In 2015, Google will shutter the OpenID 2.0 functionality that allows third parties to authenticate their users by having them log in with their Google accounts.
Over the next three months, Google will progressively turn off certain features associated with OpenID 2.0, with the first being auto-approval. Because use of OpenID 2.0 does not require developers to register their applications, Google is using the disabling of auto-approval as an attempt to alert developers.
Currently, developers have the ability to avoid this user-facing warning by passing in a parameter that indicates their acknowledgment of the pending shut-down. By late March, auto-approval will be disabled for all applications, including those passing in the parameter. Following OpenID 2.0’s retirement on April 20, 2015, all OpenID 2.0 requests will return an error page.
In OpenID 2.0’s place, Google has implemented OAuth 2.0, based on the OpenID Connect specification. To ease the transition for developers who want to offer their users the ability to “Sign-in with Google,” Google has created Google+ Sign-In, a client library that implements the OAuth 2.0 and OpenID Connect specifications Google is relying on going forward. According to Google’s documentation, the library “supports over-the-air installs, social features, and a sign-in widget on top of standardized OpenID Connect sign-in flows. Google+ Sign-In works for all users with a Google account, whether or not they have upgraded to Google+.”
OpenID Connect was ratified by the members of the OpenID Foundation in February 2014. At the time, Google praised the new standard. “Google is betting big on OpenID Connect because it’s simple for developers to understand and it makes it easy to federate with identity providers. It also protects users by only sharing account information that users explicitly tell us to,” Eric Sachs, Google’s Group Product Manager for Identity, explained. “As of today, Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords.”
Little more than a year later, developers find themselves having to migrate to Google’s OpenID Connect-based solution. Unlike other Google changes and retirements, however, which often spark controversy if not outrage, developer reaction to OpenID 2.0’s shuttering has been muted. On Hacker News, one commenter pointed out that “OpenID Connect takes the best ideas from preceding identity protocols and incorporates them into OAuth flows, giving the best of both worlds” while another lamented the fact that Mozilla Persona “should have been the successor to OpenID” because it “solves almost all of the problems with OpenID.”
Interestingly, one developer revealed that he was using the OpenID 2.0 retirement as an opportunity to ditch social logins altogether, explaining:
I used Google and Facebook when first building the webapp because I simply didn’t want to do the work of building an authentication system. It’s lots of work to get right.
About a year ago I had a lot of users complain my site _only_ had social logins so I had to implement my own anyhow.
Now [that] I have it, I don't see a lot of value in keeping the social logins around.
While such a response may be in the minority, it does serve as a reminder that these migrations do carry attrition risk and should be accompanied by a marketing effort that highlights the added benefits of the solution developers are being asked to migrate to.