There is an underlying problem with OAuth and OpenID – and it has nothing to do with the idea itself. The specs for both projects are impressive (marred by a few flaws, I admit) and most implementations are sound. The problem is that no one seems to be using them in the way intended.
Google offer OpenID as a service to account holders. That’s excellent: millions of people use Google and can now access sites that support OpenID. But it’s not possible to sign in to Google using OpenID.
Twitter support OAuth – and allow you to use a Twitter account to authorise with other websites. But you can’t log into Twitter using another OAuth provider.
Facebook are going entirely their own way.
The ecosystem is entirely unbalanced.
So long as you wish to sign in to a “smaller” site using OAuth or OpenID, you’re fine. But what if you want to run a Google and a Twitter account (something not uncommon, I imagine)? One can’t provide “auth” for the other, and the end result is two separate accounts. When you add in the fact that OAuth and OpenID are competing, and that Google et al. are making their own tweaks on top of the standard, a huge mess arises.
Even the smaller sites, who should benefit from being able to support logins from lots of big-name providers, are stuck working out how best to support the varying implementations. The end result – “sign in with Google” or “sign in with Twitter” – seems to defeat the object.
I’m not sure I can see a reason for resisting this. Admittedly it is currently a little work for no gain – but just a couple of big providers making the effort would quickly turn it into a worthwhile pursuit. Until that happens, OAuth/OpenID are going to “languish” as services provided by the big sites for occasional consumption by the smaller ones.