Your Gmail Account is Now An OpenID (techcrunch.com)
65 points by jasonlbaptiste 2 days ago | 19 comments

16 points by ComputerGuru 2 days ago | link

It's pretty BS... Software built around OpenID needs to be rewritten to detect when http://username@domain.tld/ is entered as an OpenID login and, if it's an @gmail.com address, contact Google's OpenID servers.

From the comments on the original story at Blogspot:

This is because http://username@domain.tld/ is a valid URL and can thus be used as an OpenID.

The problem is that while that may very well be a valid URI, it's not a standard URI and OpenID software hasn't been written to use this kind of mechanism.

To make matters even worse, there is no OpenID server set up at gmail.com - servers need to put in a special case for when the @tld.com matches gmail and contact the appropriate OpenID servers in that case... It's basically Google demanding that you authenticate their users on their terms.

Test results for OpenID: http://openidenabled.com/resources/openid-test/diagnose-serv... http://openidenabled.com/resources/openid-test/diagnose-serv...

EDIT

Here's the link to the Google OpenID documentation for developers, it's even more bloated than I thought:

http://code.google.com/apis/accounts/docs/OpenID.html

You need to ask Google to give you the URI to the OpenID endpoint for a given account. Each account has a different OpenID endpoint, and different incoming requests are routed to different endpoints....

And I quote:

3. The web application sends a "discovery" request to Google to get information on the Google authentication endpoint. This is a departure from the process outlined in OpenID 1.0.

4. Google returns an XRDS document, which contains endpoint address.

5. The web application sends a login authentication request to the Google endpoint address. This action redirects the user to a Google Federated Login page.

They're being pretty damn cavalier about using an OpenID that's not really OpenID in the first place.

reply

4 points by jacobscott 2 days ago | link

Did you miss the part where they say "Google supports the OpenID 2.0 Directed Identity protocol, and provides authentication support as an OpenID provider"?

They're supporting 2.0 which supports discovery requests...

reply

2 points by gsiener 2 days ago | link

Seems like a compromise on Google's part would be implementing something like: http://openid.google.com/username

Standard URI, and would forward you to google to login as normal.

reply

11 points by axod 2 days ago | link

End users do not equate a URI as being anything that identifies them. To them, that is a website.

Why is openID hell bent on trying to spin the tables on everything that people know and are used to? They know email address = my identification/username.

reply

4 points by michaelneale 2 days ago | link

Yeah, it's confusing as all heck to users.

The ONLY possible upside I can see, is that it slightly reduces the risk that they give the crown jewels (say, their Google User name and password) to some malicious site mistaking it for an open ID log in.

In other words, the fact that the identity is the web site is a feature. It may not be the right feature, but I think there is some design thought behind it being a url. So users get used to not immediately providing a password, but instead this URL, and THEN after some redirect shenanigans, they do their password etc...

reply

1 point by tlrobinson 2 days ago | link

It seems like the OpenID guys should have included the ability to use an email address as an OpenID in the first place. But this does increase the chances of uninformed users falling prey to phishing.

reply

10 points by LogicHoleFlaw 2 days ago | link

It's great that the big three are now OpenID providers, but the platform is still almost useless to me until they are also "relying parties."

Would it be possible to merge multiple accounts such that my Microsoft and Yahoo accounts are consistent with my Google one? Can I migrate an account to my own provider?

reply

4 points by tlrobinson 2 days ago | link

I hate how all the big players (Yahoo, Microsoft, Google) are implementing the OpenID provider half of OpenID, but refuse to be consumers of OpenIDs from other providers. It really defeats the purpose of OpenID. I'd even call it arrogant. Though I suppose it's better than a completely proprietary system like Facebook Connect.

It's painfully obvious they just want to remain in complete control, while reaping some of the benefits of OpenID. I'm really hoping this will backfire on all of them, and OpenID becomes hugely popular to the point where users demand they become real OpenID consumers. It's going to take awhile though.

reply

3 points by michaelneale 2 days ago | link

Actually this is terrible. This massively increases the chance of my mum getting hit by a phishing attack. Not happy, Google - you should have thought this one through.

reply

3 points by ComputerGuru 2 days ago | link

Actual link: http://google-code-updates.blogspot.com/2008/10/google-moves...

reply

2 points by sh1mmer 1 day ago | link

Google are just testing an approach called "federated login" which they think is the usability solution to the so called "URL problem" which is that Joe Average doesn't know what a URL is or how it should be formatted let alone what his or her URL is. Obviously MySpace users do, but there is also an implication from Google that all users are comfortable using an email address. Many of the younger demographic use FB messaging or YIM for communication and only use their email for "official things".

There was a lot of discussion about all these issues at http://therealmccrea.com/2008/10/20/live-blogging-the-openid... and all the interested parties want to resolve this. I should know, I spent the day with them there.

reply

2 points by jmatt 2 days ago | link

Great, now "all three" provide it and it's still a complete cluster $%^& to use, manage, code against and maintain.

Previous discussion about confusion caused by openid can be found here http://news.ycombinator.com/item?id=334800

[Edit: Added link]

reply

2 points by markbao 2 days ago | link

I wish OpenID was more seamless on the end-user side. Then, there would be absolutely no reason to not support it.

reply

2 points by MicahWedemeyer 2 days ago | link

Read the original article on Google's Blog

http://google-code-updates.blogspot.com/2008/10/google-moves...

They don't want to add just another OpenID to the mix. They want to leave people with the same signup procedure they're used to (ie. enter your email). However, if they enter an @gmail.com address, the server automagically figures out how to log them in using OpenID.

It's a good idea in theory, but seems like it will require a fair amount of rewrite on the OpenID library side. Not a big fan of that...

reply
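The sequence quoted from Google's developer documentation earlier in the thread (discovery request, XRDS document, login request to the returned endpoint), together with the "enter an @gmail.com address and the server figures out how to log you in" behaviour described in the comment above, as an added Python example. This is not code from the thread, from Google or from any OpenID library. The discovery URL, the XRDS document, the endpoint and the rp.example/op.example hosts are constructed placeholders; the OpenID 2.0 namespace, the OP-identifier service type and identifier_select are the real spec values.

```python
"""Added example: an OpenID 2.0 "directed identity" relying-party flow for an
e-mail style identifier (discovery -> XRDS -> checkid_setup redirect).
Not Google's or any library's code; all hosts and documents are constructed."""
import xml.etree.ElementTree as ET
from typing import Callable, Optional
from urllib.parse import urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"  # OP-identifier service type
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRD_NS = "xri://$xrd*($v*2.0)"

# Assumption: the RP keeps a fixed allow-list of e-mail domains it is willing
# to map to an OP discovery URL. The value is a placeholder, not Google's URL.
EMAIL_DOMAIN_TO_DISCOVERY = {
    "gmail.com": "https://op.example/openid/discovery",
}

# Constructed XRDS document standing in for the discovery response (step 4).
SAMPLE_XRDS = """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def discovery_url_for(user_input: str) -> Optional[str]:
    """Map 'user@domain' to the configured discovery URL, or None.

    Only the domain is used, and only if it is in the allow-list, so a typo or
    lookalike domain never selects an OP the RP has not configured."""
    if user_input.count("@") != 1:
        return None
    domain = user_input.rsplit("@", 1)[1].strip().lower()
    return EMAIL_DOMAIN_TO_DISCOVERY.get(domain)


def endpoint_from_xrds(xrds_text: str) -> str:
    """Pick the OP endpoint out of an XRDS document.

    Requires the OP-identifier service type and an https URI: the endpoint is
    where the user will type a password, so a plain-http one is refused."""
    root = ET.fromstring(xrds_text)
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OP_SERVER_TYPE not in types:
            continue
        uri = service.find(f"{{{XRD_NS}}}URI")
        if uri is None or not uri.text:
            continue
        endpoint = uri.text.strip()
        if urlsplit(endpoint).scheme != "https":
            raise ValueError("refusing non-https OP endpoint")
        return endpoint
    raise ValueError("no OpenID 2.0 OP-identifier service in XRDS")


def build_checkid_setup(endpoint: str, return_to: str, realm: str) -> str:
    """Build the redirect URL for step 5: a directed-identity checkid_setup.

    With directed identity the RP does not claim to know the user's identifier;
    it sends identifier_select and the OP asserts the real one in its response."""
    if urlsplit(return_to).scheme != "https" or not return_to.startswith(realm):
        raise ValueError("return_to must be https and inside the realm")
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode(params)


def start_login(user_input: str,
                fetch: Callable[[str], str] = lambda url: SAMPLE_XRDS) -> Optional[str]:
    """Steps 3-5 end to end. `fetch` would be an HTTPS GET in a real RP; here it
    returns the constructed XRDS so the example runs offline."""
    disc = discovery_url_for(user_input)
    if disc is None:
        return None  # unknown domain: fall back to ordinary URL-style OpenID
    endpoint = endpoint_from_xrds(fetch(disc))
    return build_checkid_setup(endpoint,
                               "https://rp.example/openid/return",
                               "https://rp.example/")


if __name__ == "__main__":
    print(start_login("alice@gmail.com"))
    print(start_login("bob@example.net"))
```

The point of the allow-list is the one ComputerGuru raises: the RP has to carry a per-domain special case anyway, so it should be an explicit table rather than anything derived from the string the user typed. The https check on the discovered endpoint matters because, as the phishing comments note, the redirect target is where the user ends up entering their real password.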

2 points by ErrantX 2 days ago | link

:( sad day IMO. OpenID is a nice idea but fatally flawed in the grand scheme of things. Unified accounts are GREAT. But OpenID just isn't the right way to go about it...

I knew Google was moving towards this but I always hoped they would see sense before actually going for it fully.

Disappointed in them for the first time in a LONG time!

reply

2 points by trevorturk 2 days ago | link

I'm having trouble finding the URL scheme to use... or does this only support signing in with email@gmail.com?

reply

1 point by dnordberg 1 day ago | link

Maybe better to use http://openid-provider.appspot.com/username which has been available for some time now...

reply

1 point by tlrobinson 2 days ago | link

Apparently Google decided they were special, and require every relying party to implement custom crap for detecting gmail.com email addresses.

They claim that once it's stable they'll open it up so you'll be able to use "gmail.com" as your identifier in any RP:

http://openid.net/pipermail/general/2008-October/006169.html

Embrace: kinda

Extend: you betcha

Extinguish: ...

reply

2 points by jacobscott 2 days ago | link

Isn't this just temporary? I mean, shouldn't we wait like a month before complaining?

reply