Better Practices in OpenID

Yahoo published some best practices on OpenID, but I have one they forgot.

Imran and I were talking at OpenCoffee Leeds the other day and we independently and together came up with this realization:

OpenID providers should be required to be OpenID consumers first.

Why? Well, the problem OpenID is trying to solve is “too many usernames”, which really equates to “too many authentication providers”. That means that the last thing we need is more stinkin’ authentication providers. OpenID providers who are not also OpenID consumers, are just making the problem worse.

Don’t believe me? Don’t understand me? Let’s try an example. User J controls his own domain name. For sake of example, call it “”. He wants to be his own authentication provider, and take back total, final control of his name online — he is tired of being jeff.allen here, jeff.r.allen there and jra99 in a third place. He just wants to be forever, or at least for as long as he can afford to pay for the domain name. He’s also lazy, so he uses delegation, and at least that seems to work right (but read on).

He starts looking for places to use his shiny new OpenID. He can use it on his blog, because it is WordPress, and WordPress is an OpenID consumer. He can use it at SourceForge. Nifty. But that’s where it ends. He tries to use it to log in to Yahoo, but because Yahoo is an OpenID provider, he can’t associate his OpenID with his Yahoo account. He continues searching and continues finding the same thing — he’s already got 10 OpenIDs he doesn’t want, and can’t use the OpenID he does want!

Imran made the observation that the “before you generate, accept” rule is like the GPL: recursive in order to focus effort on building instead of competing. It occurs to me as I write this that it’s also like the Robustness Principle (which I prefer to remeber as Postel’s Law in order to commemorate a great man): Be conservative in what you do; be liberal in what you accept from others.

Blogger is a special case. First, Blogger authentication is the Google Account, so if Google was an OpenID consumer, then Blogger would be too. But they aren’t. Except they are, kind of, because one of the options in Blogger when leaving a comment is to login with OpenID. Which according to lots of people, works. For it doesn’t work, and it seems to have something to do with delegation, because with my undelegated OpenID, it works. Memo to Blogger: stop adding buggy features to your site and hop the train down to Mountain View to visit the GooglePlex to help the Google Accounts team become OpenID consumers. That would fix your problem better and fix all the other Google properties as well.

Which brings me to my second proposed best practice: Test delegation, in every conceivable configuration!

Delegation is super-major-cool-magic, and if your site can’t do it right, then you are not doing OpenID right and pissing off the power users who should be complementing you.

PS: This is a common complaint, so hopefully OpenID consumers are listening and will get off their ass and implement the actually useful side of the protocol. It’s not so hard… take WordPress as an example. When a new OpenID arrives, it creates an anonymous account, ties the OpenID to it, and lets the user login. Later, if they care enough, they finish setting up their account.


Leave a Reply

Your email address will not be published. Required fields are marked *