OIDC joins my wall of shame, along with oauth2 and IPsec and USB-C, of standards that specify so little that anybody can comply with them without ever interoperating with anybody.

You have an extra special place for SAML, I suppose?

I don’t know enough personally. SAML seems a bit horrible, but I think the required baseline functionality might be enough to consistently login. It has a lot of optional features but I’m less offended about that.

None of these {#{}}^ standards give me what everyone actually needs: a zero-admin user friendly way for users to push a button to share their identity with a web site. This is why we get stuck with the big 3 identity providers. It’s a giant failure of standardization.

Sounds like time to write a new minimal standard with conformance criteria/test suites :D

My original OpenID was nice. 🤷‍♂️😜

I thought that at the time! But what stopped it? I know oauth1 had some crazy crypto-in-javascript nonsense that held it back, but that wasn't in openid. I'm not clear what happened there... or whether it's reversible :)

Brad, Didn't it have URLs as IDs or something? That part felt weird even at that time (vague memories...)

Yes, it used URLs instead of email addresses. It was ahead of its time. (Nowadays non-nerds people are more likely to identity with or share their Facebook or Instagram or Twitter or GitHub handle than an email) Relying Parties balked at not having an email address to spam with.

Have you considered using IndieAuth (indieauth.spec.indieweb.org) which does the same now? I’ve implemented it on my personal site (github.com/shurcooL/home/iss…) and I’m very happy with it. Especially during GitHub outages.