What is the future of OpenID, OpenID2, Open Connect? Is it worth implementing a provider? [closed]

Answer 1

OpenID 2.0 is deprecated, and just today the OpenID Foundation approved an OpenID 2.0 to OpenID Connect Migration Guide.

I'm not an expert on OpenID, but it's important to be aware that OpenID Connect is fundamentally different from older versions. In particular, it runs on top of OAuth, so the Relying Party must obtain OAuth credentials from the Service Provider.

There is spec that allows the RP to automatically obtain these OAuth Credentials (called Dynamic Client Registration), but the spec is marked as "optional", it is not widely supported in client libraries, and I severely doubt we'll be seeing many applications implementing Dynamic Client Registration.

The movement to OpenID Connect takes the power away from both users and from application developers (not to mention the smaller identity providers) and gives it all to the large, name-brand service providers. So unfortunately, it looks like the idea of setting up your own personal OpenID Provider is not going to be future proof.

Answer 2

What the future holds is of course hard to predict.

Google has implemented OpenID Connect. They have Discovery implemented, but as a generic OIDC IDP that's not very useful without Dynamic Registration since you still have to register an app and get the keys. That could work in their favour I'm afraid, since people might prefer Google login and thereby not care about OIDC based on user-provided e-mail or URL.

According to OpenID Certifications, very few have Dynamic Registration implemented, but it's still very young and could change.

I sincerely hope that full OpenID Dynamic will get a wide adoption, preferrably by e-mail providers, so that we can have a single sign-on based on your e-mail, something most people can remember rather than some obscure http endpoint.

I am about to make this for my own server; a simple small OIDC and webfinger server in node.js based on openid-connect. It is up to us to make it easily and widely adopted, I'll put a link in a comment here when my miniserver is available with an npm install :-)

Answer 3

If you want to set up your own OpenID provider, I can suggest two available options that you might like to look at. They're both PHP solutions.

The first is the easiest to implement, phpMyID, has been deprecated by its owner but it has risen again on GitHub. I quickly tested this yesterday using PHP 5.6.8. It's just two PHP files.

The second one is called SimpleID and is what I am currently using. I've used it to log on to a number of sites including this one.

Neither are OpenID Connect, however. I am looking for a solution to that so that I can upgrade (this search drew me to your question). The best candidate that I have found so far is called Gluu but it appears to be a behemoth and I haven't yet tried it.

SimpleID has a Trac ticket and a development branch to support OpenID Connect but it would appear to be dormant.

Another interesting thing I found while searching is web sign in and IndieAuth. Not OpenID, but interesting nonetheless.