
It's a shame that old OpenID was killed in favour of OpenID Connect. With OpenID I was able to log in to livejournal using an OpenID implementation running on my own domain. With OpenID Connect I can only log in with a blessed set of providers. Centralization sucks.



OpenID supporting any provider would have been nice, but from my limited experience implementing it, it suffered from the same issues as this blog post is describing: inconsistent implementations.

OIDC is basically an admission that supporting any arbitrary provider had failed, and you need to actually test with each specific implementation before marking it as being supported.


The standards for this experience exist with OIDC Discovery[1] and Dynamic Client Registration[2], unfortunately they aren't used but it's not because it isn't supported.

[1] https://openid.net/specs/openid-connect-discovery-1_0.html [2] https://openid.net/specs/openid-connect-registration-1_0.htm...


Do any big-name providers support this? For example trying the webfinger request described in the first link on gmail.com returns a 404.

As much as I love the ability to use my own server it is going to fall flat for the vast majority of users if you can't support at least one of Google/Facebook/Twitter/Microsoft.

OpenID was supported by Google, Yahoo, MySpace, Wordpress and a few other big names. Not ideal but enough that you could basically expect most users to be covered.




But that's not the point. The goal of the discovery spec is that the user can enter an email and sign in with an OpenID Connect provider of their choice. If I need to do an MX lookup and guess what identity provider they are using, it doesn't solve the problem of needing to maintain a list of supported providers.


True, the "well-known" path seems to be in a random location, but maybe that's a problem with the spec; you might expect it to be off the root of the email domain.
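For reference, here is the discovery chain the spec linked above actually prescribes, as an added example written for this thread (not code from the spec authors or any provider): the typed email becomes an acct: resource, WebFinger is fetched from /.well-known/webfinger on the email host, the JRD's issuer link is validated, and the provider metadata is then fetched from the issuer's own /.well-known/openid-configuration. The hosts example.com and id.example.com, the JSON documents and the fake_fetch stand-in are all constructed so the flow runs offline; any URL outside the constructed set gets the 404 the thread reports from big providers.

```python
"""OpenID Connect Discovery walk-through: typed email -> WebFinger -> issuer ->
provider metadata. Added example for this thread, not code from any provider;
every host, URL and JSON document below is constructed for illustration."""
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Map what the user typed to a WebFinger resource plus the host to ask.

    Discovery 1.0 section 2: 'user@host' becomes acct:user@host and the host is
    the part after the '@'; an https URL is used as-is with its own host.
    """
    s = user_input.strip()
    if s.startswith(("acct:", "https://")):
        resource = s
    elif "@" in s:
        resource = "acct:" + s
    else:
        resource = "https://" + s  # bare hostname-style identifier
    if resource.startswith("acct:"):
        host = resource.rsplit("@", 1)[1]
    else:
        host = urlsplit(resource).netloc
    if not host:
        raise ValueError(f"cannot derive a host from {user_input!r}")
    return resource, host


def webfinger_url(host: str, resource: str) -> str:
    """WebFinger lives at /.well-known/webfinger on the identifier's host and
    must be fetched over TLS; the rel parameter asks only for the OP issuer."""
    return f"https://{host}/.well-known/webfinger?" + urlencode(
        {"resource": resource, "rel": OIDC_ISSUER_REL})


def issuer_from_jrd(jrd: dict, resource: str) -> str:
    """Extract the issuer from a JRD, refusing subjects or issuers we did not ask for."""
    # A subject that differs from the requested resource means the host answered
    # for someone else; treat it as a failed discovery rather than trusting it.
    if jrd.get("subject") not in (None, resource):
        raise ValueError("JRD subject does not match requested resource")
    hrefs = [link.get("href") for link in jrd.get("links", [])
             if link.get("rel") == OIDC_ISSUER_REL]
    if not hrefs or not hrefs[0]:
        raise ValueError("no OpenID issuer link in JRD")
    issuer = hrefs[0]
    parts = urlsplit(issuer)
    # Discovery 1.0: the issuer is an https URL with no query or fragment.
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError(f"rejecting non-conforming issuer {issuer!r}")
    return issuer


def configuration_url(issuer: str) -> str:
    """Provider metadata is at issuer + /.well-known/openid-configuration, with
    the issuer's path kept and any trailing '/' removed first (section 4)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_configuration(issuer: str, config: dict) -> dict:
    """Section 4.3: the metadata's issuer must be identical to the issuer URL we
    fetched it from. Skipping this check lets a misconfigured or compromised
    host silently redirect you to a different OP's endpoints."""
    if config.get("issuer") != issuer:
        raise ValueError("issuer mismatch between JRD and provider metadata")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in config:
            raise ValueError(f"provider metadata missing required {key}")
    return config


def discover(identifier: str, fetch_json) -> dict:
    """Run the whole chain. fetch_json(url) -> dict is injected so the flow can
    be exercised offline; a real client would use an HTTPS client here."""
    resource, host = normalize_identifier(identifier)
    issuer = issuer_from_jrd(fetch_json(webfinger_url(host, resource)), resource)
    return validate_configuration(issuer, fetch_json(configuration_url(issuer)))


# Constructed responses for one mail host that does publish discovery data.
# Any other URL gets a 404, as the thread reports from the big providers.
CONSTRUCTED_ISSUER = "https://id.example.com/op"
CONSTRUCTED_RESPONSES = {
    webfinger_url("example.com", "acct:alice@example.com"): {
        "subject": "acct:alice@example.com",
        "links": [{"rel": OIDC_ISSUER_REL, "href": CONSTRUCTED_ISSUER}],
    },
    configuration_url(CONSTRUCTED_ISSUER): {
        "issuer": CONSTRUCTED_ISSUER,
        "authorization_endpoint": CONSTRUCTED_ISSUER + "/authorize",
        "token_endpoint": CONSTRUCTED_ISSUER + "/token",
        "jwks_uri": CONSTRUCTED_ISSUER + "/jwks",
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an HTTPS GET against the constructed responses above."""
    if url not in CONSTRUCTED_RESPONSES:
        raise LookupError(f"404 Not Found: {url}")
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    print(discover("alice@example.com", fake_fetch)["authorization_endpoint"])
```

Two things the code makes concrete: the WebFinger endpoint is off the root of the email domain, while the openid-configuration document is off the issuer the JRD points to, which can be a completely different host; and the issuer equality check in validate_configuration is the step a relying party must not skip, since it is what binds the metadata you end up trusting to the issuer the user's domain actually named.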


No. Generally this is because it is not a technical capability problem, but a business problem.

Often, sites which use OpenID for authentication either have no automated account recovery, or do recovery based on a verified email claim. This means those relying parties do indeed rely on the reliability and service support promises of the OP, as well as the validity of attribute data shared.

If ISPs or Google had been interested in providing webfinger-based discovery, we might have been able to create a decent UX around an assumption that your identifier was an email address, and that a local authentication process (including potentially an emailed code or link) was an acceptable fall-back. But there was never really critical mass for this to happen.


Are you sure that wasn’t the point?

OIDC is the biggest monopoly play in the industry right now and it’s an absolute privacy nightmare. Almost nobody seems to even notice.

Of course history has shown that people will trade literally everything for convenience so it will probably succeed. In the future if you get your Google account locked you won’t be able to access your bank account or buy a plane ticket and Google will know everything you use at all times and be able to log into anything you use. But it’ll be convenient.


Yes, it was always the point.

Microsoft was the main proponent and gave talks to every single government agency in the world in favour of it, never mentioning OIDC, while Google was promoting it left and right to developers, also never mentioning OIDC. Only the open/decentralized parts.

It was the classical Embrace, Extend, Extinguish play. By now a classical move of both Microsoft and Google.


I wonder if a nonprofit privacy-oriented identity provider could work. All it does is provide OIDC to any apps that want to integrate. On the backend users can log in with any social provider or email, but the social providers would only ever see a login from the nonprofit.


As someone who ran their own OpenID server for a couple of identities but has not touched this stuff for years, I have to ask:

Is there anything today that I can run (self-host) for a similar result?



