OpenID announcement leads to Google kerfuffle
Google's announcement of testing on a new API for OpenID identity providers drew cheers from some quarters. But a few observers seethed at a perceived breach of orthodoxy.
The new API, announced Wednesday, would allow users to log in using their Google account information. Google based that choice on multiple studies indicating that users found it easiest to use information they already easily remembered, such as their e-mail address.
Google would require a site accepting OpenID login (the "relying party") to send an XML document request to Google's OpenID servers. Those servers would examine the request and, if accepted, will pass back a second XML document with an OpenID URI linked to the e-mail in question.
The problem is, according to the specifications that's not how you do OpenID. Instead, the relying site is supposed to go to the providing site -- in this case, Google -- and seek an XRDS (Extensible Resource Descriptor Sequence) file. Google's OpenID developers, who were according to their blog thinking mainly about new research describing the "human-facing" (user experience) aspects of the OpenID process, mentioned only briefly that the tests posted Wednesday were for limited access to the API.
But the crowd, by which one means a blogger with followers, went wild. Fuming that "basically, Google has rewritten OpenID," The NeoSmart Files blogger Mahmoud al-Qudsi accused the Google team of causing chaos, holding a "perverted vision of the OpenID standard," and failing to adhere to their famous no-evil ethos.
His readers picked it up, and within a few hours the buzz had morphed from Google's taking OpenID seriously! to Google's subverting OpenID! (A cynical observer might imagine Microsoft, which announced its own OpenID support initiative on Monday mainly to polite applause, watching the uproar with a sardonic air of been-there-done-that.)
In a follow-up on the Google Code Blog, Google security team member Eric Sachs posted essentially a very polite suggestion that everyone "read the fine manual," pointing out that the missing XRDS file wasn't part of some great conspiracy but an intermediate launch step. Sachs says the company is working to push that file live as quickly as possible.
Sachs also took some time to answer other, more relevant questions concerning Google's lassitude in becoming not just an OpenID provider but an OpenID relying party. According to Sachs' writing, the problem lies with the universe of rich-client apps that are hard-coded to request a username and password. Until that problem is overcome, federated login is apt to be a distant dream -- though Sachs invited anyone interested in working on the problem to dive into the discussion.