Compatibility Required


The other day I had a look at the wiki page of the forthcoming OpenID 2.1 specification. While I am not a developer, I was curious to see what is planned for the next version and which problems it will target. So besides correcting errata,

maintaining backwards compatibility with OpenID Authentication 2.0 to the greatest degree possible

is an aim of the specification as well. I think that’s a good intention, though I’d like the next specification to be clear that both Relying Parties and OpenID Providers have to support OpenID 2.0 as well.

Compatibility with OpenID 1.1 was not required by the OpenID 2.0 specification:

OpenID Authentication 2.0 implementations SHOULD support OpenID Authentication 1.1 compatibility, unless security considerations make it undesirable

So currently, users encounter two versions of OpenID in the wild, which is confusing to a lot of them. They try to log in to a Relying Party with their Yahoo! account but actually can’t, because the Relying Party only supports OpenID 1.1 while Yahoo! only supports OpenID 2.0. People give up, write angry blog posts about OpenID being complicated, being just for geeks, … I guess you all know those stories.

When it was clear that Yahoo! (and later Google as well) was only supporting OpenID 2.0, I thought older implementations would be quickly updated, because websites wouldn’t pass up the opportunity to be attractive to users of those big vendors as well. But it seems I was wrong. There are still countless websites that only support OpenID 1.1. By the way, it would be interesting to know their reasons for not updating. This way some useful information could be obtained for future specifications. Anyway, it would be a really bad idea if there were a third specification around which didn’t require compatibility with its predecessor, OpenID 2.0.

I am aware that, e.g., Yahoo! wouldn’t be supporting OpenID yet if it had to comply with OpenID 1.1 as well (if I remember correctly, of course). So maybe the wording in the OpenID 2.0 specification was a compromise. I don’t know, but it shouldn’t happen again, I think.
