Google Clarifies Its OpenID Implementation
Update: We've been contacted by members of the OpenID community who argue that we've mischaracterized the controversy in this post. Additional complications not discussed here include the now-ceased process of whitelisting domains that could use Google OpenID.
After we wrote about Google becoming an OpenID provider yesterday, a number of reports suggested that Google was not following the OpenID guidelines closely and that it was basically forking OpenID to suit its own agenda.
Confusion
Normally, when you use your email address as your OpenID credential, the OpenID enabled site (the 'relying party') goes back to your OpenID provider and looks for a specific file (XRDS) on the server. However, Google chose not to implement this part of the OpenID ecosystem when it launched its OpenID implementation yesterday and made developers rely on Google's own API instead.
Now, however, Google has announced that it will start publishing XRDS files 'as quickly as possible.' For the time being, you can use 'https://www.google.com/accounts/o8/id' to sign up for OpenID enabled sites.
Why Google Doesn't Accept OpenID Itself
One other issue many people raised yesterday was that Google itself did not accept OpenID for letting users sign in to its own properties. According to today's blog post, the reason for this is purely technical, as "all Google rich-client apps would break if we supported federated login for our consumer users." Google, however, is looking at possible solutions for these problems and is enlisting the help of the OpenID community.
It is good to see Google acknowledge these issues head-on. Despite these growning pains, we still think that Google's support for OpenID will drive its widespread acceptance, especially once Gmail users can just use their accounts to effortlessly create accounts and log into third-party services.
Note: Yesterday's espiode of TheSocialWeb.tv has some more in-depth detail about the development of Google's OpenID implementation and features an interview with the developers.
Share
Comments
Subscribe to comments for this post OR Subscribe to comments for all ReadWriteWeb posts
As the linked comment, I feel obliged to comment again.
It is nice to see Google clarifying its position, and so quickly after people kicked up a brouhaha. If only they had been as transparent from the start.
As the presenter in the socialwebtv video says, we're in a transition period. The proof will be in the pudding. When I can get a Google Calendar by pointing them at "craigloftus.net", I will be happy. I have a feeling I won't be happy for a long time ;)
"Now, Google has published a blog post its its Google Code Blog that explains why Google chose "
should be
"Now, Google has published a blog post on its Google Code Blog that explains why Google chose"
You've been gooseGraded ;)
Keep up the great work.
None of the big players accept OpenID. They continue to battle over "owning user accounts" while they tell developers to move authentication to the cloud. That's shady.
we are providing limited access to an API for an OpenID identity provider that is based on the user experience research of the OpenID community
Google moves towards single sign-on with OpenID !!