[wp-hackers] GSoC 2008 Proposal: Core OpenID Support

[Otto]

On Tue, Mar 18, 2008 at 3:47 PM, Ronald Heft <ron at cavemonkey50.com> wrote:
> While a blog administrator can take advantage of OpenID by installing a
> plugin, not many do. The mass majority of WordPress blogs do not have any
> OpenID support, and that disadvantages the OpenID user.

I should point out here that the goal here should be to improve
WordPress and the experience of the WordPress user. We're not
developing for the OpenID user base.

> An OpenID user can
> not install OpenID on any blog they wish; that option is up to the blog
> administrator. So, if I come across Joe's Blog and I want to comment, my
> option of using OpenID is limited to if Joe installed a completely optional
> plugin. By having OpenID support built right into WordPress, the number of
> OpenID capable WordPress blogs would skyrocket.

True, but largely irrelevant. What does OpenID specifically bring to
the table for WordPress? You've made some excellent points already in
your first post, so allow me to rebut those directly:

Faster commenting: Fill in one field instead of two, or three? Seems
thin, at best. And you didn't add how with OpenID, you'll get
redirected to another website which you have to login to or have
cookies for. The user experience of the commenter seems to be enhanced
very little, for these cases. In fact, the user experience in most
cases I've seen is significantly degraded, because now the whole
interface changes when they go off to another site.

Easier registration: Unless OpenID adds a significant amount of user
data that it does not have already, such as the user's first and last
names, display names, etc, filling out a registration/profile is still
required. You cannot one-step-register, even with OpenID.

Spam: False, OpenID does not and was never intended to prevent spam.
OpenID advocates admit this:
http://wiki.openid.net/FAQ#Does_accepting_OpenID_logins_protect_me_from_spam.3F
Also, there has been OpenID spam already:
http://www.google.com/search?q=openid+spam

Give WordPress.com users a way to login: What if I don't want
WordPress.com users logging into my site? I think most people on this
list would agree that most blogs do not allow registration. Blogging
is generally a one-sided thing: you speak, other people listen. The
only feedback is usually in the form of unauthenticated comments. This
is the most common case. What does OpenID add for this case in
particular?

> And while yes, the spam argument is kind of moot, and most websites do not
> require registration, the websites that do are a pain to deal with. I would
> much rather enter in my OpenID then go through the whole registration
> process.

You have to go through the whole registration process anyway, if they
require it. OpenID is not a replacement for registration, it's merely
a replacement for username/passwords.


My vote says to leave it a plugin. An OpenID server integrated into
WordPress would be nice, but it's not strictly speaking necessary.
It's plugin material. I'm using a minor theme mod on mine to delegate
my own OpenID to wordpress.com. Works fairly well, although maybe 40%
of the time the site has a broken OpenID implementation and it doesn't
work at all.

But an OpenID consumer is definitely plugin material, because the
large majority use-case does not seem to require it.