Wednesday, October 29, 2008

Google moves towards single sign-on with OpenID



Currently users are required to create individual passwords for many websites they visit, but users would prefer to avoid this step so they could visit websites more easily. Similarly, many websites on the Internet have asked for a way to enable users to log into their sites without forcing them to create another password. If users could log into sites without needing another password, it would allow websites to provide a more personalized experience to their users.

In September we announced some research that we shared as part of an effort by the OpenID community to evaluate the user experience of federated login. Other companies like Yahoo have also published their user research. Starting today, we are providing limited access to an API for an OpenID identity provider that is based on the user experience research of the OpenID community. Websites can now allow Google Account users to log in to their website by using the OpenID protocol. We hope the continued evolution of the technical features of OpenID, as well as the improvements in user experience, will lead to a solution that can be widely deployed for federated login. One of the companies using this new service is www.zoho.com. Raju Vegesna at ZoHo says that "We now offer all our users the ability to login to ZoHo using their Google Account to avoid the need to create yet another login and password."

The initial version of the API will use the OpenID 2.0 protocol to enable websites to validate the identity of a Google Account user, including the optional ability to request the user's e-mail address. Below is an example of the flow that a user might see if he or she starts at a website that uses this new feature:

The website could use a modified login box that looks like the one below. If the user enters a Gmail address and indicates that he or she does not have a password for this site, then the site can redirect him or her to Google.



The user would then be taken to the Google website and asked to confirm whether he or she wants to sign in to KidMallPics.



Finally, the user would be redirected back to KidMallPics, where he or she would be immediately signed in.
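
The relying-party side of the redirect flow described above, as an added Python illustration (not Google's code and not part of the original post): it builds the OpenID 2.0 request with the optional e-mail attribute and runs the checks a site should make on the redirect back before it verifies the signature. The endpoint, the site URLs and the `st` session parameter are assumed placeholders.

```python
from urllib.parse import urlencode, parse_qsl

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
# Assumed placeholders, not values from the post.
OP_ENDPOINT = "https://op.example/openid/endpoint"
REALM = "https://rp.example/"
RETURN_TO = "https://rp.example/openid/return"
# Fields that must be listed in openid.signed (OpenID 2.0, section 10.1).
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
             "claimed_id", "identity"}


def build_auth_request(session_token):
    """URL the site redirects the browser to when the user picks the provider."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        # identifier_select: the provider, not the site, names the user.
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": REALM,
        # Bind the round trip to this browser session.
        "openid.return_to": RETURN_TO + "?" + urlencode({"st": session_token}),
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.email": AX_EMAIL,
        "openid.ax.required": "email",
    })


def check_assertion(query, session_token, seen_nonces):
    """Checks on the redirect back, to run before verifying openid.sig.

    Returns (claimed_id, email or None); raises ValueError on any failure.
    """
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if p.get("openid.op_endpoint") != OP_ENDPOINT:
        raise ValueError("assertion names a different provider endpoint")
    base, _, rt_query = p.get("openid.return_to", "").partition("?")
    if base != RETURN_TO:
        raise ValueError("return_to does not point at this site")
    st = dict(parse_qsl(rt_query)).get("st")
    if not session_token or not (st == p.get("st") == session_token):
        raise ValueError("assertion is not bound to this browser session")
    nonce = p.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:
        raise ValueError("missing or replayed response_nonce")
    signed = set(p.get("openid.signed", "").split(","))
    if not MUST_SIGN <= signed:
        raise ValueError("required fields are not covered by the signature")
    claimed_id = p.get("openid.claimed_id", "")
    if not claimed_id or claimed_id == IDENTIFIER_SELECT:
        raise ValueError("no per-user claimed_id in the assertion")
    email = None
    # The provider chooses its own aliases, so locate AX and e-mail by URI.
    ax_aliases = [k[len("openid.ns."):] for k, v in p.items()
                  if k.startswith("openid.ns.") and v == AX_NS]
    for ax in ax_aliases:
        for k, v in p.items():
            if k.startswith(f"openid.{ax}.type.") and v == AX_EMAIL:
                attr = k.rsplit(".", 1)[1]
                need = {f"ns.{ax}", f"{ax}.type.{attr}", f"{ax}.value.{attr}"}
                if not need <= signed:
                    raise ValueError("e-mail attribute is not signed")
                email = p.get(f"openid.{ax}.value.{attr}")
    seen_nonces.add(nonce)
    return claimed_id, email
```

These checks only decide which fields may be trusted once the signature is valid; the site still has to verify `openid.sig` and confirm through discovery that the provider is authoritative for the returned `claimed_id`. The account key is that returned `claimed_id`, not the e-mail address the user typed.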



More information about this new API can be found on the Open ID page in Google Code. To request access to the limited trial, please visit our Google Federated Login discussion group and register using the online registration form.

Google is also working with the open source community on ways to combine the OAuth and OpenID protocols in the future. That way a website can not only request the user's identity and e-mail address, but can also request access to information available via OAuth-enabled APIs such as Google Data APIs as well as standard data formats such as Portable Contacts and OpenSocial REST APIs. In the future, this should allow a website to immediately provide a much more streamlined, personalized and socially relevant experience for users when they log in to trusted websites.

88 comments:

  1. Great work guys! This is a huge win for OpenID!

  2. Allen, huge win, how so?

    The user enters an email address, not OpenID's vigorously promoted xri/http uri. (There are email-to-URI extensions, but they are not finished and optional.)

    Technically this sign-on may use OpenID, but note the end-user is unaware, and sees nothing of it.

    I'd rather think this could be a loss for OpenID as a whole. Out of sight, out of mind, you know. Curious what you think.

    (BTW, I have no idea why Blogger mangles my nick name like that. It's not in my provider attributes.)

  3. Are there any plans to accept OpenID from other providers? At the moment I'll still need a Google OpenID for Google websites, a Yahoo! OpenID for Yahoo! websites, ad infinitum.

    Until the big players start accepting 3rd party OpenID, as well as their own, I still need multiple usernames and passwords.

  4. it should be http://gmail.com/u/hongxiaowan
    for openid like hongxiaowan@gmail.com, need to update protocol for OpenID.

    Good work, but not enough. Remember compatibility...

  5. If Google starts accepting OpenID's for logging into their various services, that would be great.

  6. So what's the name of my Gmail OpenID? I don't understand that. My Gmail address has the form of an email address, but my OpenID is an URL.

  7. This is great news - congratulations and many thanks to the Google team working on this project.

    Just like to point out though - OpenID is absolutely useless if each site just works as an authentication server but doesn't accept logins from other OpenID providers..... we're back where we started with a million different logins for a million different sites unless someone bites the bullet and lets users log in with accounts initially registered on a different OpenID server!

    Google, the ball is squarely in your field!

  8. @nick
    Just about every popular and publicly-accepted technology is "out of sight". That is a sign of human-ready technology.


    The end-user being unaware of OpenID is fine, as long as they are USING it.

    @davidowens

    Google's blogger accepts OpenID from any Provider. I don't think Yahoo has any sites that accept OpenID from ANYONE, yet. I believe you're confusing the concepts of "Provider" and "Relying Party".

    @hongxiaowan

    Yes, the power of OpenID is in the URL. It is important that a single URL is resolved to as the final destination of an OpenID. But using an e-mail identifier as a delegator to that URL drives adoption. The reason OpenID has so much momentum around it is because the true test of a federated login IS adoption, and the OpenID community is innovating in this area like no other federated solution has before it.

  9. @nick No extensions needed. All RPs already accept Yahoo email addresses as OpenIDs, for example.

    This is because http://username@domain.tld/ is a valid URL and can thus be used as an OpenID.

  10. Oh gee, goodie, another OpenID provider. How about one of you big boys realizing that we don't want more providers, we want consumers. Let me log in to all my Google properties (not just blogger comments, the only thing I can tell Google allows external providers for) with my already existing, well established OpenID of choice.

  11. One more useless OpenID provider.

  12. No IDisposable and Stas, it's you two who don't understand. We DO need more OpenID providers! As a website developer, I want as many people to use my website as possible. Signing up for an account on my website - or any new website for that matter - is a hassle and people generally want to avoid that. A lot of people have a Google account, and if they can sign in with that then it's a huge win. Don't care whether I can sign in to Google with OpenID, I just want my users to be able to sign in with their Google account. Most users don't even know what OpenID is.

    It's all about usability. Grasp that, please!

  13. URL format will equal to email format, just need to convert email to url, short code needed:

    1. OpenID provider give API, return the OpenID URL template:

    for example:  we can get the template from http://openid_url_api.zuosa.com,

    Then this API will return the template like this:

    http://###openid_domain###/###openid_id###

    We finally need this OpenID URL:

    http://openid.zuosa.com/hongxiaowan

    2. Convert email format to URL format, a PHP sample:

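    <?php

    echo openid_convert_email_to_url("hongxiaowan@zuosa.com");

    // Build an OpenID URL from an e-mail address using the provider's URL template.
    function openid_convert_email_to_url($openid_email)
    {
        // Split into local part [0] and domain [1]; reject anything that is not
        // a well-formed address before its domain is placed into a URL.
        $openid_pieces = explode("@", $openid_email);
        if (filter_var($openid_email, FILTER_VALIDATE_EMAIL) === false || count($openid_pieces) !== 2) {
            return false;
        }
        // Fetch the URL template from the provider's template API.
        $openid_url_format = file_get_contents("http://openid_url_api." . $openid_pieces[1]);
        if ($openid_url_format === false) {
            return false;
        }
        // Fill the two placeholders in the template.
        $openid_url = str_replace("###openid_domain###", $openid_pieces[1], trim($openid_url_format));
        $openid_url = str_replace("###openid_id###", $openid_pieces[0], $openid_url);
        return $openid_url;
    }
    ?>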

  14. Sorry, the template should be:

    http://openid.###openid_domain###/###openid_id###

  15. E-mail is not a valid OpenID URI.
    Yahoo resolves this problem very easily - users must just enter http://yahoo.com
    Why can't Google do the same?

  16. It is fantastic, I hope it will work in a streamline fashion across all sites instead of having multiple OpenIDs

  17. Great job! I wish we can use our Google ID to every web service out there :D

    ---
    Michael Aulia
    http://www.michaelaulia.com/blogs

  18. In my opinion, this looks like basically just another closed, tied-to-one-vendor authentication scheme that just happens to use OpenID internally.

    I note that you expect anyone taking part not just to get your permission to use the service, but that they also have to hard-code a Google-specific URL and logic into their authentication code. That's hardly open or scalable.

  19. If I went to that website, I would have no idea that I could log in with my OpenID account (which is NOT my e-mail address). Also, why would I give my e-mail address to a random website that I don't trust not to spam me.

    This is not OpenID, it's a proprietary Google API that resembles OpenID in some of the implementation details, and is in fact pulling users away from a truly open system where they can have ANY identity server they like.

    No doubt other e-mail address providers could also implement this system, but not all of them would, since it's not part of SMTP.

  20. hey guys it works
    http://kidmallpics.com

  21. The big problem from my end as someone who runs a website is that I want to confirm that REAL people are joining the site, not just an email address. At the moment we have a large number of people joining from XYZ123@32784683246.cn, who are invariably spam merchants. Whilst I respect Google's efforts, and like the idea of OpenID, I'm still not going to accept a webmail address as proof of a "real" person.

    I've found a great many sites where I've wanted to leave a comment, but didn't because of sign-up hassles....but I can't remember which ones. Probably a sign that I didn't really need to that much. There's a balance between ease of sign-up and accountability, and at the moment the sheer hassle of an individual login seems to solve that perfectly. If you can't be bothered, you don't deserve to.

  22. Welcome to buy gsm TV dual sim cards bluetooth mobile phones directly from China,http://www.iselling.cc

  23. I would prefer to use a URI than a email. email is for email not auth.

  24. This is NOT OpenID - it goes against the whole OpenID principle of having 1 username able to login to multiple sites. Where is the single sign on?

  25. Hi :-)
    The OpenID solution sounds good, but what about the security threat here? Can I enter somebody else's Google ID and log in? How are we addressing such issues? If the user enters authentication details (username & password), then how safe is it?

    I can think of one solution. Tell how it could be if user can enter password which is visible ( normal text box rather than password box) , but still others can't login? :-)
    Do u like this solution ? :-)

  26. Or What if there is no terminology "Password" in login, still its secured!!!!!! Does this sound good?

  27. Good Job! I prefer Gmail account as my OpenID.

  28. This is not the OpenID standard. Please see http://neosmart.net/blog/2008/google-doesnt-use-openid/

  29. Except it's not OpenID, is it? It's GopenID, or GoogleID, or Andro-ID, or some other pointless fork of an existing and well-established standard.

    What is it with you guys that your idea of getting in line with a standard is to rewrite your own, incompatible version of it.

    Come and actually work with the rest of the community for a change. We don't bite. Much.

    Mostly when big companies that ought to be smart enough to have a clue consistently demonstrate that, for whatever reasons, they actually don't.

    Even Microsoft managed to get it righter than this? What's your difficulty?

  30. This is a nice step forward, it's very practical.
    However, I already have an OpenID with my blog, using my blog's URL, and I have trouble understanding that I now have 2 with my Gmail account... which one should I use in the end?
    Besides, the OpenID from my Google account doesn't work here, for example... I had to enter the one from my blog. I don't get the subtleties, but that will no doubt come...

  31. Nice guys, but please allow reciprocity by allowing other open ID providers to sign us in for some google services (I can understand if gmail is a big no :). That'd be a great step towards unified login!

  32. Sad that he could not support openid url (example smith.gmail.com )

  33. How does this work for people on hosted apps?

    PS: Even in blogger as I am leaving this comment, I tried to just enter my email as an OpenID and it gave an error of : OpenID url is missing.

  34. Completely useless, since this is just opening up your GMail account as a way to authenticate yourself on a third-party website.

    Far from OpenID thus.

  35. Yep, another OpenID provider, but not consumer... Not so useful!

    The point of OpenID is (among others) to forget about all the 1213234684 passwords you have to remember by reusing your OpenID identity. At the moment, you can create more and more OpenID, but not use them because so few services accept openid from other providers...

    And Google is another example of this phenomenon! See the Ars article on this subject:
    http://arstechnica.com/news.ars/post/20081029-openid-being-balkanized-even-as-google-microsoft-sign-on.html

  36. Some sites have already started to misuse the facility, and using these popular sites for authentication makes the users think that they have been recognized by these standard sites. For example, a site wants you to sign up using a Gmail account; actually they are creating a new user for their site, and they can steal the address book of the person who is registering and misuse it for tasks such as sending invitations. Recently I saw a site which sent invitations even though I didn't select any of my friends for invitation in the wizard page. Beware of the so-called 'facility' of using a single login.

  37. So when can I log into my google account with an existing OpenID?

  38. Google can allow a user to use signins from another provider. A common misconception is that google would have to allow registration-less signins. Google however could still require a user to create a registration and username with google and then allow users to link their openids to that registration, allowing them to login to the google account they register with the openid.

  39. A proper step in the right direction... a long way to go yet though!

  40. Nice work Google, but I'll stick to my own.

  41. Good work. Look forward to seeing more.

  42. Well, this is something that we should have expected - Google becomes more and more monopolist; at the start they respected standards, but now, in full power, they can and will drop any "that pesky recommendations".
    Now Microsoft, lol

  43. Nice blog design...what's it called and where can I get some?!

  44. geoff, if you want unique identity, you use a URI, if you want humanness, you use a CAPTCHA.

  45. What happens with the example site if the user enters "user@yahoo.com" instead of "user@gmail.com"? Does the site need to know that yahoo also provides OpenID functionality? What if the user enters "user@someotherdomain.com"? Which might well be an OpenID provider but obviously for the sake of this example the site doesn't have prior knowledge of that functionality.

    Is google proposing a standard way to convert any email address into a format suitable for OpenID? If I wanted to support this, would I convert user@gmail.com into http://user@gmail.com/ and similarly user@someotherdomain.com into http://user@someotherdomain.com/?

  46. Is it possible to add OpenID URLs to the list of people who can administer/post to the blog?

    (Or)

    Is it possible to link our Google account with an OpenID URL?

    Both would be totally awesome.

  47. What I don't like about this solution is that Google teaches people to leave our Gmail address at every other site. And given the fact that there is a password field there as well, chances are that people will easily be fooled into entering their Gmail password as well. If this is a spoof site, it now has total access to your Gmail account...:/

  48. tell me how can i get my own blogging site?

  49. What if I have a preexistent openid account (I.E. Claimid)?

  50. This is a great development for OpenID, and more importantly for the websites and end users that can benefit from faster and easier registrations and logins using existing accounts with Google, Yahoo, AOL, and many other OpenID providers.

    JanRain's RPX (http://www.janrain.com/products/rpx) OpenID website enabling service has already integrated and deployed support for Google's OpenID service. You can see a demo at www.velog.com.

    You can also see some case studies of successful OpenID deployments with measurable benefits at: http://www.janrain.com/openid/casestudies

  51. I love Google API!
    I know a very good site that uses this. It's a real estate search engine called Imobilien.

  52. Google is EVIL
    another dangerous product of google.
    They are going to get all information of users like search habits,social,personal,mail and now passwords.

    stay safe!

  53. I don't see why this OpenID business is helping me from Google's perspective. If all I only wanted to _USE_ was _ONE_ OpenID, whose OpenID would I use (Google, Microsoft's or My own)?

  54. I was already working something similar to this by using the GAuth for desktop application for my website rather than the recommended GAuth for website so i can get the email address X_X

    http://corruptedpartition.blogspot.com/2007/09/google-account-authentication-for.html

    Anyway i think its also important to allow OpenID providers to sync data between each other like i can register to Google's OpenID using MSN's OpenID and all my info at MSN gets synced on Google then i can just use Google OpenID but if i change an info on Google OpenID, Google must sync back that info to MSN. It must be give and take auto-magically; of course it must available as an option to set it on and off like "tick here to autocast login spell" ^_^

  55. I already have an OpenID thanks. Why would I want to use Google's?

    Can I use mine on Google's services? Well, yes, on blogger I suppose.

    What else?

  56. Well, I already tried it with Gmail and with Hotmail and I couldn't post...

  57. This is cool, and I can't wait to see this snugging up with the actual standard.

    Implementation of new things is hard, and if it's easier to get a foot in the door this way, then I'm all for it. This is provided that big G take the steps for full implementation.

  58. Ok, so now how do I migrate my existing accounts to use my OpenID? For example, I already have accounts at Amazon, LinkedIn, Facebook, etc. I don't want to lose all my historic data just to use OpenID.

  59. Just a comment to let people know that it's really easy to set up your own OpenID identity server. This way, you control your own credentials... See my post about it: login everywhere using your own identity server

  60. There are going to be problems with this. Primarily what will I login with if I go to a site that shows OpenID and Google Account Logins. I have used OpenID from Blogger to go to a site that only supports OpenID (not google account). Other sites only support Google Account (not OpenID). Now I found a site that I can login with my OpenID (from Blogger) or my Google Account. What am I supposed to do?? Google should just have figured out a way to implement the OpenID Blogger has and give it to users that don't have blogs. Maybe give them a blogspot page without necessarily having a blog. This would have been better for OpenID and for users.

  61. This "walled garden disguised as openness" approach is the wrong way to go, Google, you know it is!

  62. This is not an open ID. Period. Move on, people. No PR points for Google here.

  63. Like many have already stated, this does not conform to OpenID standards because the ID should be a URL string, not email. I've already tried to add my Gmail "openID" to many sites that support openID but they all fail with an error stating that my email address is not a valid openID. It should not be the responsibility of each and every service provider to modify their apps because Google did not conform to specs. Unfortunately, most providers will adapt just because there are so many Gmail users but I'm disappointed about this implementation.

  64. trying to post with this open id and getting a cant verify error! any help available?

  65. Thanks for this thread. I have been asked to implement OpenID on a number of services. Google's screwing with the standards confused the hell out of me as to what an OpenID actually was! Now I know that I am not alone in not knowing what my Google OpenID is (not). I am most disappointed in this, Google, and it confirms the hate side of my relationship with you; it just confirms that I need to be taking my and my clients' services away from your servers.

    Thanks for the thread.

  66. Hmm, I can't see anything openid here. Seems like protocol is somehow similar but a pure openid implementation can't handle it.
    I see that the URI for all users is https://www.google.com/accounts/o8/id
    But then that can't be used as an identifier, because everybody with a Google account can log in with it.
    So authentication module of the consumer/relay needs to have special logic to handle google auth.

  67. I lol that you can't comment here using the OpenID url: https://www.google.com/accounts/o8/id

    aka Google fails at properly implementing it as they should be able to see on their own google product: Blogger

  68. Could any of you please explain to me how come people who signed up as followers with yahoo email accounts cannot post a comment on the blog???? PLEASE HELP IF YOU CAN

  69. Can anyone tell me how to operate OpenID with Gmail?
