A day after announcing their support for OpenID, Google has decided to back off on the requirement that relying parties first get approval from Google to accept OpenIDs originating from Gmail. Google says the reason they’re lifting the requirement is that more sites than they could handle applied for API access.
在宣布对OpenID的支持后的第二天,Google决定放弃要求依赖方首先获得Google批准才能接受来自Gmail的OpenID的要求。 谷歌表示,之所以取消要求,是因为申请API访问的网站数量超出了他们的处理能力。
Google’s Eric Sachs explains in a blog post what this means for consumers:
Google的Eric Sachs 在博客文章中解释了这对消费者意味着什么:
That registration requirement also led to some confusion because users wanted to be able to use existing websites that accept OpenID 2.0 compliant logins by simply entering “gmail.com” (or in some cases their full E-mail address) into the login boxes on those websites. Normally what would happen after a user typed gmail.com is that the relying party website would look for a special type of file (XRDS) on the gmail.com servers that would check if Gmail run an OpenID identity provider. For yesterday’s launch, we specifically chose not to publish that special XRDS file on gmail.com because if we had published the file, users would have received an error at Google if the website they were trying to log into had not registered with us. Now that we have removed the registration requirement, we will work on pushing that XRDS file as quickly as possible. Once the XRDS file is live, end-users should be able to use the service by typing gmail.com in the OpenID field of any login box that supports OpenID 2.0, similar to how Yahoo users can type yahoo.com or their Yahoo E-mail address. (In the meantime, if you feel really geeky, you can type “https://www.google.com/accounts/o8/id” into an OpenID 2.0 compliant login box and see the directed identity workflow in action.)
该注册要求也引起了一些混乱,因为用户希望能够通过简单地在登录名上的登录框中输入“ gmail.com”(或在某些情况下,其完整的电子邮件地址)来使用接受OpenID 2.0兼容登录名的现有网站。网站。 通常,在用户键入gmail.com之后会发生的事情是,依赖方网站会在gmail.com服务器上查找特殊类型的文件(XRDS),该文件会检查Gmail是否运行OpenID身份提供程序。 对于昨天的发布,我们特别选择不在gmail.com上发布该特殊XRDS文件,因为如果我们发布了该文件,则如果他们要登录的网站未在我们这里注册,则用户会在Google上收到错误消息。 现在我们已经删除了注册要求,我们将尽快推送该XRDS文件。 XRDS文件生效后,最终用户应该可以通过在支持OpenID 2.0的任何登录框的OpenID字段中键入gmail.com来使用该服务,类似于Yahoo用户可以键入yahoo.com或他们的Yahoo E-邮件地址。 (与此同时,如果您真的很讨厌,可以在符合OpenID 2.0的登录框中输入“ https://www.google.com/accounts/o8/id”,然后查看实际的定向身份工作流程。)
Google also addressed the issue of when and if they’ll become a relying party. The reason they haven’t, says Sachs, is a technical issue. That problem, he says, is that rich-client apps would break if Google supported federated login for consumer users because the idea of a username and password is hard coded into those desktop and mobile apps. That’s exactly what already happens today, he says, for enterprise email customers that use their own identity provider and for which Google is a relying party.
Google还解决了何时以及是否成为依赖方的问题。 萨克斯说,他们之所以没有,是一个技术问题。 他说,问题在于,如果Google支持消费者用户的联合登录,则富客户端应用程序将会崩溃,因为用户名和密码的想法被硬编码到那些台式机和移动应用程序中。 他说,对于使用自己的身份提供者并且Google是其依赖方的企业电子邮件客户而言,这就是今天已经发生的事情。
Sachs says Google is working on the problem, but falls short of promising that Google will become a relying party (or talking about a timeline for that to happen).
萨克斯(Sachs)说,谷歌正在努力解决这个问题,但没有承诺谷歌将成为一个依赖方(或谈论实现这一目标的时间表)。
One of our readers, Deron Meranda, provided some interesting ideas on other reasons why a large provider of OpenIDs such as Google or Yahoo! might not want to be a relying party in a comment yesterday. An excerpted version is below:
我们的一位读者Deron Meranda就其他原因如Google或Yahoo!这样的大型OpenID提供者提供了一些有趣的想法。 也许不想在昨天的评论中成为依靠党。 摘录的版本如下:
If one of their email accounts gets hacked; they may have some legal liability, or at least bad PR to content with. It’s bad enough when Yahoo! gets a lot of bad press when [US Governor Sarah] Palin’s account was cracked; imagine what would happen if a third-party OP was also in the mix. Yahoo! would still get all the bad attention, but the breach wouldn’t even be their fault or under their control.
如果他们的一个电子邮件帐户被黑客入侵; 他们可能要承担某些法律责任,或者至少对PR满意。 当Yahoo! [美国州长莎拉]佩林的帐户被盗后,媒体受到了很多负面新闻的报道; 想象如果同时使用第三方OP会发生什么情况。 雅虎! 仍然会引起所有不良关注,但违反行为甚至不是他们的错或在他们的控制之下。
Also, the big guys are, hopefully, much more security savy [sic] than smaller sites. They have the capacity to correctly and securely manage logins, encrypt passwords, deal with password recovery, protecting against bot accounts, and so on. Also they can tend to be a little more protective over user’s privacy (or at least have more money and layers); sure it’s not perfect, but Google is going to resist pretty hard when some company says it needs the name of the user for an account; without some sort of legal warrant. I’m not sure all the smaller OPs out there are as “secure” or trustworthy, so the big players should be concerned that this could jeopardize it’s user’s privacy when it outsources authentication to another party.
而且,希望大型公司比小型站点具有更多的安全知识。 他们有能力正确,安全地管理登录名,加密密码,处理密码恢复,防范僵尸程序帐户等。 而且,它们可能倾向于对用户的隐私更具保护性(或者至少拥有更多的金钱和财富); 确保它不是完美的,但是当某家公司表示它需要一个帐户的用户名时,Google会极力抵抗。 没有任何法律令。 我不确定所有较小的OP是否都是“安全”或可信赖的,因此大型参与者应该担心,当将身份验证外包给另一方时,这可能会损害其用户的隐私。
This is not to say that we shouldn’t pressure them to become RPs as well, but we should appreciate that there are some special circumstances for them that need some careful thought. I think some of that is just a matter of time, allowing OpenID to mature more.
这并不是说我们不应该向他们施加压力,也要使他们成为RP,但是我们应该意识到,在某些特殊情况下,他们需要仔细考虑。 我认为其中一些只是时间问题,允许OpenID更加成熟。
Also, unless you are one of the few big players (Google, Yahoo!), then you should be an RP. The arguments for being an OP only is not nearly as defensible.
另外,除非您是少数几个大公司(Google,Yahoo!)之一,否则您应该是RP。 仅作为OP的论点几乎没有根据。
In other words: it’s politics.
换句话说:这是政治。
Whatever the reason, I’ll still stand by my assertion that OpenID won’t work, and won’t be an easy sell for consumers, until they can truly trust that their ID will work as a login everywhere, regardless of who their provider is. The attempts by Yahoo! and Google to obfuscate the OpenID brand by encouraging developers to add “Sign in with Yahoo!/Google” buttons are also not helpful. Hopefully, though, the big three really do want to become relying parties, rather than control a branded universal identity experience. This is one thing I would love to be wrong about.
不管是什么原因,我仍然坚持我的主张,即OpenID将不起作用,并且对于消费者来说不会轻易卖出,直到他们真正相信其ID可以在任何地方作为登录名,而不管其提供商是谁。是。 雅虎的尝试! 谷歌通过鼓励开发人员添加“使用Yahoo!/ Google登录”按钮来混淆OpenID品牌也无济于事。 不过,希望三巨头确实希望成为依赖方,而不是控制品牌化的通用身份体验。 这是我想错的一件事。
翻译自: https://www.sitepoint.com/google-removes-openid-whitelist-requirement/
相关资源:jdk-8u281-windows-x64.exe