Monday, November 29, 2010

Google’s sample OpenID relying party site

More and more websites are enhancing their login systems to include buttons for identity providers such as Google, Yahoo, Facebook, Twitter, Microsoft, etc. Users generally prefer this approach because it makes it easier for them to sign up for a new site that they visit. However, if a user already has an account at a website and is used to logging in with an email and password, it is hard to get them to switch to using an identity provider.

Google has recently released a sample site that shows how a website can migrate users away from password-based logins, and instead have them leverage an identity provider. This sample site incorporates many of the ideas of the Internet Identity community, as well as feedback from numerous websites that have been on the cutting edge of applying these techniques. The following video provides highlights of some elements of the user experience.

The sample site is at, but we suggest first reading this FAQ which describes the site and has links to additional videos of some of the features. We hope website developers will use these techniques to reduce the need for passwords on their site.


  1. Interesting UI/UX for OpenID. I like the fact that the UI doesn't say OpenID anywhere. Most users don't understand what OpenID is, and should not have to learn about it to use it.

    One suggestion: You should add the following to the list of providers on the Connect with any account tab:
    yahoo japan

    All of them support unbound discoverable URLs

  2. I would love, I mean LOVE, to move all my own and my clients' WordPress blogs over to using OpenID or OAuth or whatever you guys are half-heartedly pushing this week. The problem is that it's almost impossible.

    Google sends very confusing messages as to the support of OAuth or OpenID. And doesn't OpenID involve knowing some crazy identity URL? If you start looking, which I have many times, you don't get too far before you realize it's impossible.

    When you can write relying party authorization code in less than 50 lines of PHP and only a few concepts to understand, it will be a reality, but that's not the case today.

    I'll look at your new links, but I imagine that all this test site proves is that if you're a large company like Google with an entire team of highly paid developers you can barely get an OpenID relying party site working.

    For the rest of us who have one developer and a budget of less than $3,000,000, how does it work?

    Just so you know, I was a developer at Microsoft for 10 years developing UI APIs, so I'm not challenged on programming skills.

    I'm frustrated that when you look into doing this and you want a simple thing (people have a username and password for gmail, let's use that) you open up this complex can of worms and explosion of "standards" and concepts that's impossible to deal with.

    "Use OpenID, with a URL, no with an email address, no create the URL from the email address, no use OAuth, no don't version 1.0 is insecure, use OAuth 2.0, not don't it's not finished, no use OpenID!"

    Twitter's API is amazingly simple by comparison.

    When you can come up with less than 50 lines of PHP for flexible relying party OpenID or OAuth (not including some giant library I have to download and keep updated) call me. Or just post another post, I'm subscribed to your RSS feed.

  3. Facebook is an OpenID provider??

  4. @Matt: Have you looked at the Federated Login feature in Google App Engine? With Federated Login, you can essentially add OpenID functionality with as few as 15 lines of code.

    @Simon: Nope, but they have Facebook Connect.

  5. It would be great to have federatedux demo open sourced. I would like to use the login box on my app engine app.

  6. @florian: The following page has all the necessary details for setting up Federated Identity for AppEngine apps:

    And a sample application created using the above docs:

  7. Great idea, but are you kidding? How obtuse could you guys set this up? I am trying to log in to a site and need my OpenID; the instructions for using my Google info are cryptic; the URL does not work? When I click what is this "openid" on the site I get another cryptic unhelpful wiki article???