OpenID

This article is a stub. You can help the IndieWeb wiki by expanding it.

OpenID was a protocol for using a web address as an identity to sign-in to websites; it is losing support, is effectively dead (versions 1 & 2 are both deprecated, sites are dropping support), and has been replaced on the IndieWeb with web-sign-in and IndieAuth.

The OpenID Foundation has obsoleted OpenID and OpenID 2.0 in favour of OpenID Connect which unfortunately does not serve the same goal as OpenID did.

Setup

To use indieauth.com as an OpenID delegate for the OpenID identifier of your site, add the following two link tags to the HTML (inside the <head> element) of your website, replacing "aaronparecki.com" with your domain of course.

<link rel="openid.delegate" href="http://aaronparecki.com/" />
<link rel="openid.server" href="https://openid.indieauth.com/openid" />

IndieWeb Examples

Examples of IndieWeb sites which act as their own OpenID provider, without relying on delegation to another provider

• cweiske.de on http://cweiske.de/
• ... add yourself

Examples of IndieWeb sites which consume (allow login via) OpenID in particular (beyond using IndieAuth or any silo logins like Twitter, Facebook, Google+).

• http://p.cweiske.de/
• http://indieauth.id.cweiske.de/ via indieauth-openid
• ... add yourself

Additional Examples

Additional examples of sites either natively providing OpenID or consuming it, maintained by IndieWeb participants:

• User:cweiske.de uses OpenID as backend login method for several TYPO3 instances
• One of the last open, public OpenID servers on the Internet
• ...

Consuming Sites

List of websites that still consume OpenID:

• Dreamwidth
  • 2015-08-03 verified. Kylewm.com 08:26, 3 August 2015 (PDT)
  • Works sporadically with indieauth bridge. Sometimes returns "Can't verify OpenID: naive_verify_failed_return: Direct contact invalidated ID provider response."
• Open Source Bridge
  • 2015-07-19 verified. Tantek 18:54, 19 July 2015 (PDT)
• OpenStreetMap (1.0, 2.0)
  • 2017-04-24 verified to work with indieauth.com OpenID-1.0 and OpenID-2.0. Strk.kbt.io 13:55, 24 April 2017 (PDT)
  • 2015-07-19 verified. Tantek 18:54, 19 July 2015 (PDT)
  • 2019-01-10 not working `Refused to send form data to 'https://openid.indieauth.com/' because it violates the following Content Security Policy directive: "form-action 'self'".` Ed Johnson-Williams 12:41 10 Jan 2019 (GMT)
• Stack overflow
  • 2015-07-~~ WordPress OpenID plugin verified to work per Ryan Barrett in IRC.
  • Note: issues likely due to IndieAuth OpenID provider vs Stack Overflow OpenID consumer
    • Seems to have intermittent errors Aaron Parecki 21:21, 31 May 2015 (PDT)
    • 2015-07-19 failed with "Message signature was incorrect." Tantek 18:54, 19 July 2015 (PDT)
  • Note: Others are also "Unable to login with my personal OpenID server (“Message signature was incorrect.”)" (uses "SimpleID" OpenID provider software)
• Blogger comments still allow OpenID, and work with the IndieAuth bridge
• Puppetlabs Q&A
  • 2015-07-20 verified Christian Weiske
• http://vox.com/
  • 2015-07-20 verified Christian Weiske
  • 2015-07-19 failed with "Sorry, there was a problem authenticating you with OpenId. Error: invalid_credentials" (maybe an IndieAuth provider issue?) Tantek 23:15, 19 July 2015 (PDT)
• http://try.gitea.io (OpenID 2.0 only)
  • 2017-04-24 verified Strk.kbt.io 13:57, 24 April 2017 (PDT)
• ... any other OpenID consuming sites still functioning?

Problematic consuming sites (if problems continue, and if no one can verify OpenID consuming actually works, these should be moved to Shutdowns above, with reason noted "neglect").

• CUFP (Commercial Users of Functional Programming)
  • 2015-07-19 has no OpenID login UI or any login UI for that matter. Tantek 18:54, 19 July 2015 (PDT)
• No Starch Press
  • 2015-07-19 Failed with "OpenID sign-in failed." Tantek 18:54, 19 July 2015 (PDT)

FAQ

Why does indieauth.com not consume OpenID?

Why doesn't indieauth.com support OpenID as an authentication mechanism?

IndieAuth.com used to support OpenID, but there were a lot of problems with getting really weird errors back from OpenID providers inconsistently, and there seemed to be some issue with the omniauth OpenID plugin.

IndieAuth.com can now be used as an OpenID provider (and thus delegate), however.

You can use indieauth-openid if you want to sign in to IndieAuth sites with OpenID.

Shutdowns

AKA Abandonment. The following sites used to provide or accept (consume) OpenID as an identifier to log-in but no longer do. Most recent first:

2018

• 2018-03-06 Stackoverflow announced that OpenID support will be shut down on July 1, 2018. On 2018-05-29 the shutdown date was postponed until 2018-08-15.

2015

• 2015-04-20 Google OpenID 2.0 shut down. See the Google OpenID Shutdown Timetable.

Sometime in 2015:

• Status.net
  • Redirects to e14n.com, no OpenID available Aaron Parecki 21:33, 31 May 2015 (PDT)

Precise date unknown, verified 2015-07-19:

• SixApart's Vox.com old OpenID signup URL: www.vox.com/signup stopped working likely when Vox Media publishing site repurposed the vox.com domain, but implemented their own OpenID sign-in (see Consuming Sites).
• Gitorious
  • "Gitorious is being acquired by GitLab and gitorious.org will shut down end of May." Aaron Parecki 21:33, 31 May 2015 (PDT)
  • 2015-07-19 OpenID login URL no longer has any UI: gitorious.org/login?method=openid Tantek 18:42, 19 July 2015 (PDT)

2014

• 2014-06 Typepad dropped support for logging in with OpenID (consumer) but Typepad blogs and profiles can still be used to log in elsewhere (provider). This was not announced but is evident from the signin page.
  • The OpenID support was dropped temporarily as part of mitigating a DDoS attack, but this then got caught up in the sale of the site to another company and so it was never restored; the fact that it's no longer working is actually essentially an accident of history, which is why it was never announced anywhere. Several of the login providers supported on that login page are actually still implemented using OpenID behind the scenes, and I strongly suspect it's mainly just the same code that was implemented back in 2009 apart from the hasty disabling of the generic OpenID login. I don't have real numbers but I can tell you that the total number of OpenID-using users (including the sites featured in the dropdown) was a drop in the bucket compared to the number logging in with Facebook and Twitter OAuth the last time I saw these stats, so nobody really cared about the OpenID consumer support for a long time. User:Martin.atkins.me.uk

• 2014-02-01 myOpenID OpenID provider shutting down, site already doesn’t load as of 2013-09-04. No public notification yet, email quoted here and here in full
  • 2013-07-25 http://meta.stackoverflow.com/questions/190442/myopenid-no-longer-supported-add-alternative-login-method-to-your-account
• 2014-01-07 Disqus OpenID consumer "no longer supports Open ID"[1]

Sometime in 2014:

• Slashdot
  • Seems to have been removed - Aaron Parecki 16:22, 31 May 2014 (PDT)
• HootSuite
  • "HootSuite will remove support for OpenID in 2014"

2013

• 2013-12 ClaimID.com shut down.

• 2013-10-29 SourceForge.net is considering phasing out OpenID login
  • Also removed the OpenID option from their default login (you have to know and use the "?openid" URL parameter to get it).[2]
  • 2015-07-19 no longer true, SourceForge OpenID URL from cweiske now 404s. Tantek 18:42, 19 July 2015 (PDT)

2012

• 2012-08-23 Disqus help said: "OpenID is no longer supported in Disqus 2012, although it's still available with Disqus Classic"[3]
• ...

2011

2010

• 2010-09-27 PBWorks dropped OpenID consuming support
  • https://www.pingidentity.com/blogs/pingtalk/2010/09/Another-one-bites-the-OpenID-dust.html
• ...

Criticism

Poor Usability In Practice

See:

• 2009-04-06 Template:chrismessina Does OpenID need to be hard?

and articles it links to. Explores many of the apparent usability problems with OpenID deployments (perhaps dark patterns at work). This doesn't mean that OpenID must have poor usability, just that no good examples have been deployed in practice (or end up descending into a NASCAR nightmare).

Consumption Complexity

Contrast easy Twitter/PuSH/OAuth APIs + examples with huge/complex OpenID PHP libraries.

• Over a dozen classes with dozens of methods total in http://openidenabled.com/php-openid/
  • That's the 1.x libs (nevermind 2.x) and samples just for consuming OpenIDs.

The barrier to entry for OpenID support is far too high for independent developers.

- Tantek, 2010-02-01

OpenID also has a lot of unnecessary bloat as a spec: i-names (XRI-based), Yadis and LID. Ignoring all this cruft could create a much simpler OpenID that just uses URLs on the web, thus making it simpler to implement ("ReallyOpenID").

Neglected Libraries and Plugins

As of 2015-05-16:

• All Ruby gems obsolete[4]
• WordPress OpenID plugin "is no longer supported and incompatible with the current version of WordPress."[5]
• Only one working PHP library, "and all they offer is an example server 'to give you an idea of how to write your own implementation.'"

Hard to debug

Aaron Parecki as a developer of an OpenID provider (indieauth.com) has noted that OpenID is hard to debug. (#indieweb-dev 2017-10-29)

Articles

• 2018-10-11 The Decline of OpenID

See Also

• RelMeAuth
• IndieAuth
• How to set up OpenID on your own domain
• Why not OpenID
• OpenID Foundation Specifications
• 2018-03-20 Criticism: https://twitter.com/elforesto/status/976177015958261762
  • "OpenID is the epitome of F/LOSS. Designed and documented in such a way that only the people who wrote it can reliably use it." @elforesto March 20, 2018
• 2018-07-06 Openid.net itself 404s their get an openid page: http://openid.net/get-an-openid/
• https://penguindreams.org/blog/the-decline-of-openid/