OpenID Connect [LWN.net]

By Jake Edge
June 2, 2010

When last we looked in on OpenID, it was close to finalizing the OpenID 2.0 specification. That was in 2007; since that time, various other identity management solutions have come about and have been more widely adopted, OAuth in particular. One of the architects of OpenID, David Recordon, has put out a idea (or "strawman" as he calls it) for a new API that combines the best of OpenID and OAuth into "OpenID Connect".

There are a number of shortcomings of OpenID that Recordon and others would like to see addressed. In the three years since the last revision, the internet has not stood still, but OpenID has. OpenID works reasonably well for web sites, but is much more difficult to use for things like desktop widgets or mobile applications. A bigger problem is that OpenID's user-centric nature has made those users less "valuable" to web sites, which results in fewer sites adopting OpenID.

OpenID is structured such that users need only share a limited amount of data (typically just a URL) with a site in order to register with it. That is good from a privacy perspective, but doesn't give site owners information that they want, like name, email address, photo, and so on. According to Chris Messina—who originated the OpenID Connect concept and name—that makes OpenID users into second-class citizens: "Because OpenID users share less information with third parties, they are perceived as being 'less valuable' than email-based registrants or users that connect to their Facebook or Twitter accounts."

More and more sites are farming out their identity management to big sites like Facebook and Twitter using OAuth. Messina and Recordon's idea is to reimplement OpenID atop OAuth 2.0, which would leverage that existing—widely adopted—API for identity management. It would also allow OpenID to become simpler for web site operators to implement. Recordon pointed out some of the problems he has heard about:

I've heard story after story from developers implementing OpenID 2.0 who don't understand why it is so complex and inevitably forgot to do something. With OpenID Connect, discovery no longer takes over 3,000 lines of PHP to implement correctly. Because it's built on top of OAuth 2.0, the whole spec is fairly short and technology easy to understand. Building on OAuth provides amazing side benefits such as potentially being the first version of OpenID to work natively with desktop applications and even on mobile phones.

Based on that, one might wonder why OpenID doesn't just adopt OAuth, rather than build atop it, but there is an important distinction between the two. OpenID Connect would still decentralize the storage of user information and allow the user-centric nature of OpenID to survive. Users would be able to choose their provider or run their own that stored their personal information. That way, users would get to choose whom to trust or to only trust their own server.

Another problem that OpenID Connect hopes to solve is to simplify things for users. Right now, users have to remember and type in a URL that corresponds to their OpenID provider, or click on multiple buttons for popular providers (which leads to the so-called NASCAR problem where there are multiple logos as buttons). OpenID Connect would allow for simpler URLs or even email addresses as identifiers.

It is important to recognize that this proposal is being driven by the fact that OpenID adoption has largely stalled. That has happened because the sites that folks want to use want a little—or a lot—more information about those who are signing up for or using their services. There is a trade off, clearly, as it is not unreasonable for site owners to require more information as a kind of payment, as long as they are up front about it. But the privacy conscious are likely to still be marginalized as the demands for information increase.

While there currently is a lot of noise being made about privacy concerns for sites like Facebook, there appears to be little actual action about it by most users. Privacy just does not seem to be something that is high on most users' priority lists, or, perhaps, Scott McNealy was right: "You have zero privacy anyway ... Get over it." OpenID Connect seems like a reasonable idea, overall, but as long as the majority are happy with the current OAuth-based systems, it is a little hard to see it making any headway. Yes, it may be used by a small minority of internet users, but it is likely to require just enough effort that most will not take advantage of it. It would seem that many are already "over it".

(Log in to post comments)

OpenID Connect

Posted Jun 3, 2010 18:54 UTC (Thu) by Simetrical (guest, #53439) [Link]

"It is important to recognize that this proposal is being driven by the fact that OpenID adoption has largely stalled. That has happened because the sites that folks want to use want a littleor a lotmore information about those who are signing up for or using their services."

Beware of assuming that the problem people are working on is the only problem, or even the most important one. Wikipedia has never required any info at registration except username and password -- even an e-mail address is optional. But it doesn't support OpenID, as either a provider or a consumer. Why? It just never seemed worth the effort to implement, given all the other things to do. There's a MediaWiki extension for it, but sysadmins haven't looked it over to check whether it's suitable for Wikimedia sites (e.g., scalable enough). They have other things to do.

When people have suggested that the popular proprietary forum system vBulletin use OpenID, and when anyone employed by its developer commented, the reaction was similar: something in the vein of "I don't see the point." vBulletin, too, doesn't collect a particularly large amount of personal data.

To me (as a web developer), apathy and poor cost/benefit sound like much more compelling reasons than privacy to not support OpenID. Even if you wanted to farm lots of info out of users, you could just ask them for that on signup, no? Just let them use OpenID instead of asking for a password, and ask for everything else like normal.

Mozilla's Account Manager sounds like a much better direction to head in than OpenID. A central identity store layered on top of an in-browser UI has the advantages of being more resistant to phishing, and not having to prompt the user separately for every site on what central store to use (because the browser can remember between sites).

A built-in browser method can also provide far superior security guarantees when you do use simple passwords, like to log into your central identity provider. There are schemes that will authenticate client to server *and* server to client by using the password as a shared secret, without disclosing any information to eavesdroppers, and without disclosing any information about the password to either party if the passwords don't match. These cannot be done without browser UI support -- if a site implements it in JavaScript, you have no way to tell if it's actually implementing the algorithm or just stealing the password.