[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"sanity-ABU04cDsBhgB3tjkt0mBd0qpKLtVdQtWtxdZNM_ilro":3,"sanity-NnKuZStDKQ6OwgcIzyjr1173ALwxPMdFCvfV2-zcmK8":659},{"data":4,"sourceMap":-1},{"latestPodcast":5,"latestReleases":14,"post":39,"recent":634},[6],{"_id":7,"publishedAt":8,"slug":9,"sponsored":12,"title":13},"d53f9358-3bb2-4f69-aebe-d31d19522cd4","2026-07-10T07:40:00.000Z",{"_type":10,"current":11},"slug","building-more-than-just-an-agent-harness",null,"Building more than just an agent harness",[15,21,27,33],{"_id":16,"publishedAt":17,"slug":18,"title":20},"eb5b66eb-9410-4329-83bb-22bbff39402a","2026-04-28T13:00:00.000Z",{"_type":10,"current":19},"turn-scattered-knowledge-into-trusted-intelligence","Turning scattered knowledge into trusted intelligence: Stack Internal 2026.3",{"_id":22,"publishedAt":23,"slug":24,"title":26},"369c2401-b62e-4a37-8ff8-bf603023ecad","2026-03-02T15:03:00.988Z",{"_type":10,"current":25},"what-s-new-at-stack-overflow-march-2026","What’s new at Stack Overflow: March 2026",{"_id":28,"publishedAt":29,"slug":30,"title":32},"5e9053a4-07ea-447c-91ea-29e0b6228537","2026-02-02T15:00:00.000Z",{"_type":10,"current":31},"what-s-new-at-stack-overflow-february-2026","What’s new at Stack Overflow: February 2026",{"_id":34,"publishedAt":35,"slug":36,"title":38},"a1b538eb-a8a6-46d0-80a1-ac70ec9bb935","2026-01-05T10:00:00.000-05:00",{"_type":10,"current":37},"what-s-new-at-stack-overflow-january-2026","What’s new at Stack Overflow: January 2026",{"_createdAt":40,"_id":41,"_rev":42,"_type":43,"_updatedAt":44,"author":45,"body":59,"comments":611,"dateUrl":612,"excerpt":132,"legacyBody":613,"product":12,"publishedAt":616,"slug":617,"sponsored":12,"tags":619,"title":633,"visible":611},"2023-05-25T09:36:59Z","wp-post-3719","9HpbCsT2tq0xwozQfkfa75","blogPost","2023-07-13T14:54:32Z",[46],{"_createdAt":47,"_id":48,"_rev":49,"_type":50,"_updatedAt":51,"avatar":52,"employee":54,"name":55,"role":56,"slug":57},"2023-05-23T16:27:18Z","wp-author-114","07ZbrKPSUrjrV4wQ6fam8u","blogAuthor","2023-08-29T11:49:01Z",{"_type":53},"image","former","Jeff Atwood","Co-founder",{"current":58},"jeffatwood",[60,71,85,96,107,126,134,139,158,177,195,220,228,255,285,293,312,320,336,344,363,412,438,446,495,507,523,531,548,564,579,595,603],{"_key":61,"_type":62,"children":63,"markDefs":69,"style":70},"26df3a6b65fa","block",[64],{"_key":65,"_type":66,"marks":67,"text":68},"26df3a6b65fa0","span",[],"We made a few key technology bets when we created Stack Overflow:",[],"normal",{"_key":72,"_type":62,"children":73,"level":79,"listItem":80,"markDefs":81,"style":70},"f7c65f13ceee",[74],{"_key":75,"_type":66,"marks":76,"text":78},"f7c65f13ceee0",[77],"2db4d2916a68","OpenID",1,"bullet",[82],{"_key":77,"_type":83,"href":84,"reference":12},"link","http:\u002F\u002Fopenid.net\u002F",{"_key":86,"_type":62,"children":87,"level":79,"listItem":80,"markDefs":93,"style":70},"9ba8be5b818d",[88],{"_key":89,"_type":66,"marks":90,"text":92},"9ba8be5b818d0",[91],"dd9cb80b8116","Markdown",[94],{"_key":91,"_type":83,"href":95,"reference":12},"http:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMarkdown",{"_key":97,"_type":62,"children":98,"level":79,"listItem":80,"markDefs":104,"style":70},"26bbda826929",[99],{"_key":100,"_type":66,"marks":101,"text":103},"26bbda8269290",[102],"b2a1ab23765e","ASP.NET MVC",[105],{"_key":102,"_type":83,"href":106,"reference":12},"http:\u002F\u002Fwww.asp.net\u002Fmvc\u002F",{"_key":108,"_type":62,"children":109,"markDefs":123,"style":70},"5b66b6fd8491",[110,114,119],{"_key":111,"_type":66,"marks":112,"text":113},"5b66b6fd84910",[],"I covered ",{"_key":115,"_type":66,"marks":116,"text":118},"5b66b6fd84911",[117],"a63d673a3a73","Markdown, One Year Later",{"_key":120,"_type":66,"marks":121,"text":122},"5b66b6fd84912",[]," in an earlier post, and now I'd like to turn my attention to the first item in the list: OpenID.",[124],{"_key":117,"_type":83,"href":125,"reference":12},"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F10\u002Fmarkdown-one-year-later\u002F",{"_key":127,"_type":62,"children":128,"markDefs":133,"style":70},"1f43d2281af0",[129],{"_key":130,"_type":66,"marks":131,"text":132},"1f43d2281af00",[],"",[],{"_key":135,"_type":53,"alt":12,"asset":136,"markDefs":12},"5f51df855602",{"_ref":137,"_type":138},"image-84621e27ac52aceff4d7ad600e8cb036ed918121-333x106-png","reference",{"_key":140,"_type":62,"children":141,"markDefs":155,"style":70},"33a910fade7f",[142,146,151],{"_key":143,"_type":66,"marks":144,"text":145},"33a910fade7f0",[],"After spending nearly two years with OpenID as our ",{"_key":147,"_type":66,"marks":148,"text":150},"33a910fade7f1",[149],"44b31db848d3","decentralized, open login mechanism",{"_key":152,"_type":66,"marks":153,"text":154},"33a910fade7f2",[],", I have some thoughts based on my experience I'd like to share.",[156],{"_key":149,"_type":83,"href":157,"reference":12},"http:\u002F\u002Fopenid.net\u002Fget-an-openid\u002Fwhat-is-openid\u002F",{"_key":159,"_type":62,"children":160,"markDefs":174,"style":70},"bd4af4a4d529",[161,165,170],{"_key":162,"_type":66,"marks":163,"text":164},"bd4af4a4d5290",[],"First, to understand our position on OpenID, please read ",{"_key":166,"_type":66,"marks":167,"text":169},"bd4af4a4d5291",[168],"f5efe96804ea","Does The World Really Need Yet Another Username and Password",{"_key":171,"_type":66,"marks":172,"text":173},"bd4af4a4d5292",[],". If you don't have time, I'll quote the most relevant paragraph:",[175],{"_key":168,"_type":83,"href":176,"reference":12},"http:\u002F\u002Fwww.codinghorror.com\u002Fblog\u002F2008\u002F05\u002Fopenid-does-the-world-really-need-yet-another-username-and-password.html",{"_key":178,"_type":62,"children":179,"markDefs":193,"style":194},"da5b1c600e97",[180,184,189],{"_key":181,"_type":66,"marks":182,"text":183},"da5b1c600e970",[],"I realize that OpenID is far from an ideal solution. But ",{"_key":185,"_type":66,"marks":186,"text":188},"da5b1c600e971",[187],"strong","right now, the one-login-per-website problem is so bad that I am willing to accept these tradeoffs for a partial worse is better solution",{"_key":190,"_type":66,"marks":191,"text":192},"da5b1c600e972",[],". There's absolutely no way I'd put my banking credentials behind an OpenID. But there are also dozens of sites that I don't need anything remotely approaching banking-grade security for, and I use these sites far more often than my bank. The collective pain of remembering all these logins -- and the way my email inbox becomes a de-facto collecting point and security gateway for all of them -- is substantial.",[],"blockquote",{"_key":196,"_type":62,"children":197,"markDefs":219,"style":70},"b1bdbbdb2bbf",[198,202,206,210,215],{"_key":199,"_type":66,"marks":200,"text":201},"b1bdbbdb2bbf0",[],"So if we are evangelizing OpenID to some degree, it is because ",{"_key":203,"_type":66,"marks":204,"text":205},"b1bdbbdb2bbf1",[187],"I would rather be part of the solution than yet another brick in the wall of the problem.",{"_key":207,"_type":66,"marks":208,"text":209},"b1bdbbdb2bbf2",[]," Even ",{"_key":211,"_type":66,"marks":212,"text":214},"b1bdbbdb2bbf3",[213],"em","if",{"_key":216,"_type":66,"marks":217,"text":218},"b1bdbbdb2bbf4",[]," it involves a tiny bit of short-term friction. Be the change you want to see, right?",[],{"_key":221,"_type":62,"children":222,"markDefs":227,"style":70},"f22359f402a6",[223],{"_key":224,"_type":66,"marks":225,"text":226},"f22359f402a60",[],"In the almost two years since we began using OpenID, that tiny bit of friction has gotten progressively smaller:",[],{"_key":229,"_type":62,"children":230,"level":79,"listItem":80,"markDefs":252,"style":70},"8fbcf2fb9420",[231,235,239,243,248],{"_key":232,"_type":66,"marks":233,"text":234},"8fbcf2fb94200",[],"Google began fully supporting OpenID. This was (and is) ",{"_key":236,"_type":66,"marks":237,"text":238},"8fbcf2fb94201",[213],"huge",{"_key":240,"_type":66,"marks":241,"text":242},"8fbcf2fb94202",[],". As you can see from ",{"_key":244,"_type":66,"marks":245,"text":247},"8fbcf2fb94203",[246],"421d13be1a9d","these meta stats",{"_key":249,"_type":66,"marks":250,"text":251},"8fbcf2fb94204",[],", Google is by far our largest OpenID provider at 61% of all registered accounts.",[253],{"_key":246,"_type":83,"href":254,"reference":12},"http:\u002F\u002Fmeta.stackoverflow.com\u002Fquestions\u002F31021\u002Fwhat-openid-providers-should-we-feature-on-the-login-page",{"_key":256,"_type":62,"children":257,"level":79,"listItem":80,"markDefs":280,"style":70},"8a692aaf398d",[258,262,267,271,276],{"_key":259,"_type":66,"marks":260,"text":261},"8a692aaf398d0",[],"Microsoft ",{"_key":263,"_type":66,"marks":264,"text":266},"8a692aaf398d1",[265],"9eedfdd684b1","announced OpenID support",{"_key":268,"_type":66,"marks":269,"text":270},"8a692aaf398d2",[],". Although there was a beta, and beta live.com OpenIDs were used on our website -- the current state of their OpenID support is in limbo. Still, being Microsoft, their official (though technically nonexistent, and I'm sure trapped in ",{"_key":272,"_type":66,"marks":273,"text":275},"8a692aaf398d3",[274],"9d33e1d7aa88","strategy tax hell",{"_key":277,"_type":66,"marks":278,"text":279},"8a692aaf398d4",[],") support legitimizes OpenID as a standard.",[281,283],{"_key":265,"_type":83,"href":282,"reference":12},"http:\u002F\u002Fblogs.verisign.com\u002Finfrablog\u002F2007\u002F02\u002Fverisign_microsoft_partners_to_1.php",{"_key":274,"_type":83,"href":284,"reference":12},"http:\u002F\u002Farchive.scripting.com\u002F2001\u002F04\u002F29#strategyTax",{"_key":286,"_type":62,"children":287,"level":79,"listItem":80,"markDefs":292,"style":70},"97767455dc09",[288],{"_key":289,"_type":66,"marks":290,"text":291},"97767455dc090",[],"Most client implementations of OpenID have switched from \"enter your OpenID URL\" to \"click the logo of the company that provides your identity\". OpenID was frequently criticized for being too URL-centric when the user identity world is email-centric, so this is a significant usability improvement.",[],{"_key":294,"_type":62,"children":295,"level":79,"listItem":80,"markDefs":309,"style":70},"39137bb8dcde",[296,300,305],{"_key":297,"_type":66,"marks":298,"text":299},"39137bb8dcde0",[],"We implemented ",{"_key":301,"_type":66,"marks":302,"text":304},"39137bb8dcde1",[303],"285b38638ee5","support for up to two OpenID providers per user",{"_key":306,"_type":66,"marks":307,"text":308},"39137bb8dcde2",[],". This flexibility turns out to be important, so you can switch out or change the OpenID identities in your virtual wallet as you see fit. It's handy to have a backup form of identity \"on you\", just like in real life.",[310],{"_key":303,"_type":83,"href":311,"reference":12},"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F01\u002Fwe-now-support-multiple-openids\u002F",{"_key":313,"_type":62,"children":314,"markDefs":319,"style":70},"ded110194c6a",[315],{"_key":316,"_type":66,"marks":317,"text":318},"ded110194c6a0",[],"The trend is certainly encouraging.",[],{"_key":321,"_type":62,"children":322,"markDefs":335,"style":70},"44e7c34ca015",[323,327,331],{"_key":324,"_type":66,"marks":325,"text":326},"44e7c34ca0150",[],"However, there have also been a few things that happened which illustrate the ",{"_key":328,"_type":66,"marks":329,"text":330},"44e7c34ca0151",[213],"risks",{"_key":332,"_type":66,"marks":333,"text":334},"44e7c34ca0152",[]," of OpenID, too:",[],{"_key":337,"_type":62,"children":338,"level":79,"listItem":80,"markDefs":343,"style":70},"8ba6fb4db05e",[339],{"_key":340,"_type":66,"marks":341,"text":342},"8ba6fb4db05e0",[],"Several lesser providers (Technorati, Vidoop, Mozilla Weave) went belly-up, leaving their users stranded with no way to authenticate.",[],{"_key":345,"_type":62,"children":346,"level":79,"listItem":80,"markDefs":360,"style":70},"5b77f3ea654f",[347,351,356],{"_key":348,"_type":66,"marks":349,"text":350},"5b77f3ea654f0",[],"Occasionally OpenID providers will have bugs or service outages -- even big ones like Yahoo. Fortunately this is quite rare, but it does happen, and ",{"_key":352,"_type":66,"marks":353,"text":355},"5b77f3ea654f1",[354],"6eec21a866c7","troubleshooting it",{"_key":357,"_type":66,"marks":358,"text":359},"5b77f3ea654f2",[]," can be a pain precisely because it's open and decentralized, and there are three parties involved -- the website, the user, and the OpenID provider.",[361],{"_key":354,"_type":83,"href":362,"reference":12},"http:\u002F\u002Fmeta.stackoverflow.com\u002Fquestions\u002F1774\u002Fi-cant-log-in-with-my-openid-troubleshooting-tips",{"_key":364,"_type":62,"children":365,"level":79,"listItem":80,"markDefs":405,"style":70},"980a165e432f",[366,370,375,379,384,388,393,397,401],{"_key":367,"_type":66,"marks":368,"text":369},"980a165e432f0",[],"The OpenID protocol itself can be implemented in unusual or incomplete ways by different providers. This leads to challenges for us, but fortunately we have an excellent dialog with ",{"_key":371,"_type":66,"marks":372,"text":374},"980a165e432f1",[373],"86867f5dea15","Andrew Arnott",{"_key":376,"_type":66,"marks":377,"text":378},"980a165e432f2",[],", the primary author of the open source ",{"_key":380,"_type":66,"marks":381,"text":383},"980a165e432f3",[382],"8a35ffefebb5","DotNetOpenAuth",{"_key":385,"_type":66,"marks":386,"text":387},"980a165e432f4",[]," library we use. We ",{"_key":389,"_type":66,"marks":390,"text":392},"980a165e432f5",[391],"5a56d89b1a0f","support the project financially",{"_key":394,"_type":66,"marks":395,"text":396},"980a165e432f6",[]," and also try to contribute as many bugfixes as possible, so OpenID can get better for ",{"_key":398,"_type":66,"marks":399,"text":400},"980a165e432f7",[213],"everyone",{"_key":402,"_type":66,"marks":403,"text":404},"980a165e432f8",[],".",[406,408,410],{"_key":373,"_type":83,"href":407,"reference":12},"http:\u002F\u002Fstackoverflow.com\u002Fusers\u002F46926\u002Fandrew-arnott",{"_key":382,"_type":83,"href":409,"reference":12},"http:\u002F\u002Fwww.dotnetopenauth.net\u002F",{"_key":391,"_type":83,"href":411,"reference":12},"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F12\u002Fstack-overflow-gives-back\u002F",{"_key":413,"_type":62,"children":414,"markDefs":435,"style":70},"960afd815c0d",[415,419,424,428,432],{"_key":416,"_type":66,"marks":417,"text":418},"960afd815c0d0",[],"There are certainly challenges, and although I am open to alternative login mechanisms, particularly for ",{"_key":420,"_type":66,"marks":421,"text":423},"960afd815c0d1",[422],"77d387e4f734","Stack Exchange",{"_key":425,"_type":66,"marks":426,"text":427},"960afd815c0d2",[],", I'm still bullish on OpenID. We have to keep move forward on fixing the login explosion problem, because the status quo ",{"_key":429,"_type":66,"marks":430,"text":431},"960afd815c0d3",[213],"sucks",{"_key":433,"_type":66,"marks":434,"text":404},"960afd815c0d4",[],[436],{"_key":422,"_type":83,"href":437,"reference":12},"http:\u002F\u002Fstackexchange.com\u002F",{"_key":439,"_type":62,"children":440,"markDefs":445,"style":70},"9898984e52dc",[441],{"_key":442,"_type":66,"marks":443,"text":444},"9898984e52dc0",[],"To that end, we're continuing to refine our implementation.",[],{"_key":447,"_type":62,"children":448,"markDefs":488,"style":70},"40e8bd2237be",[449,453,458,462,467,471,475,479,484],{"_key":450,"_type":66,"marks":451,"text":452},"40e8bd2237be0",[],"Although I listed Google supporting OpenID as my #1 improvement since we began using OpenID, their support also contains a bit of a poison pill -- ",{"_key":454,"_type":66,"marks":455,"text":457},"40e8bd2237be1",[456],"d37823d766b6","Google GMail OpenIDs are specific to the domain you create them on",{"_key":459,"_type":66,"marks":460,"text":461},"40e8bd2237be2",[],". In other words, the same GMail OpenID used on stackoverflow.com, serverfault.com, and superuser.com results in three different OpenID URLs being created. This is ",{"_key":463,"_type":66,"marks":464,"text":466},"40e8bd2237be3",[465],"4d408e39c3bd","completely by design",{"_key":468,"_type":66,"marks":469,"text":470},"40e8bd2237be4",[],", but I should note that ",{"_key":472,"_type":66,"marks":473,"text":474},"40e8bd2237be5",[213],"no other OpenID provider to date has done this except Google",{"_key":476,"_type":66,"marks":477,"text":478},"40e8bd2237be6",[],". To their credit, they do offer proper named OpenIDs now in the form of ",{"_key":480,"_type":66,"marks":481,"text":483},"40e8bd2237be7",[482],"38cb84d5a546","Google Profile OpenIDs",{"_key":485,"_type":66,"marks":486,"text":487},"40e8bd2237be8",[],", but this does nothing to fix the status quo for GMail OpenIDs.",[489,491,493],{"_key":456,"_type":83,"href":490,"reference":12},"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F04\u002Fgoogles-openids-are-unique-per-domain\u002F",{"_key":465,"_type":83,"href":492,"reference":12},"http:\u002F\u002Fgroups.google.com\u002Fgroup\u002Fgoogle-federated-login-api\u002Fweb\u002Fthe-most-important-technical-issue-in-using-the-google-accounts-api?pli=1",{"_key":482,"_type":83,"href":494,"reference":12},"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F11\u002Fgoogle-offers-named-openids\u002F",{"_key":496,"_type":62,"children":497,"markDefs":506,"style":70},"57dab346eb61",[498,502],{"_key":499,"_type":66,"marks":500,"text":501},"57dab346eb610",[],"That's a major bummer for site networks like us with multiple domains. We use the OpenID string as your user \"fingerprint\", so if your \"fingerprint\" changes, we can't tell who you are any more. It's a frustrating problem, but we think we've finally come up with a fix: ",{"_key":503,"_type":66,"marks":504,"text":505},"57dab346eb611",[187],"we demand email from Google GMail OpenIDs!",[],{"_key":508,"_type":62,"children":509,"markDefs":522,"style":70},"642b54e6de65",[510,514,518],{"_key":511,"_type":66,"marks":512,"text":513},"642b54e6de650",[],"If we have an email address from a verified OpenID email provider (that is, an OpenID from a large email service we trust, like Google or Yahoo), then it's guaranteed to be a globally unique string. We treat this as part of the identifying user token, attached ",{"_key":515,"_type":66,"marks":516,"text":517},"642b54e6de651",[213],"only",{"_key":519,"_type":66,"marks":520,"text":521},"642b54e6de652",[]," at login time, that is not editable by the user.",[],{"_key":524,"_type":62,"children":525,"markDefs":530,"style":70},"ce41f9537adc",[526],{"_key":527,"_type":66,"marks":528,"text":529},"ce41f9537adc0",[],"So our cross-site user account matching now works this way:",[],{"_key":532,"_type":62,"children":533,"level":79,"listItem":546,"markDefs":547,"style":70},"8a05407bf1b8",[534,538,542],{"_key":535,"_type":66,"marks":536,"text":537},"8a05407bf1b80",[],"Match by ",{"_key":539,"_type":66,"marks":540,"text":541},"8a05407bf1b81",[187],"GUID",{"_key":543,"_type":66,"marks":544,"text":545},"8a05407bf1b82",[],". This is something we generate and assign during account association, so it's a perfect fingerprint.","number",[],{"_key":549,"_type":62,"children":550,"level":79,"listItem":546,"markDefs":563,"style":70},"88b11bf8b807",[551,555,559],{"_key":552,"_type":66,"marks":553,"text":554},"88b11bf8b8070",[],"match by ",{"_key":556,"_type":66,"marks":557,"text":558},"88b11bf8b8071",[187],"OpenID URL",{"_key":560,"_type":66,"marks":561,"text":562},"88b11bf8b8072",[],". This works for the vast majority of OpenID providers.",[],{"_key":565,"_type":62,"children":566,"level":79,"listItem":546,"markDefs":578,"style":70},"a0602b532f47",[567,570,574],{"_key":568,"_type":66,"marks":569,"text":554},"a0602b532f470",[],{"_key":571,"_type":66,"marks":572,"text":573},"a0602b532f471",[187],"OpenID provided email address",{"_key":575,"_type":66,"marks":576,"text":577},"a0602b532f472",[]," ... if you are on our trust whitelist. This works for those rare OpenID providers (currently, only Google GMail) who generate domain-specific identifiers.",[],{"_key":580,"_type":62,"children":581,"markDefs":594,"style":70},"71c315b70245",[582,586,590],{"_key":583,"_type":66,"marks":584,"text":585},"71c315b702450",[],"This satisfies all known OpenID providers, so ",{"_key":587,"_type":66,"marks":588,"text":589},"71c315b702451",[187],"we can now potentially associate your accounts, across all of our websites, automatically",{"_key":591,"_type":66,"marks":592,"text":593},"71c315b702452",[],". You'll still have to log in, of course, but the login itself could trigger account association for every site in the network.",[],{"_key":596,"_type":62,"children":597,"markDefs":602,"style":70},"a89dfea18997",[598],{"_key":599,"_type":66,"marks":600,"text":601},"a89dfea189970",[],"There is one, and only one downside: we must demand email from Google OpenIDs. Email is not usually required to use our sites, but you can't log in via Google if you refuse to provide email to us. You can always switch OpenID providers, of course, but we regretfully must make the email demand mandatory in the case of Google.",[],{"_key":604,"_type":62,"children":605,"markDefs":610,"style":70},"689d63badaba",[606],{"_key":607,"_type":66,"marks":608,"text":609},"689d63badaba0",[],"Still, given the overwhelming dominance of Google OpenIDs, we think that's a major improvement, and only a minor tradeoff.",[],true,"2010\u002F04\u002F13",{"code":614,"language":615},"\u003Cp>We made a few key technology bets when we created Stack Overflow:\u003C\u002Fp>\n\u003Cul>\u003Cli>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fopenid.net\u002F\">OpenID\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMarkdown\">Markdown\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwww.asp.net\u002Fmvc\u002F\">ASP.NET MVC\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\u003Cp>I covered \u003Ca href=\"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F10\u002Fmarkdown-one-year-later\u002F\">Markdown, One Year Later\u003C\u002Fa> in an earlier post, and now I'd like to turn my attention to the first item in the list: OpenID.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fopenid.net\u002F\">\u003Cimg src=\"http:\u002F\u002Fstackoverflow.blog\u002Fwp-content\u002Fuploads\u002F2017\u002F02\u002F6C2aN.png\" alt=\"\">\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>After spending nearly two years with OpenID as our \u003Ca href=\"http:\u002F\u002Fopenid.net\u002Fget-an-openid\u002Fwhat-is-openid\u002F\">decentralized, open login mechanism\u003C\u002Fa>, I have some thoughts based on my experience I'd like to share.\u003C\u002Fp>\n\u003Cp>First, to understand our position on OpenID, please read \u003Ca href=\"http:\u002F\u002Fwww.codinghorror.com\u002Fblog\u002F2008\u002F05\u002Fopenid-does-the-world-really-need-yet-another-username-and-password.html\">Does The World Really Need Yet Another Username and Password\u003C\u002Fa>. If you don't have time, I'll quote the most relevant paragraph:\u003C\u002Fp>\n\u003Cblockquote>\nI realize that OpenID is far from an ideal solution. But \u003Cstrong>right now, the one-login-per-website problem is so bad that I am willing to accept these tradeoffs for a partial worse is better solution\u003C\u002Fstrong>. There's absolutely no way I'd put my banking credentials behind an OpenID. But there are also dozens of sites that I don't need anything remotely approaching banking-grade security for, and I use these sites far more often than my bank. The collective pain of remembering all these logins -- and the way my email inbox becomes a de-facto collecting point and security gateway for all of them -- is substantial.\n\u003C\u002Fblockquote>\n\u003Cp>So if we are evangelizing OpenID to some degree, it is because \u003Cstrong>I would rather be part of the solution than yet another brick in the wall of the problem.\u003C\u002Fstrong> Even \u003Cem>if\u003C\u002Fem> it involves a tiny bit of short-term friction. Be the change you want to see, right?\u003C\u002Fp>\n\u003Cp>In the almost two years since we began using OpenID, that tiny bit of friction has gotten progressively smaller:\u003C\u002Fp>\n\u003Cul>\u003Cli>\n\u003Cp>Google began fully supporting OpenID. This was (and is) \u003Cem>huge\u003C\u002Fem>. As you can see from \u003Ca href=\"http:\u002F\u002Fmeta.stackoverflow.com\u002Fquestions\u002F31021\u002Fwhat-openid-providers-should-we-feature-on-the-login-page\">these meta stats\u003C\u002Fa>, Google is by far our largest OpenID provider at 61% of all registered accounts.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Microsoft \u003Ca href=\"http:\u002F\u002Fblogs.verisign.com\u002Finfrablog\u002F2007\u002F02\u002Fverisign_microsoft_partners_to_1.php\">announced OpenID support\u003C\u002Fa>. Although there was a beta, and beta live.com OpenIDs were used on our website -- the current state of their OpenID support is in limbo. Still, being Microsoft, their official (though technically nonexistent, and I'm sure trapped in \u003Ca href=\"http:\u002F\u002Farchive.scripting.com\u002F2001\u002F04\u002F29#strategyTax\">strategy tax hell\u003C\u002Fa>) support legitimizes OpenID as a standard.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Most client implementations of OpenID have switched from \"enter your OpenID URL\" to \"click the logo of the company that provides your identity\". OpenID was frequently criticized for being too URL-centric when the user identity world is email-centric, so this is a significant usability improvement.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>We implemented \u003Ca href=\"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F01\u002Fwe-now-support-multiple-openids\u002F\">support for up to two OpenID providers per user\u003C\u002Fa>. This flexibility turns out to be important, so you can switch out or change the OpenID identities in your virtual wallet as you see fit. It's handy to have a backup form of identity \"on you\", just like in real life.\u003C\u002Fli>\n\u003C\u002Ful>\u003Cp>The trend is certainly encouraging. \u003C\u002Fp>\n\u003Cp>However, there have also been a few things that happened which illustrate the \u003Cem>risks\u003C\u002Fem> of OpenID, too:\u003C\u002Fp>\n\u003Cul>\u003Cli>\n\u003Cp>Several lesser providers (Technorati, Vidoop, Mozilla Weave) went belly-up, leaving their users stranded with no way to authenticate.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Occasionally OpenID providers will have bugs or service outages -- even big ones like Yahoo. Fortunately this is quite rare, but it does happen, and \u003Ca href=\"http:\u002F\u002Fmeta.stackoverflow.com\u002Fquestions\u002F1774\u002Fi-cant-log-in-with-my-openid-troubleshooting-tips\">troubleshooting it\u003C\u002Fa> can be a pain precisely because it's open and decentralized, and there are three parties involved -- the website, the user, and the OpenID provider.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>The OpenID protocol itself can be implemented in unusual or incomplete ways by different providers. This leads to challenges for us, but fortunately we have an excellent dialog with \u003Ca href=\"http:\u002F\u002Fstackoverflow.com\u002Fusers\u002F46926\u002Fandrew-arnott\">Andrew Arnott\u003C\u002Fa>, the primary author of the open source \u003Ca href=\"http:\u002F\u002Fwww.dotnetopenauth.net\u002F\">DotNetOpenAuth\u003C\u002Fa> library we use. We \u003Ca href=\"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F12\u002Fstack-overflow-gives-back\u002F\">support the project financially\u003C\u002Fa> and also try to contribute as many bugfixes as possible, so OpenID can get better for \u003Cem>everyone\u003C\u002Fem>.\u003C\u002Fli>\n\u003C\u002Ful>\u003Cp>There are certainly challenges, and although I am open to alternative login mechanisms, particularly for \u003Ca href=\"http:\u002F\u002Fstackexchange.com\u002F\">Stack Exchange\u003C\u002Fa>, I'm still bullish on OpenID. We have to keep move forward on fixing the login explosion problem, because the status quo \u003Cem>sucks\u003C\u002Fem>.\u003C\u002Fp>\n\u003Cp>To that end, we're continuing to refine our implementation. \u003C\u002Fp>\n\u003Cp>Although I listed Google supporting OpenID as my #1 improvement since we began using OpenID, their support also contains a bit of a poison pill --  \u003Ca href=\"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F04\u002Fgoogles-openids-are-unique-per-domain\u002F\">Google GMail OpenIDs are specific to the domain you create them on\u003C\u002Fa>. In other words, the same GMail OpenID used on stackoverflow.com, serverfault.com, and superuser.com results in three different OpenID URLs being created. This is \u003Ca href=\"http:\u002F\u002Fgroups.google.com\u002Fgroup\u002Fgoogle-federated-login-api\u002Fweb\u002Fthe-most-important-technical-issue-in-using-the-google-accounts-api?pli=1\">completely by design\u003C\u002Fa>, but I should note that \u003Cem>no other OpenID provider to date has done this except Google\u003C\u002Fem>. To their credit, they do offer proper named OpenIDs now in the form of \u003Ca href=\"http:\u002F\u002Fblog.stackoverflow.com\u002F2009\u002F11\u002Fgoogle-offers-named-openids\u002F\">Google Profile OpenIDs\u003C\u002Fa>, but this does nothing to fix the status quo for GMail OpenIDs.\u003C\u002Fp>\n\u003Cp>That's a major bummer for site networks like us with multiple domains. We use the OpenID string as your user \"fingerprint\", so if your \"fingerprint\" changes, we can't tell who you are any more. It's a frustrating problem, but we think we've finally come up with a fix: \u003Cstrong>we demand email from Google GMail OpenIDs!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>If we have an email address from a verified OpenID email provider (that is, an OpenID from a large email service we trust, like Google or Yahoo), then it's guaranteed to be a globally unique string. We treat this as part of the identifying user token, attached \u003Cem>only\u003C\u002Fem> at login time, that is not editable by the user.\u003C\u002Fp>\n\u003Cp>So our cross-site user account matching now works this way:\u003C\u002Fp>\n\u003Col>\u003Cli>\n\u003Cp>Match by \u003Cstrong>GUID\u003C\u002Fstrong>. This is something we generate and assign during account association, so it's a perfect fingerprint.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>match by \u003Cstrong>OpenID URL\u003C\u002Fstrong>. This works for the vast majority of OpenID providers.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>match by \u003Cstrong>OpenID provided email address\u003C\u002Fstrong> ... if you are on our trust whitelist. This works for those rare OpenID providers (currently, only Google GMail) who generate domain-specific identifiers.\u003C\u002Fli>\n\u003C\u002Fol>\u003Cp>This satisfies all known OpenID providers, so \u003Cstrong>we can now potentially associate your accounts, across all of our websites, automatically\u003C\u002Fstrong>. You'll still have to log in, of course, but the login itself could trigger account association for every site in the network.\u003C\u002Fp>\n\u003Cp>There is one, and only one downside: we must demand email from Google OpenIDs. Email is not usually required to use our sites, but  you can't log in via Google if you refuse to provide email to us. You can always switch OpenID providers, of course, but we regretfully must make the email demand mandatory in the case of Google.\u003C\u002Fp>\n\u003Cp>Still, given the overwhelming dominance of Google OpenIDs, we think that's a major improvement, and only a minor tradeoff.\u003C\u002Fp>","html","2010-04-13T12:00:00.000Z",{"current":618},"openid-one-year-later",[620,628],{"_createdAt":621,"_id":622,"_rev":623,"_type":624,"_updatedAt":621,"slug":625,"title":627},"2023-05-23T16:43:21Z","wp-tagcat-background","9HpbCsT2tq0xwozQfkc4ih","blogTag",{"current":626},"background","Background",{"_createdAt":621,"_id":629,"_rev":623,"_type":624,"_updatedAt":621,"slug":630,"title":632},"wp-tagcat-company",{"current":631},"company","Company","OpenID, One Year Later",[635,641,647,653],{"_id":636,"publishedAt":637,"slug":638,"sponsored":12,"title":640},"76c9771b-34e6-4d98-8641-ecefc711f0ef","2026-07-06T15:23:34.559Z",{"_type":10,"current":639},"when-the-sensor-starts-thinking-snortml-agentic-ai-and-the-evolving-architecture-of-intrusion-detection","When the sensor starts thinking: SnortML, agentic AI, and the evolving architecture of intrusion detection",{"_id":642,"publishedAt":643,"slug":644,"sponsored":12,"title":646},"28e560af-f0aa-4d46-bd90-f435ad604aa7","2026-06-26T14:00:27.102Z",{"_type":10,"current":645},"paging-charity-how-can-engineering-leaders-avoid-becoming-bond-villains","Paging Charity! How can engineering leaders avoid becoming Bond villains?",{"_id":648,"publishedAt":649,"slug":650,"sponsored":12,"title":652},"4b22c2a3-3779-4966-93eb-5230391dbdce","2026-06-23T14:08:58.595Z",{"_type":10,"current":651},"your-ai-shipped-a-backend-that-boots-that-is-the-whole-problem","Your AI shipped a backend that boots. That is the whole problem.",{"_id":654,"publishedAt":655,"slug":656,"sponsored":12,"title":658},"5cf362e1-fe7b-45af-b69c-914731c6a052","2026-06-23T14:00:00.000Z",{"_type":10,"current":657},"the-2026-developer-survey-is-now-open-for-human-developers-only","The 2026 Developer Survey is now open (for human developers only)!",{"data":660,"sourceMap":-1},{"count":661,"lastTimestamp":12},0]