StackExchange, myOpenID Woes

Over the last few days, I experienced myOpenID downtime, which prevented me from using the StackExchange suite of sites, such as StackOverflow.  I have resolved my issue, have a word of caution for others in my situation, and have a suggested solution.

For those who don’t know, some background:

  • OpenID is a decentralized, single-sign-on authentication system, supported early on by JanRain, and ostensibly maintained by the OpenID Foundation.  There are many OpenID service providers, including myOpenID, which was created by JanRain.
  • StackExchange is a set of Q&A sites that use social-networking and a tiered voting system that results in very well-balanced, peer-managed sites.  StackOverflow is the original and most famous of these sites, which caters to technical Q&A about programming language syntax and technique.
  • The StackExchange sites each have user-profiles, and all of these profiles can be linked together.  Authentication is provided by OpenID.

Awhile ago I wanted a StackOverflow account, so I created a myOpenID login, created a StackExchange and StackOverflow user-profiles, and associated my myOpenID login for OpenID authentication.

All seemed fine with this setup; I have successfully used this intermittently for years.  That is, until earlier this week when I went to re-login using myOpenID, when I discovered this authentication login service is down.  “What, how could this be down, this was supposed to be the premier OpenID service on the web!”.

After some searching, I realized my assumptions were woefully wrong.  JanRain, while having initially invested in OpenID, seems to have moved away from this and onto managing centralized, commercial sign-on services such as via Facebook and Google, along with tracking, targeting, and managing user-data for commercial uses.  In fact recently, they have invested little in their myOpenID service, ( there have been several, multi-day outages. )  In fact, it seems that the whole OpenID infrastructure hasn’t been growing or maturing well at all.

So, after a few days, the myOpenID service came back.  With this, I was able to access my StackExchange profile.  Having just been burnt by myOpenID, I didn’t want this to happen again.  Thankfully, one can associate more than one OpenID logins to a StackExchange profile.  Also, StackExchange provides their own OpenID logins.  So, I created a StackExchange OpenID, and added this to my profile.  Now I have some redundancy as both OpenID services would need to be down to prevent StackExchange use.  This also gives a bit of security, since StackExchange has a vested interest in maintaining it’s own OpenID logins for their own users.

Some reflections & lessons learned:

  • without an OpenID login provider having a strong incentive to maintain their service, this situation is quite fragile; the whole point of the OpenID was that you’d have one e-mail/password combo that would be used to authenticate to multiple sites, but if that provider isn’t reliable, it’s another point-of-failure.
  • understanding the above, and wanting to protect access to StackExchange, ( and any other OpenID authenticating sites, ) it is imperative to have redundant OpenID logins associated with my profile.
  • given that StackExchange provides their own OpenID login, it seems quite natural to have one and associate it with their user-profiles.  They wouldn’t want to have any downtime in the OpenID system, since it will directly affect their users.
  • finally, I find it sad that the single-sign-on via an open, decentralized system like OpenID hasn’t grown faster.  Abstractly, having this would make the internet a much better place.

Some advice if you use any OpenID login-based authentication service:

  • check if you can have multiple OpenID logins associated with your profile.  If so, I strongly encourage you to do so.
  • if you use myOpenID, consider finding another primary OpenID provider, and migrate to that soon.
  • if you use StackExchange but don’t have a StackExchange OpenID associated, consider creating one and adding to your StackExchange profile: it likely will be there as long as the StackExchange sites persist.

References:

Update:  2013 July 25 18:06:37

StackExchange Team got back to my initial e-mail regarding my difficulties; they are taking some pro-active steps to mitigate this problem:  http://meta.stackoverflow.com/questions/190442/myopenid-no-longer-supported-add-alternative-login-method-to-your-account

2 thoughts on “StackExchange, myOpenID Woes”

  1. How feasible (easy?) is it to run your own OpenID provider?

    On a quick google search, I stumbled across this list of openid server software:
    http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server

    but is any of it any good/easy/small/simple to install? (ie, my own preference would be for nothing involving a SQL database unless it is sqlite… but simple text files might be nicer / more convenient to maintain for just myself or a small group of folks on a private domain…)

    Do you have any insight into this?

  2. Dave,

    I’ve never investigated the software to manage my own OpenID service. It would be a nice thing to have in one’s own infrastructure. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *