SoylentNews is people

posted by Blackmoore on Tuesday January 06 2015, @12:57AM
from the don't-make-me-alter-the-deal-again dept.

The shutdown timetable for Google's OpenID: completely gone by April 20, 2015, with some intermediary steps

Google+ sign-in implements OAuth2.0. The - maybe subtle - difference between OpenID and OAuth:

OpenID and OAuth are both authentication methods, but while OpenID is a way to use a single set of user credentials to access multiple sites, OAuth is more a way to allow one site to access and use information related to the user's account on another site.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by gallondr00nk on Tuesday January 06 2015, @01:03AM

    by gallondr00nk (392) on Tuesday January 06 2015, @01:03AM (#132045)

    I hope not, I use OpenID for posting to wordpress blogs. It's pretty damn useful to me, though I understand it's not exactly widespread.

  • (Score: 4, Interesting) by bryan on Tuesday January 06 2015, @01:56AM

    by bryan (29) <bryan@pipedot.org> on Tuesday January 06 2015, @01:56AM (#132063) Homepage Journal

    I've followed OpenID and OAuth since they launched and have written a good bit of code that uses them both. Although they started out with noble goals and a relatively clean first version, they both descended into a complex bureaucratic mess. Seriously, after version 1 they totally threw the KISS principle out the window and just kept making the spec uglier and harder to understand.

    The current spec is so complex that the leader of the OAuth project famously resigned [hueniverse.com] a few years back. Here's a 30 minute video [vimeo.com] where he describes more of the reasons why it sucks so badly.

  • (Score: -1, Flamebait) by Anonymous Coward on Tuesday January 06 2015, @02:06AM

    by Anonymous Coward on Tuesday January 06 2015, @02:06AM (#132065)

    Get your stink out of my life!

    That's all I have to say.

  • (Score: -1, Flamebait) by Anonymous Coward on Tuesday January 06 2015, @02:14AM

    by Anonymous Coward on Tuesday January 06 2015, @02:14AM (#132073)

    A decade ago we rejected Microsoft's Passport for being a single-vendor system with no interoperability. This decade, Google embraces an open and interoperable standard in OpenID, extends it, then extinguishes it with a closed 'Google login only' replacement.

    Yet for some reason, Google gets away with it.

    Don't do evil, indeed.

    • (Score: 3, Informative) by Nerdfest on Tuesday January 06 2015, @02:46AM

      by Nerdfest (80) on Tuesday January 06 2015, @02:46AM (#132081)

      OAuth is an open standard. Other providers implement it as well.

      • (Score: 2, Interesting) by dltaylor on Tuesday January 06 2015, @02:58AM

        by dltaylor (4693) on Tuesday January 06 2015, @02:58AM (#132086)

        OAuth's main purpose is to facilitate cross-domain snooping^h^h^h^h^h^h^haccess, rather than just simplifying authentication.

        OpenID is adequate for that purpose.

      • (Score: 3, Interesting) by romlok on Tuesday January 06 2015, @09:35AM

        by romlok (1241) on Tuesday January 06 2015, @09:35AM (#132174)

        To use OAuth for login on a website requires adding explicit support for each OAuth provider. This means each website gets to, and has to, choose which identity providers they support. Big websites can thereby pick the winners and losers in the identity game.

        To use OpenID for login on a website requires adding OpenID support once. Then any identity provider - old, new, and not yet conceived - can be used to log in. Then it's the customers who pick the winners and losers in the identity game.
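The difference described in the comment above, as an added example that is not part of the original post or any project's code: an OAuth 2.0 login needs a pre-registered entry per provider, while OpenID 2.0 HTML discovery reads the provider endpoint from the user's own identity page. All provider names, URLs and the client ID are constructed placeholders, and the HTTPS-only rule is this example's own policy choice.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# OAuth 2.0 login: one hand-maintained entry per provider the site chose to
# integrate. Names, URLs and client_id are constructed placeholders.
OAUTH_PROVIDERS = {
    "bigprovider": {
        "authorize_url": "https://login.bigprovider.example/oauth2/authorize",
        "client_id": "PLACEHOLDER_CLIENT_ID",
    },
}

def oauth_login_url(provider, redirect_uri, state):
    """Authorization URL for a pre-registered provider, else None."""
    cfg = OAUTH_PROVIDERS.get(provider)
    if cfg is None:
        return None  # the site never registered with this provider
    query = urlencode({"response_type": "code", "client_id": cfg["client_id"],
                       "redirect_uri": redirect_uri, "state": state})
    return cfg["authorize_url"] + "?" + query

class _HeadLinks(HTMLParser):
    """Collects <link rel=... href=...> pairs from an identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            if a.get("href"):
                self.links.setdefault(rel, a["href"])

def openid2_discover(identity_html):
    """OpenID 2.0 HTML discovery: read the provider endpoint that the user's
    identity page declares. Returns None if it is absent or not HTTPS
    (the HTTPS requirement is this example's policy, an assumption)."""
    parser = _HeadLinks()
    parser.feed(identity_html)
    endpoint = parser.links.get("openid2.provider")
    if endpoint is None or not endpoint.startswith("https://"):
        return None
    return {"op_endpoint": endpoint, "local_id": parser.links.get("openid2.local_id")}

# Constructed identity page for a self-hosted provider the site has never seen.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid2.provider" href="https://id.selfhosted.example/openid/server">
<link rel="openid2.local_id" href="https://id.selfhosted.example/users/alice">
</head><body>alice</body></html>"""
```

Because discovery starts from a user-supplied identifier, a relying party doing this for real also has to treat the fetch of that page as untrusted input.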

    • (Score: 2) by kaszz on Tuesday January 06 2015, @03:07AM

      by kaszz (4211) on Tuesday January 06 2015, @03:07AM (#132090) Journal

      Because Microsoft has a deep negative karma. Anything they do will be considered bad - regardless.

      Seems however OpenID and OAuth after version 1 went complex and to become a tool of faulty implementations. For the benefit of organizations with big ears.

  • (Score: 3, Interesting) by MichaelDavidCrawford on Tuesday January 06 2015, @08:14AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Tuesday January 06 2015, @08:14AM (#132155) Homepage Journal

    In general, I don't want anyone at all to know what other websites I frequent.

    It's not so much a personal concern - it's not like you can't look up my name in a search engine. It's that I don't want websites to know what other websites any of its users visit.

    Quite commonly I am presented with "Log in with Facebook" or "Log in with Google". If I can create an account on that specific website, I will, but if I am only given the option to use a login that I've got at some other website, then I won't log in at all.

    So far this only prevents me from commenting on certain blogs.

    Were I really _forced_ to use a single-signon, I'd find some way to create the original account with a throwaway email.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by mtrycz on Tuesday January 06 2015, @10:38AM

      by mtrycz (60) on Tuesday January 06 2015, @10:38AM (#132182)

      Feels like I'd write the parent's comment verbatim, had it not already been written.

      --
      In capitalist America, ads view YOU!
    • (Score: 2) by darkfeline on Tuesday January 06 2015, @11:54PM

      by darkfeline (1030) on Tuesday January 06 2015, @11:54PM (#132414) Homepage

      Host your own OpenID server?

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 3, Insightful) by pgc on Tuesday January 06 2015, @12:12PM

    by pgc (1600) on Tuesday January 06 2015, @12:12PM (#132199)

    As I understand it, OAuth is more an authorization mechanism (and incorporates an authentication mechanism) while OpenID is an authentication mechanism.

    So much for me using my googleId as my login for several sites... these sites have no business in my Google data.

  • (Score: 2) by digitalaudiorock on Tuesday January 06 2015, @02:04PM

    by digitalaudiorock (688) on Tuesday January 06 2015, @02:04PM (#132227)

    Does anyone understand offhand if this affects updating Google Calendar via ClientLogin?

    I have backend server code that does that...that is, updating one specific calendar for which the server has the login information. I recall from when I coded that that OAuth just didn't appear to be even remotely suitable for replacing that.