The end of OpenID?

Posted Feb 3, 2011 9:19 UTC (Thu) by spaetz (guest, #32870)
In reply to: The end of OpenID? by ekj
Parent article: The end of OpenID?

> In what way is bar@example.com less of a pseudonym than http://example.com/bar?

Because I know my email address very well while I always have to look up my openid url (https://me.yahoo.com/spaetz) :-)?

Fortunately and that is too little known, it is very easy to insert a redirect header in any webpage you control and use that URL as openid url. Which makes it very conventient to use as I know the URL of my private homepage by heart...

Logins via openid can ask the openid provider for a email address and get it prefilled *if the user consents*.

The end of OpenID?

Posted Feb 3, 2011 22:09 UTC (Thu) by bangert (subscriber, #28342) [Link]

having driven websites with thousands of signups a day, i can tell you that people do NOT generally know their email -- or the spelling thereof...

...even if you ask the user to input the email twice!

The end of OpenID?

Posted Feb 5, 2011 21:11 UTC (Sat) by madhatter (subscriber, #4665) [Link] (3 responses)

Spaetz makes a very good point there. Being a fan of OpenID myself, and having read both the 37signals and the webmonkey articles, I was struck by the extent to which people seem to be misusing OpenID.

If you're trying to remember an OpenID URL of the format http://OddSubdomain.OpenIDProvider.tld/WeirdAccountName, you're doing it wrong. The right way to use it is to have your OpenID as http://my.vanity.domain/ , perhaps appending /openid or some simple string, and from that domain, which you control, nominating your OpenID provider _du jour_, which can - and probably should - change regularly.

This gets rid of the "I forgot my account details with my provider so I got locked out" problem, which seem to be many of the problems in both the articles mentioned above. I have in fact locked myself out of my provider twice, and each time, I found a new provider and switched in minutes, because the OpenID URL I had registered was on a domain under *my* control, not some third party's.

I'm a big fan of OpenID and I'm sorry it won't catch on with most sites, and I'm fairly sure the reason why it won't is, as has been said here already, the benefits are all to me, not to the site owner. I look forward to being able to use it on LWN soon.

The end of OpenID?

Posted Feb 7, 2011 13:24 UTC (Mon) by spaetz (guest, #32870) [Link] (2 responses)

yep, that's how I do it too. There is not even a need to append /openid to the url.

These 2 lines in index.html is all I need to be able to use http://sspaeth.de as my openid url.

The end of OpenID?

Posted Feb 8, 2011 12:40 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses)

And unless you're an OpenID geek there's no way you'll realise that. I've got an OpenID identity that I can never remember because I can never remember the URL. Would I have thought of the trick you propose? Not in a million years.

The end of OpenID?

Posted Feb 8, 2011 12:47 UTC (Tue) by madhatter (subscriber, #4665) [Link]

I rather agree with you, but I still think it's due to the way that OpenID is being mis-sold (as it were). None of us comes into the world fully versed in the protocol, so we all have to learn about it from somewhere or someone. I was lucky that I caught it early on, and read the protocols, and saw how it was supposed to be used - it's not a trick, it's clearly what's intended by the authors.

But there's no reason why those providing OpenID authentication servers couldn't do a better job of telling people how it's supposed to be used. Except, presumably, that they, too, don't want to help their user community free themselves from linkage to their providers.

I despair, really I do.

The end of OpenID?

Posted Feb 8, 2011 14:53 UTC (Tue) by jamesh (guest, #1159) [Link]

If you are using Yahoo as your provider, you should be able to enter "yahoo.com" as your identifier for most sites.

This will trigger an Identifier Select authentication request, where the actual OpenID identifier is only determined when the response is sent to the relying party. This way, all users of an identity provider can use the same starting URL.