Google that all users are comfortable using an email address.
Many of the younger demographic use FB messaging or YIM for communication and
only use their email for "official things".

There was a lot of discussion about all these issues at
<http://therealmccrea.com/2008/10/20/live-blogging-the-openidoauth-ux-summit/>
and all the interested parties want to resolve this. I should know, I spent
the day with them there.

------
MicahWedemeyer
Read the original article on Google's Blog

<http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html>

They don't want to add just another OpenID to the mix. They want to leave
people with the same signup procedure they're used to (i.e. enter your email).
However, if they enter an @gmail.com address, the server automagically figures
out how to log them in using OpenID.

It's a good idea in theory, but seems like it will require a fair amount of
rewrite on the OpenID library side. Not a big fan of that...

------
ComputerGuru
Actual link:
<http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html>

------
michaelneale
Actually this is terrible. This massively increases the chance of my mum
getting hit by a phishing attack. Not happy google - you should have thought
this one through.

------
ErrantX
:( sad day IMO. OpenID is a nice idea but fatally flawed in the grand scheme
of things. Unified accounts are GREAT. But OpenID just isn't the right way to
go about it...

I knew Google was moving towards this but I always hoped they would see sense
before actually going for it fully.

Disappointed in them for the first time in a LONG time!

------
jmatt
Great, now "all three" provide it and it's still a complete cluster $%^& to
use, manage, code against and maintain.

Previous discussion about confusion caused by openid can be found here
<http://news.ycombinator.com/item?id=334800>

[Edit: Added link]

------
markbao
I wish OpenID was more seamless on the end-user side. Then, there would be
absolutely no reason to not support it.

------
trevorturk
I'm having trouble finding the URL scheme to use... or does this only support
signing in with email@gmail.com?

~~~
tlrobinson
Apparently Google decided they were special, and requires every relying party
to implement custom crap for detecting gmail.com email addresses.

They claim that once it's stable they'll open it up so you'll be able to use
"gmail.com" as your identifier in any RP:

<http://openid.net/pipermail/general/2008-October/006169.html>

Embrace: kinda

Extend: you betcha

Extinguish: ...

~~~
jacobscott
Isn't this just temporary? I mean, shouldn't we wait like a month before
complaining?

