OpenID

From IndieWeb


OpenID was a protocol for using a web address as an identity to sign-in to websites; it is losing support, is effectively dead (versions 1 & 2 are both deprecated, sites are dropping support), and has been replaced on the IndieWeb with web-sign-in and IndieAuth.

The OpenID Foundation has obsoleted OpenID and OpenID 2.0 in favour of OpenID Connect which unfortunately does not serve the same goal as OpenID did.

Setup

⚠️ The indieauth.com service is deprecated, so you may not want to use this. Read more on the indieauth.com page

To use indieauth.com as an OpenID delegate for the OpenID identifier of your site, add the following two link tags to the HTML (inside the <head> element) of your website, replacing "aaronparecki.com" with your domain of course.

<link rel="openid.delegate" href="http://aaronparecki.com/" />
<link rel="openid.server" href="https://openid.indieauth.com/openid" />

IndieWeb Examples

Examples of IndieWeb sites which act as their own OpenID provider, without relying on delegation to another provider

Examples of IndieWeb sites which consume (allow login via) OpenID in particular (beyond using IndieAuth or any silo logins like Twitter, Facebook, Google+).

Additional Examples

Additional examples of sites either natively providing OpenID or consuming it, maintained by IndieWeb participants:

Consuming Sites

List of websites that still consume OpenID:

Problematic consuming sites (if problems continue, and if no one can verify OpenID consuming actually works, these should be moved to Shutdowns above, with reason noted "neglect").

FAQ

Why does indieauth.com not consume OpenID?

Why doesn't indieauth.com support OpenID as an authentication mechanism?

IndieAuth.com used to support OpenID, but there were a lot of problems with getting really weird errors back from OpenID providers inconsistently, and there seemed to be some issue with the omniauth OpenID plugin.

IndieAuth.com can now be used as an OpenID provider (and thus delegate), however.

You can use indieauth-openid if you want to sign in to IndieAuth sites with OpenID.

Shutdowns

AKA Abandonment. The following sites used to provide or accept (consume) OpenID as an identifier to log-in but no longer do. Most recent first:

2018

  • 2018-03-06 Stackoverflow announced that OpenID support will be shut down on July 1, 2018. On 2018-05-29 the shutdown date was postponed until 2018-08-15.

2015

Sometime in 2015:

Precise date unknown, verified 2015-07-19:

  • SixApart's Vox.com old OpenID signup URL: www.vox.com/signup stopped working likely when Vox Media publishing site repurposed the vox.com domain, but implemented their own OpenID sign-in (see Consuming Sites).
  • Gitorious
    • "Gitorious is being acquired by GitLab and gitorious.org will shut down end of May." Aaron Parecki 21:33, 31 May 2015 (PDT)
    • 2015-07-19 OpenID login URL no longer has any UI: gitorious.org/login?method=openid Tantek 18:42, 19 July 2015 (PDT)

2014

  • 2014-06 Typepad dropped support for logging in with OpenID (consumer) but Typepad blogs and profiles can still be used to log in elsewhere (provider). This was not announced but is evident from the signin page.
    • The OpenID support was dropped temporarily as part of mitigating a DDoS attack, but this then got caught up in the sale of the site to another company and so it was never restored; the fact that it's no longer working is actually essentially an accident of history, which is why it was never announced anywhere. Several of the login providers supported on that login page are actually still implemented using OpenID behind the scenes, and I strongly suspect it's mainly just the same code that was implemented back in 2009 apart from the hasty disabling of the generic OpenID login. I don't have real numbers but I can tell you that the total number of OpenID-using users (including the sites featured in the dropdown) was a drop in the bucket compared to the number logging in with Facebook and Twitter OAuth the last time I saw these stats, so nobody really cared about the OpenID consumer support for a long time. User:Martin.atkins.me.uk

Sometime in 2014:

2013

  • 2013-12 ClaimID.com shut down.
  • 2013-10-29 SourceForge.net is considering phasing out OpenID login
    • Also removed the OpenID option from their default login (you have to know and use the "?openid" URL parameter to get it).[2]
    • 2015-07-19 no longer true, SourceForge OpenID URL from cweiske now 404s. Tantek 18:42, 19 July 2015 (PDT)

2012

  • 2012-08-23 Disqus help said: "OpenID is no longer supported in Disqus 2012, although it's still available with Disqus Classic"[3]
  • ...

2011

2010

Criticism

Poor Usability In Practice

See:

and articles it links to. Explores many of the apparent usability problems with OpenID deployments (perhaps dark patterns at work). This doesn't mean that OpenID must have poor usability, just that no good examples have been deployed in practice (or end up descending into a NASCAR nightmare).

Consumption Complexity

Contrast easy Twitter/PuSH/OAuth APIs + examples with huge/complex OpenID PHP libraries.

The barrier to entry for OpenID support is far too high for independent developers.

- Tantek, 2010-02-01

OpenID also has a lot of unnecessary bloat as a spec: i-names (XRI-based), Yadis and LID. Ignoring all this cruft could create a much simpler OpenID that just uses URLs on the web, thus making it simpler to implement ("ReallyOpenID").

Neglected Libraries and Plugins

As of 2015-05-16:

  • All Ruby gems obsolete[4]
  • WordPress OpenID plugin "is no longer supported and incompatible with the current version of WordPress."[5]
  • Only one working PHP library, "and all they offer is an example server 'to give you an idea of how to write your own implementation.'"

Hard to debug

Aaron Parecki as a developer of an OpenID provider (indieauth.com) has noted that OpenID is hard to debug. (#indieweb-dev 2017-10-29)


Articles

See Also