Over the last few days, I experienced myOpenID downtime, which prevented me from using the StackExchange suite of sites, such as StackOverflow. I have resolved my issue, have a word of caution for others in my situation, and have a suggested solution.
For those who don’t know, some background:
- OpenID is a decentralized, single-sign-on authentication system, supported early on by JanRain, and ostensibly maintained by the OpenID Foundation. There are many OpenID service providers, including myOpenID, which was created by JanRain.
- StackExchange is a set of Q&A sites that use social-networking and a tiered voting system that results in very well-balanced, peer-managed sites. StackOverflow is the original and most famous of these sites, which caters to technical Q&A about programming language syntax and technique.
- The StackExchange sites each have user-profiles, and all of these profiles can be linked together. Authentication is provided by OpenID.
A while ago I wanted a StackOverflow account, so I created a myOpenID login, created StackExchange and StackOverflow user-profiles, and associated my myOpenID login for OpenID authentication.
All seemed fine with this setup; I have successfully used this intermittently for years. That is, until earlier this week, when I went to re-login using myOpenID and discovered this authentication login service was down. “What, how could this be down, this was supposed to be the premier OpenID service on the web!”
After some searching, I realized my assumptions were woefully wrong. JanRain, while having initially invested in OpenID, seems to have moved away from this and onto managing centralized, commercial sign-on services such as via Facebook and Google, along with tracking, targeting, and managing user-data for commercial uses. In fact, recently they have invested little in their myOpenID service (there have been several multi-day outages). In fact, it seems that the whole OpenID infrastructure hasn’t been growing or maturing well at all.
So, after a few days, the myOpenID service came back. With this, I was able to access my StackExchange profile. Having just been burnt by myOpenID, I didn’t want this to happen again. Thankfully, one can associate more than one OpenID login with a StackExchange profile. Also, StackExchange provides their own OpenID logins. So, I created a StackExchange OpenID, and added this to my profile. Now I have some redundancy, as both OpenID services would need to be down to prevent StackExchange use. This also gives a bit of security, since StackExchange has a vested interest in maintaining its own OpenID logins for their own users.
Some reflections & lessons learned:
- without an OpenID login provider having a strong incentive to maintain their service, this situation is quite fragile; the whole point of OpenID was that you’d have one e-mail/password combo that would be used to authenticate to multiple sites, but if that provider isn’t reliable, it’s another point-of-failure.
- understanding the above, and wanting to protect access to StackExchange (and any other OpenID-authenticating sites), it is imperative to have redundant OpenID logins associated with my profile.
- given that StackExchange provides their own OpenID login, it seems quite natural to have one and associate it with their user-profiles. They wouldn’t want to have any downtime in the OpenID system, since it will directly affect their users.
- finally, I find it sad that the single-sign-on via an open, decentralized system like OpenID hasn’t grown faster. Abstractly, having this would make the internet a much better place.
Some advice if you use any OpenID login-based authentication service:
- check if you can have multiple OpenID logins associated with your profile. If so, I strongly encourage you to do so.
- if you use myOpenID, consider finding another primary OpenID provider, and migrate to that soon.
- if you use StackExchange but don’t have a StackExchange OpenID associated, consider creating one and adding it to your StackExchange profile: it likely will be there as long as the StackExchange sites persist.
Because we kept getting asked: openid.stackexchange.com is a permanent service we will fully support for as long as we are solvent as a company. Feel free to host some part of your identity with us forever, and we promise to … well, hopefully not suck in the manner to which you have become accustomed.
Update: 2013 July 25 18:06:37
The StackExchange team got back to me regarding my initial e-mail about my difficulties; they are taking some proactive steps to mitigate this problem: http://meta.stackoverflow.com/questions/190442/myopenid-no-longer-supported-add-alternative-login-method-to-your-account