I really want to like OpenID, but the more I find out about it, the more I begin to hope it fails, so that something better can emerge.
The idea, as I originally came upon it, appealed: “you already have identities you can prove are yours, in the form of URLs – why not use them as a universal sign-on?” And obviously, the main URL I control is this one – https://rwec.co.uk – and OpenID allows me to use that identity without having to run my own identity server. This is called delegation, and lets you “delegate” your own URL to another identity (that is, another URL), on a server that’s set up to do the OpenID negotiation.
To me, delegation is the single most appealing feature of OpenID – if this is to be my “one identity to rule them all”, I don’t want it vulnerable to supplier lock-in, and the fact that https://rwec.co.uk is my property guarantees me continued control. But when I started looking into the details earlier, I was confused, then dismayed, at how much of a poor relation delegation has become in the OpenID world.
Now, the “get an OpenID” page boasts that lots of my existing accounts can be used as an OpenID – including Yahoo!, Google, and LiveJournal. “Brilliant,” I thought, “I’m always logged in to Yahoo!, to use Flickr, I can delegate to that.”
So, how do you implement delegation? “It’s simple,” I’m repeatedly told, “you just add 2 link tags to your HTML head!” The get an OpenID page gives a very brief mention of delegation, as a nice little side-line you might want to play with, and links to this ancient tutorial telling you what link types you need to add. There are two problems with that tutorial:
- An immediate unanswered question is “what do you put in the value of those 2 tags?” – one is evidently the URL you are delegating to, but the other – no clues given.
- Less obvious, but even more serious, is that the post is out of date – it describes the tags for OpenID version 1.1, but most services now implement OpenID 2.0, which uses different tags (although the values, it turns out, are much the same).
Next, I found a nifty little site called Delegatid, which lets you enter an existing OpenID, and generates the HTML for delegating to it. Perfect! Except that when I entered my LiveJournal account, it generated a seemingly invalid http-equiv="X-XRDS-Location" header, and only the OpenID 2.0 links, even though LiveJournal supports OpenID 1.1. Not sure why, not sure who to tell.
But here’s the real kicker: if I delegate to my Yahoo! ID, it doesn’t actually delegate – the headers work fine, I authenticate myself with Yahoo!, and then I’m logged into the site I’m trying to access (the “Relying Party” in the jargon). But I’m logged in with my Yahoo! ID, not my nice, permanent, lock-in proof URL. It turns out that in OpenID 2.0, Providers don’t have to support delegation – they accept the request, but return the ID they have for you, and the delegation acts as nothing more than a URL forwarding system. This is all tied up with the handy way you can enter “yahoo.com” in an OpenID login box, and it will authenticate you – obviously, you’re not claiming to own yahoo.com, just that they can negotiate an ID for you.
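To make the two-tag mechanism and the silent non-delegation described above concrete, here is an added example (not from this post): it pulls the OpenID 1.1 and 2.0 delegation links out of a claimed-identifier page, and applies the relying-party check that would catch a provider answering with its own identifier instead of the delegated one. The tag names are the standard ones for each version; the page content and every URL are constructed placeholders.

```python
from html.parser import HTMLParser

# Constructed sample claimed-identifier page carrying both the OpenID 1.1 tags
# (openid.server / openid.delegate) and the OpenID 2.0 tags
# (openid2.provider / openid2.local_id). All URLs are illustrative placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://op.example/id/alice">
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://op.example/id/alice">
</head><body><link rel="openid2.local_id" href="https://other.example/x"></body></html>"""

# version -> (endpoint rel, delegate rel): the "2 link tags" per OpenID version.
DELEGATION_RELS = {"1.1": ("openid.server", "openid.delegate"),
                   "2.0": ("openid2.provider", "openid2.local_id")}

class _HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags inside <head>; <body> ends collection."""
    def __init__(self):
        super().__init__()
        self.links, self.in_head = {}, True
    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if tag == "link" and self.in_head:
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                for rel in a["rel"].split():  # rel may carry several tokens
                    self.links.setdefault(rel.lower(), a["href"])

def discover_delegation(page_html):
    """Return {version: (endpoint, local_id)} per advertised OpenID version.
    No delegate/local_id tag means the claimed URL itself is the local id."""
    p = _HeadLinks()
    p.feed(page_html)
    return {ver: (p.links[ep_rel], p.links.get(id_rel))
            for ver, (ep_rel, id_rel) in DELEGATION_RELS.items() if ep_rel in p.links}

def delegation_honoured(claimed_id, discovered, asserted_claimed_id, asserted_identity):
    """RP-side check on a positive assertion: it must be for the identifier we
    discovered, not for whatever id the provider prefers to hand back."""
    _endpoint, local_id = discovered
    return (asserted_claimed_id == claimed_id
            and asserted_identity == (local_id or claimed_id))
```

The second function is what a relying party would need to refuse the "just a redirect" outcome: when the assertion comes back naming the provider's own URL as the claimed identifier, it returns False rather than logging the user in under that identity.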
So it turns out that both my Yahoo! and Google IDs support OpenID 2.0 only (sorry, early adopters, no logins for you!), and don’t support delegation; I have to sign up for an account with a random OpenID provider. Of which there are, um, lots, around – I can’t find any kind of matrix with even such basic details as “supports OpenID 1.1, supports OpenID 2.0, supports delegation”; there’s an OpenID Directory, but it feels more like an SEO exercise than an actual resource to help me choose. The Spread OpenID Provider Comparison would be promising, but it was formally abandoned in January. Nor will the Delegatid tool give me any warning that the delegation I’m setting up is no more use than a 302 redirect – I guess the auto-discovery protocol doesn’t handle this either.
And of course, I won’t be able to use it instead of my Google account, or my Yahoo! account – they don’t accept OpenID, they just provide it, with no delegation, so for them it’s just another way of taking over your online life. No thanks.