Support for OpenID ended on July 25, 2018

support status-completed sede

I'm using https://openid.stackexchange.com/ to log in on SEDE, the Stack Exchange Data Explorer. Will there be another kind of integration between SEDE accounts and Stack Exchange accounts or do I need to switch providers there as well?

Update: that 'another kind of integration', login via Stack Overflow with OAuth is live as of August 2020: Stack Exchange Data Explorer Login is Changing

ChatExchange is a Python API for Stack Exchange chat. It logs in by visiting openid.stackexchange.com, logging in (scraping the page for fkey), and then using that cookie to log into a Stack Exchange site. The cookie from Stack Exchange login then gets used to authenticate for chat.

SmokeDetector uses ChatExchange. If that flow breaks, we'll need to know about it so that we can put the necessary patches in place and not have extensive downtime while we figure things out. A transition period where both the old flow and the new flow work would be ideal.

The timeline says June - run an announcement banner for users who sign in with OpenID.

• Why wait until June? Shouldn't the announcement banner go up immediately?
• How about also showing the banner to users who use StackExchange as their OpenID provider?

TLDR: OK for tearing down openID if it means cleaner code, but vision-impaired people should be allowed to still answer, and if possible upvote and comment without JavaScript.

At the end of April 2018, OpenID is necessary to log in, ask questions, answer and edit on the sites of the StackExchange network without any JavaScript. But Logging in needs, as of April 2018, OpenID as explained in new message Because JavaScript is disabled, you can only log in by entering your OpenID URL manually:.

Previously, in 2013 and at the time the above question and this answer were created, openID and some whitelisting of some JavaScript sites were necessary to answer, comment, and chat on the sites of the StackExchange network.

The best browsers for vision-impaired people (me!) do not support JavaScript but are the only choice for blind users out there. I am fortunate enough to be able to use firefox, but what about truly blind people?

Security-conscious users also tend to use the fewest possible JavaScript websites.

This is also a way to speed up a lot the time to show web pages. The fastest load time is with the lynx browser. Lynx is fast because it does load images. Lynx browser also happens to be favored by blind people with text readers.

My life

I use lynx 99% of the time. No interest in seeing images except for click-bait pages.

I use firefox for www.sharelatex.com, to vote or answer on StackExchange websites, for google agendas, and for shopping. The rest, among which news.google.fr, gmail.com, searching (including in StackExchange websites), ... I do that in lynx browser. I just started answering and editing posts on the lynx browser also. But I would also like to favorite (the favorite button is an unhelpful link to the current question), upvote, and comment nicely, and as a side have a better interface than manually entering the URL https://<URL>.com/posts/<Question ID>/comments to open hidden comments.

PS: I am now editing this post using lynx browser, thanks @KevinMontrose for the work. Though I like to be able to upvote questions and answers, I'll do that a few times a day if it did not require a graphical browser like firefox.

Just a quick addendum to Joe's post, we'll have a pretty strong support plan in place for those that become disenfranchised from their accounts due to not seeing the message. While we're being really proactive about getting the word out, there's always going to be a few stragglers.

When we pulled MathOverflow into the network after making major changes to how accounts are structured compared to the version of the SE 1.0 software they were using, we ended up having to manually fix quite a few accounts and it went remarkably well. So, we've got everything needed to support folks. It won't be the end of the world for anyone that misses the boat.

There's also the case of benevolent bots, those that folks in our community create that need to log in to be useful. Reach out to us with any major concerns so that we can do what we can to coordinate (which could be as simple as guiding you to other larger projects working on the same thing where you could combine forces).

The numbers seem too convincing for the decision but don't we need to consider each user group's activity/contribution to the community?

The activities/contributions of 13k active OpenID users(which is 0.13% of total members) constitute only 0.13% of the total activity/contribution?

Can you keep providing OpenID without accepting different OpenID providers?

(And of course, if so, would you consider it?)

I understand the complexity involved in accepting many different logins. Surely that is (at least in great part) separate from the complexity of providing OpenID? One requires calling external APIs the other is providing one to the outside by only checking SE login. Or can you not have one without the other? Or does this question not make sense because it's basically what OAuth does?

I'm not the most regular user of OpenID but it's sure nice to not have to create an account for every bug tracker or what not out there that I'll use only once.

Stack Exchange is the only OpenID provider I can use, for reasons. I'm not in the same position as some other people who've used theirs for things other than testing, but I would still find some similar system extremely useful. Are there plans to provide a Stack Exchange OAuth?

I'm one of those folks who's impacted though in the oddest of ways. I've used an OpenID provider I run myself as a backup since every so often, I run into workplaces that supply me with systems I don't trust. Being able to log into what's essentially a disposable set of credentials was kind of reassuring.

That said? Considering the epic dead pool of OpenID providers, and what I read on various tweets, and the reactions of devs current and past? This has to be a good thing.

It would be nice to have a "roll your own" sign-on option - for folks who want to have their cake and eat it - and have SE login and a backup without needing to trust Facebook or Google. I half suspect the need for this on SE is relegated to the epically geeky, however.

ChatX is a ruby chat libarary which I wrote and maintain. I figured I could just migrate it to normal SE login, but it turns out that the "Log in with Stack Exchange" button to log in to chat actually POSTS to https://openid.stackexchange.com/affiliate/form/login/submit. Hence, this will also break when openid breaks. That leaves only google/facebook/yahoo oauth, which aren't really things we can migrate chatbots to easily.

TL;DR I'd like to see a solid SE non-openid login form ASAP that I can migrate my stuff to.

If it's easy (big "if"), is there any chance of getting a site-agnostic global-auth login page at https://stackauth.com/users/login, for chat bots to use? It wouldn't be part of any user-facing website, so it wouldn't create any misleading expectations like preserving https://stackexchange.com/users/login.

The bot libraries generally only take email and password to login, which means they don't know what sites the account has profiles on, so they don't know which site-specific login route to use.

So does this mean that the Android Stack Overflow app will finally support Facebook logins? For the longest time, it's supported Google, Stack Exchange, and OpenID logins only, and I suppose the third button's up for replacement now...

I understand removing code that very few uses. I use OpenID over Google/Facebook for anti-surveillance reasons.

When you remove OpenID I understand I can still use username/password.

Is there another alternative? If OAuth is still supported, can I be my own OAuth provider?

Would you please put in your main post the websites/logins you will still specifically maintain? I login with Yahoo. I will never have a Facebook account, and keep Google strictly for use of updating apps on my phone and nothing else (otherwise I'm logged out). Just want to make sure that your current support for everything not OpenID remains in tact. Right now those options are:

• LiveJournal
• Blogger
• AOL
• Yahoo

I don't mind your special partnerships with Facebook and Google. It's good business. The rest of us shouldn't also find ourselves shut out with this change however.

then make life easy and go now and add your Google or Facebook credentials or set up email/password auth.

I do not want to have neither a Google nor a Facebook account - and even if I had to, I would not want to link those to my account here.

March - Convert Launchpad (used on askubuntu.com ) to OAuth

So, if I sign in to AskUbuntu via Launchpad, will I be able to then log-in to the rest of my accounts, without having to add an extra e-mail address? If so, then it's all the same to me if OpenID is gone (I liked this site, because I did not have to register to begin with, which OpenID with my Launchpad account allowed then).

I expect that a good number of those active OpenID users will not be able to figure out how to migrate from the instructions in this question, or from anywhere else reasonably discoverable.

See this post for details, but briefly: if you already have an email/password login, but have no idea what the password is (because you've been using OpenID for years), you can't use login-add, or the only other obvious link from mylogins (password-reset), or in fact anything else visible anywhere I can find on the site. What you have to do is go to account-recovery, which you would never find.

This question should be edited to explain what many of the actual active OpenID-logging-in users actually need to do. (And whatever announcements go out as July approaches also need that explanation.)

Also, the relevant pages should be improved, but there are other questions for that: add-login page tries to auth existing email/password login.

The decision to drop OpenID support is very unfortunate.

I use OpenID as my preferred login method wherever possible. I would argue that most of those users using OpenID are probably also those more valuable in the community compared to masses of one visit Facebook "users" and the likes. Why on earth would anyone want to use such an account to log in to SO? To brag about answering questions in front of their "friends"? Someone must have hit the ground with their head really hard.

On the note of simplification of code by removing OpenID. Since when it became a solution to a problem to "ignore the problem"? Is that why we write code? Do not think so. Making pretty pictures somewhat does not make much to support that.

How do you come to the conclusion that OpenID is a failure? I am using mojeid.cz as an authentication provider. The service is run by a nonprofit organization that is also maintaining our national TLD registry - CZ.NIC. It is steadily picking up traction and is on track to become a nationwide login method with verified identity, to have the same legal weight as declaring identity in person against state authorities. It is also gaining wide support on commercial sites as well.

Third-party OpenID service allows me to log in anywhere using two-factor authentication, which has only a poor replacement in using google or even Facebook with questionable "trust feeling". That does not feel like an adequate replacement. How can we use prehistoric "mail+pass" with any sense of security and privacy compared to google and Facebook login providers?

Are you planning to add two-phase authentication support for logging in with mail+pass?

Keeping the OpenID support would be preferable from a not-a-noob user perspective. Please reconsider and DO NOT remove it.

Run an announcement banner for any user who signs in with deprecated OpenID credentials urging them to add a new provider to their account

You should definitely show that banner for any user that is logged in via OpenID, not just when signing in. I, for example, am signed in with OpenID, but my last new login was in December.

Additionally I have not received any emails yet and June is almost over. I have not registered an email on my Stack Exchange account, but I have one for Stack Overflow.

Just dropping in an "answer" with some misinformation following the closure of OpenID.

I've been authenticating using my own provider and was just locked out of my account. I could not remember other logins and, being locked out, had no way to see them. Anyway I tried the email address that I use on here for a password reset and that got me in.

What's interesting is the wording in the password reset email:

We received an account recovery request on Stack Overflow for ......

If you initiated this request, reset your password here.

As a reminder, you can use any of the following credentials to log in to your account:

• Click the "more login options" link, enter "http://openid.url" in the OpenID field and click "Submit"

Which is obviously wrong. Just thought I'd point it out in case it was missed.

I am sorry to see OpenID go. I remember writing my own Ruby module to authenticate users using OpenID; I remember how awkward it was to get it working. But it was fun... farewell OpenID.

PS. As an alternative login, I second the idea of a GitHub option. It's the best fit for this site; I would personally never use Google to authenticate or Facebook for anything!

OpenID was never intended as a general login system. That's just a widespread misattribution. (Which SE has clearly contributed to.)

Shutting it down habitually will have some ripple effects outside of SE/SO, however. It's not just Stack-specific bots using the OpenID consumer. Many users here do utilize the OpenID provider too.

• For instance I get the most useful flags on //freshcode.club from users with a StackExchange OpenID handle.
• They're not just more frequent than Yahoo logins, but inherently more trustworthy. IMO.

Just measuring active SE logins falls a bit short of its actual impact. Code complexity might not warrant it. But all the maintenance and effort done over the years wasn't spent on the local scope alone.

Just got the notification as a user of OpenID.

Stack Overflow being a developer centric site, I'm surprised that there isn't a GitHub login option. The majority of services I use seem to integrate.

Personally, I'd prefer that over Google/Facebook.

If you have your own domain set to be your OpenID provider, you may find https://bogomips.org/local-openid/ useful for running a one-off service long enough to log in to Stack Overflow and change your settings. Note that if you run it behind a reverse proxy you will probably have to edit the server_root method to provide your base_url. Also if you are using a modern Ruby you will need to edit ruby-openid-2.1.8/lib/openid/cryptutil.rb to redefine CryptUtil.hmac_sha1 to be:

def CryptUtil.hmac_sha1(key, text)
  digest = OpenSSL::Digest.new('sha1')
  OpenSSL::HMAC.digest(digest, key, text)
end

(The shipped version depends on digest/hmac, which was removed around Ruby 2.2.

I wanted to ask if this change (affecting 14,000 users) was discussed on meta before the decision was made? Maybe I just missed it?

Add a link to this question to the login page. I never received an email and had no idea where my login option had gone. This page is difficult to find (googling for problems about SO as opposed to on SO is always difficult...)

The Stack Exchange login screen does not have an email/password option, only the OpenID options:

https://stackexchange.com/users/login

Might be nice to get one.

I have accounts on many Stack Exchange communities (and unfortunately I don't even remember all of them by heart - I just login to them from time to time).

If I add another login method to Stack Overflow, will it be added automatically to all other Stack Exchange communities?

Or must I track the list of all the communities where I have previously logged-in with OpenID and manually add the new login method? (and to do all this during the next few weeks...)

I have a few questions, please.

1. Using what I thought were my Stack Exchange Open ID (https://openid.stackexchange.com/) username and password to log in via email at SE sites seems to work. Is this because my login has been auto-migrated to email and password?
2. Do I understand correctly that https://openid.stackexchange.com/ will, at some point, cease to be available?
3. If the answer to 2 is a yes... I think I may have logged into one or two other non-SE sites using OpenID, with Stack Exchange OpenID as my provider via entering my own domain. My site's head section has <link rel="openid2.provider" href="https://openid.stackexchange.com/openid/provider"/>. To continue doing so, will I be able to point this link href value to another provider? (Or also migrate to using an email address and password at each site?)

I don't believe I received any notification email or saw notifications at SE sites, and I only found out about this today due to actively searching after realising that the SE sites' login pages no longer have an option to log in with OpenID.

If the software design is not complete garbage, the authentication method is implemented by an isolated module with a defined interface, right?

So why did this not begin as a request for volunteers to maintain the OpenID module? If no one volunteers, then remove support...