It documents the use of OpenID 2.0's directed identity mode. Yes
this is "a departure from the process outlined in OpenID 1.0", but
that could be considered true of all new features found in 2.0.
Google certainly isn't the first to implement this feature:
Yahoo's OpenID page recommends
users enter "yahoo.com" in the identity box on web sites,
which will initiate a directed identity authentication request.
We've been using directed identity with
Launchpad to implement single sign on
for various Canonical/Ubuntu sites.
Given that Google account holders identify themselves by email
address, users aren't likely to know a URL to enter, so this kind
of makes sense.
The identity URLs returned by the OpenID provider do not directly
reveal information about the user, containing a long random string
to differentiate between users. If the relying party wants any user
details, they must request them via the standard OpenID Attribute
They are performing access control based on the OpenID realm of the
relying party. I can understand doing this in the short term, as it
gives them a way to handle a migration should they make an
incompatible change during the beta. If they continue to restrict
access after the beta, you might have a valid concern.
It looks like there would be no problem talking to their provider using
existing off the shelf OpenID libraries (like the ones from JanRain).
If you have an existing site using OpenID for login, chances are that
after registering the realm with Google you'd be able to log in by
entering Google's OP server URL. At that point, it'd be fairly
trivial to add another button to the login page – sites seem pretty
happy to plaster provider-specific radio buttons and entry boxes all
over the page already ...
Yeah, looks like it's (mostly) ((but not quite, yet)) OpenID, so it
seems I might have jumped the gun a little.
If I did, it's mainly because Google does indeed have this habit of not
really engaging with the community at large all that well. I got very
tired over the past year of listening to folks like Eric Chu spout FUD
like "existing open source projects don't ship on schedule" (in spite
of the fact that GNOME ships every six months, like clockwork), that
"existing open source projects are too desktop-oriented" (which is
simply arrant nonsense), and the like, as justifications for reinventing
wheels all over the place--rather than actually working with the
Oh, and for what it's worth, I'd say the necessity to "plaster
another provider-specific radio buttons and entry boxes onto the login
page" pretty much defeats the purpose of OpenID, but maybe that's just
James Henstridge -
As I said, the protocol examples they give look like correct OpenID
messages (no "mostly" about it).
Once the OpenID realm white listing is out of the way (either by
registering a realm or when Google removes the white list), you'd be
able to log in using "https://www.google.com/accounts/o8/id" as an
identity URL – no special buttons required. If they wanted it'd be
pretty easy to make "google.com" provide the same discovery
information, similar to what Yahoo has done. Of course, this isn't a
big deal while the white list is in place since such sites will probably
be set up with a button.
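The mechanics the comments above describe (discovering an OP endpoint from an XRDS document, sending a directed identity request with identifier_select so the OP hands back an opaque claimed_id, fetching user details through Attribute Exchange, and checking return_to against the realm) can be seen end to end in the following Python example. It is added here for illustration and is not code from the thread, from Google, or from the JanRain libraries; the XRDS document, the op.example.com / rp.example.org URLs and the response parameters are constructed samples, and the opaque identifier in the sample response is made up.

```python
"""OpenID 2.0 directed identity from the relying-party side (added example).
Sample XRDS, URLs and response values below are constructed, not real."""
import urllib.parse
import xml.etree.ElementTree as ET

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
AX_NS = "http://openid.net/srv/ax/1.0"
XRD = "{xri://$xrd*($v*2.0)}"  # ElementTree tag prefix for the XRD namespace

# Constructed XRDS document of the kind an OP publishes at its identifier URL.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/server</Type>
    <Type>http://openid.net/srv/ax/1.0</Type>
    <URI>https://op.example.com/openid2/ud</URI>
  </Service></XRD>
</xrds:XRDS>"""

# Constructed positive assertion; the claimed_id is opaque and OP-assigned,
# so the only user detail the RP learns arrives via the AX fetch_response.
SAMPLE_RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/openid2/ud",
    "openid.claimed_id": "https://op.example.com/openid2/id?id=6t3gQ9kZp2Lw",
    "openid.identity": "https://op.example.com/openid2/id?id=6t3gQ9kZp2Lw",
    "openid.return_to": "https://rp.example.org/openid/return",
    "openid.ns.ext1": AX_NS,  # OP chose its own alias, not our "ax"
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "someone@example.com",
}


def discover_op_endpoint(xrds_text):
    """URI of the first <Service> advertising an OpenID 2.0 server endpoint
    (the directed identity type), or None if there is none."""
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type")}
        uri = svc.find(XRD + "URI")
        if OP_SERVER_TYPE in types and uri is not None:
            return uri.text.strip()
    return None


def return_to_matches_realm(return_to, realm):
    """Realm matching per OpenID 2.0 section 9.2: same scheme and port, realm
    path is a prefix of the return_to path, no fragment in the realm, host
    equal or matched by a leading "*." wildcard (at a label boundary)."""
    r, m = urllib.parse.urlsplit(return_to), urllib.parse.urlsplit(realm)
    if m.fragment or m.scheme not in ("http", "https") or r.scheme != m.scheme:
        return False
    default = 443 if m.scheme == "https" else 80
    if (r.port or default) != (m.port or default) or not r.path.startswith(m.path):
        return False
    if m.hostname.startswith("*."):
        rest = m.hostname[2:]
        return r.hostname == rest or r.hostname.endswith("." + rest)
    return r.hostname == m.hostname


def build_directed_identity_request(op_endpoint, realm, return_to, ax_attrs=None):
    """checkid_setup URL in directed identity mode: both identity fields are
    identifier_select, so the OP picks the user.  ax_attrs: alias -> type URI."""
    if not return_to_matches_realm(return_to, realm):
        raise ValueError("return_to does not match realm")
    params = {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": IDENTIFIER_SELECT,
              "openid.identity": IDENTIFIER_SELECT,
              "openid.realm": realm, "openid.return_to": return_to}
    if ax_attrs:
        params.update({"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
                       "openid.ax.required": ",".join(ax_attrs)})
        for alias, type_uri in ax_attrs.items():
            params["openid.ax.type." + alias] = type_uri
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urllib.parse.urlencode(params)


def verify_positive_assertion(params, discovered_endpoint):
    """Checks beyond signature/nonce validation (which a library does): the
    assertion must come from the endpoint we discovered and must carry a
    concrete claimed_id.  A real RP then re-runs discovery on that claimed_id
    and confirms it names the same endpoint (spec section 11.2)."""
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    if params.get("openid.op_endpoint") != discovered_endpoint:
        raise ValueError("assertion from an endpoint other than the discovered one")
    claimed_id = params.get("openid.claimed_id", "")
    if not claimed_id or claimed_id == IDENTIFIER_SELECT:
        raise ValueError("OP did not assign a concrete claimed_id")
    return claimed_id


def parse_ax_fetch_response(params):
    """Map AX type URIs to values, resolving whatever namespace alias the OP
    used rather than assuming it echoed the alias from the request."""
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None or params.get(f"openid.{alias}.mode") != "fetch_response":
        return {}
    prefix = f"openid.{alias}."
    return {type_uri: params.get(prefix + "value." + k[len(prefix) + 5:])
            for k, type_uri in params.items() if k.startswith(prefix + "type.")}
```

The request side is what "entering the OP server URL" in a stock library boils down to: discovery yields the server-type endpoint, and claimed_id/identity are sent as identifier_select instead of a user-specific URL. The two checks a practitioner should not skip are the realm match (an RP that accepts any return_to lets an attacker redirect assertions) and the op_endpoint comparison followed by re-discovery of the returned claimed_id, which is what prevents one OP from asserting identifiers belonging to another.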
While there is an XRDS document published on
google.com, my understanding after
the OpenID UX Summit last week is that the consumer side would actually
be gmail.com (google.com is for google employees). But yes, it does
sound like that is the plan.