Remember OpenID? Yes, that's what it was for. OAuth was never meant for signing in to other websites who just want your mail or something... Of course, all these big tech corps quickly dropped OpenID; they don't want people to control their online credentials or identity...
OpenID hasn't died at all - it's just used in a different context. We implement this now for SSO in corporates to unify fragmented IAM scenarios.
Accepting any domain as an OpenID IdP is not likely to be a feature of publicly facing sites, as they still provide the ability to create / register / use these accounts for spam and other unwanted abusive purposes.
Really, I think OpenID died because it didn’t see significant enough adoption. I remember the user flows being a bit clunky, which certainly didn’t help.
With OpenID, basically everyone used a third party ID provider, and so you were just as dependent on that provider as with OAuth. Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world. If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”
If OAuth was never meant for signing in, then putting Auth in the name was a funny choice. You add the qualifier “websites who just want your mail or something”, but I’ve never seen a single mailing list sign up that used OAuth.
> Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world.
You could pay someone to host it with reasonable guarantees they won't delete your account on a whim and no recourse.
Or you can use a free service that you somewhat trust with your own domain, so you can point the domain to another provider if you need to. Almost no technical knowledge required for that.
> If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”
Same for email, which is what identity relies on instead of OpenID.
And self-hosting OpenID is much easier than email: you just need domain + LAMP (or equivalent), and don't have to deal with DKIM, SPF, being blacklisted from Gmail/Hotmail, ...
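The "point your domain at another provider" idea in this comment is OpenID 2.0 HTML-based discovery: the page at the user's own URL carries `<link rel="openid2.provider">` (and optionally `openid2.local_id`) tags, so the relying party learns which provider to talk to, and the user can change those two lines to move providers. The following is an added example, not code from the thread or from any OpenID library; the domains `alice.example` and `op.example.net` and the HTML pages are constructed for illustration. It implements the discovery step a relying party performs, with the check that the discovered endpoint is HTTPS.

```python
"""OpenID 2.0 HTML-based discovery (added example, not part of the thread).

A user's own page delegates authentication to a provider via <link> tags;
a relying party parses those tags to find the OP endpoint and local id.
Falls back to the OpenID 1.x rel names (openid.server / openid.delegate).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> element in the page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may carry several space-separated tokens; first one wins
            for token in rel.lower().split():
                self.links.setdefault(token, href)


def normalize_claimed_id(user_input: str) -> str:
    """Turn what the user typed (e.g. 'alice.example') into a claimed
    identifier URL: add a scheme, lower-case the host, ensure a path,
    and drop any fragment (OpenID 2.0 section 7.2 normalization)."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme, parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(claimed_id: str, html: str, require_https: bool = True) -> dict:
    """Return provider endpoint, local id and protocol version found in
    the HTML served at claimed_id. Raises ValueError when no provider is
    advertised or the endpoint is not HTTPS (unless require_https=False);
    a relying party should never send the user to a plaintext endpoint."""
    collector = _LinkCollector()
    collector.feed(html)
    links = collector.links
    if "openid2.provider" in links:
        endpoint = links["openid2.provider"]
        local_id = links.get("openid2.local_id", claimed_id)
        version = "2.0"
    elif "openid.server" in links:
        endpoint = links["openid.server"]
        local_id = links.get("openid.delegate", claimed_id)
        version = "1.1"
    else:
        raise ValueError("no OpenID provider link found at %s" % claimed_id)
    if require_https and urlsplit(endpoint).scheme.lower() != "https":
        raise ValueError("provider endpoint %s is not https" % endpoint)
    return {"claimed_id": claimed_id, "op_endpoint": endpoint,
            "local_id": local_id, "version": version}


# Constructed sample pages (not real sites). Changing the two href values
# on ALICE_PAGE is all a user needs to do to switch providers.
ALICE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/openid">
<link rel="openid2.local_id" href="https://op.example.net/users/alice">
</head><body>Alice's home page</body></html>"""

LEGACY_PAGE = """<html><head>
<link rel="openid.server" href="https://old-op.example.net/server">
<link rel="openid.delegate" href="https://old-op.example.net/alice">
</head></html>"""

PLAINTEXT_PAGE = """<html><head>
<link rel="openid2.provider" href="http://op.example.net/openid">
</head></html>"""

if __name__ == "__main__":
    cid = normalize_claimed_id("alice.example")
    print(discover(cid, ALICE_PAGE))
```

In a real relying party the HTML would be fetched from the claimed identifier (after trying Yadis/XRDS discovery first); here the pages are embedded so the parsing and the HTTPS check can be exercised offline.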
> You could pay someone to host it with reasonable guarantees they won't delete your account on a whim.
Each user having to find a hosting provider and pay them... it seems like a non-starter. Think about the non-technical people in your life. That solution would only help the very few people who both understand the details of OpenID, and care about the possibility of losing account access at a deep level. Most people have other important stuff going on in life, so good luck convincing them to adopt self-hosted OpenID at greater cost (and effort) to themselves.
This is even assuming that the hosting provider also acts as a domain registrar so each person doesn’t also have to figure out how to buy and own a domain name, to truly own their OpenID, because that would either make this solution much less meaningful in terms of control (with no custom domain), or make it that much harder.
> Same for email, which is what identity relies on instead of OpenID.
I’m not here to argue for self hosted email. There are many email hosting providers that make it relatively easy for you to bring your own domain name... but this is irrelevant. Signing in with an email and password continues to work even if the email account has been suspended. So, it’s not the existential threat that the article is concerned about.
I think the more realistic solution for users is the new FIDO2 standard that will hopefully see adoption soon.
I think Google has done a similar thing on Android, but Apple has for sure made every (up to date) iPhone, iPad, and Mac able to act as a FIDO2 Platform Authenticator.
Even if the user signs up via OAuth, websites can give the user the choice to sign in via FIDO2 on each device. At that point, users could sign in from those devices even if their Google account were suspended, giving the website a chance to help the user migrate their account authentication.
The FIDO2 flows seem very user friendly, but... the standard is so new, broad adoption remains to be seen.
That is why basically every implementation provided a big "Log in with Google" button. It was basically no effort to implement (it just fills in the Google OpenID URL) and solves the problem of the people who don't have enough distrust in Google to self-host.
Have there been any retrospectives or published thoughts around why OpenID failed? Ideally an extensive, impartial report would be nice to read through.
While it's easy to blame big technology companies for the failure of open standards, there might be other reasons behind it (as well as companies trying to prevent it from succeeding).
OpenID failed because you had to sign up to an OpenID provider and then copy and paste some weird URL from there into websites you wanted to use.
Why would anyone bother with that hassle when you can just put in your email address (that you already have & know) and a password?
In contrast, OAuth succeeded because most people already have a Facebook / Gmail / Github account, which meant that sign up just becomes clicking a single button which is easier than email signup.
OpenID was more difficult than email signup, whereas OAuth is easier.