Is OpenID Connect a new version of OpenID?
3/9/2014, 12:34:00 PM
Short answer: who cares?
Tl;dr: no.
OpenID Connect seems to be getting traction. As one of the implementers of OpenID and OpenID 2.0 implementations, I am very curious why the foundation keeps using the term OpenID for it.
OpenID, to me, was a revolution started by a few of the brightest minds of our generation. Its aim was to be “a decentralized identity system, but one that’s actually decentralized and doesn’t entirely crumble if one company turns evil or goes out of business.” (The top page of OpenID.net in 2005).
Is OpenID Connect still a decentralized identity system that doesn’t crumble if Facebook or Google or AOL or whichever internet giant goes out of business? No, it is not something like that. But who cares? If they go, everybody goes.
OpenID has been that way since OpenID 2.0, which allows you to start an authentication process by merely stating you are one of the account holders of “yahoo.com”. OpenID, because its purpose was to verify that you own your own domain such as “www.luckypines.com”, always had to ask you to enter “http://www.luckypines.com”, or, for another example, “http://itsme.yahoo.com” (not a valid URI as of this writing). Neither Yahoo nor Google gives each user account its own subdomain, as LiveJournal and TypePad did, and as other hip services did too at that time. So being an account holder at Google, Yahoo, AOL, … was not sufficient for a person to have an OpenID-verified identity, because s/he doesn’t own a domain.
OpenID 2.0 solved the problem by adding the OP Identifier to the spec. Instead of asking a user for a domain s/he owns, it allowed a user to tell a relying party the domain of one of the internet giants, who would then identify the user on his/her behalf.
At this point, OpenID 2.0 became a protocol for a select few centralized identity providers: only a few internet giants could manage your identity. It may be open because the protocol is open and there are many reference implementations that are open source, but OpenID 2.0 is not “a decentralized identification system” any more.
It was interesting that OpenID was “a visionary’s tool that never got much commercial adoption” according to the OpenID Foundation, and that OpenID 2.0 had adoption problems because it relied on XML (“What is the history of OpenID?” - http://openid.net/connect/faq/).
Those are probably true; as a Six Apart employee (2006 - 2010), I saw OpenID implementations everywhere, but those were all by visionaries and none was by the giants. It was a start-up project. I saw a lot of implementations of many, many things that relied on XML. But those were not by people who could be considered a majority.
Now, finally, OpenID Connect launches. It’s not even an OpenID 3.0. It’s just a profile of OAuth 2.0. I am confused; why shouldn’t it be OAuth 2.0 + Authentication Profile? I mean, the concerns that the OpenID Foundation raises are valid: relying too much on HTTP redirection doesn’t work well in this native mobile app ecosystem. XML is a thing of the past; JSON is the only pragmatic option for serializing opaque data between two computer systems and communicating it over the wire. But it doesn’t solve the problem in the way the visionaries saw in OpenID. Why does it have to be a version of OpenID?
I may be feeling a little too nostalgic; those were the good old days for me, when everything around me looked brighter. I am not saying OpenID Connect or the OpenID Foundation is BS. As a matter of fact I’ll implement it in our own service soon. But I can’t help feeling uncomfortable when someone says it is the “Identity Layer of the Internet”, when all it does is encourage us to rely on a very small number of giants and forget about owning my own identity. OpenID encouraged me to be free from authority; OpenID Connect encourages me to rely on it.
Yes, I’m interested in Camlistore too, although I haven’t done anything with it yet.