Remember just three weeks ago I was ranting about how MDN assumes you use GitHub and forces you to use it to log in without providing any alternatives? Remember I mentioned “the venerable OpenID”?
Turns out it wasn’t so venerable after all. OpenID 2.0 was superseded by OpenID Connect (which is based on OAuth 2.0, a different kind of “auth”) some years ago, and providers have slowly been removing support for OpenID 2.0 over the last couple of years. Yesterday Stack Exchange was the latest to announce that they were dropping OpenID 2.0 support:
Stack Overflow was an early and strong supporter of OpenID. We built our sign up/log in flow around it. We were idealistic and had high hopes, but these hopes weren’t realized. Over the years people have wondered if OpenID is dead. We’ve had to remove support as OpenID providers pulled support or shut down.
The time has come to part ways. The reality is OpenID support has created a ton of complexity in our codebase and the number of users actively using OpenID simply don’t justify that cost. Users have spoken with their actions. You prefer Google, Facebook and Stack Exchange (aka email/PW) based account auth.
To be fair, even I don’t use OpenID to authenticate with Stack Exchange anymore. But that’s because several years ago, I switched from using my WordPress.com OpenID to authenticate with Stack Exchange, to using Stack Exchange as my primary OpenID provider. So, in a weird twist of irony, I’m impacted not in my access to Stack Exchange, but in my access to other sites via Stack Exchange OpenID.
Note that my change of provider had nothing to do with OpenID 2.0’s already ongoing demise; it was just a matter of moving to a provider I felt was more appropriate for my needs, since I’d stopped actively blogging @ WordPress.com. I would continue using Stack Exchange OpenID for as long as OpenID 2.0 remained around, because Stack Exchange stated they’d continue supporting it for as long as they remained in existence as a company.
Of course, things are different now. With the OpenID 2.0 protocol being made obsolete by the OpenID Foundation itself, there really is no obligation for Stack Exchange to continue supporting their OpenID service. So I’m not going to accord them any blame. It’s entirely my fault for somehow completely missing the memo on this whole thing. Perhaps Stack Exchange’s decision to drop OpenID was the wake-up call I needed after all.
Good thing I’ll have the next quarter to work on migrating my accounts on sites where I’m using Stack Exchange OpenID to authenticate. I know that I can just switch back to WordPress.com OpenID, but let’s face it, it’s only a matter of time before Automattic follows suit.
Before I go, let me be clear on my views of all this:
I don’t have anything against OAuth 2.0. I think it’s a great protocol and you’re cool for implementing it. OpenID Connect itself is based on OAuth 2.0. But it’s an authorization protocol, not an authentication protocol. A site has you log in to a third-party site (authentication), and give it permission to use your existing credentials (authorization) to identify yourself and/or light up integrated features that wouldn’t work (as richly or at all) without an account on the third-party site. You still actually need the third-party account, otherwise you won’t be able to use those features, or the entire site in the case of sites that completely rely on your identity with that particular third-party site…
… which was exactly the problem OpenID was trying to solve, and why I still strongly disagree with tying accounts on one site to only one other site via OAuth 2.0. There are hundreds of email providers out there, and no independent site I’m aware of requires you to use exactly one or even two known email providers (obviously Google has every reason to restrict any of its services to Google Accounts, Microsoft to Microsoft accounts, and Apple to Apple IDs, as they see fit), so I don’t see why decentralized identities and authorization is such a big ask. I’m not asking for hundreds of sites — even two providers would be a good start. But I feel that only one arbitrary provider is too restrictive, no matter how much you think that everybody should have an identity on that site already.