Skip to content

OpenID for comments in

I have played with OpenID on my test site, and it’s about time to make it available on You may now use your OpenIDs here for your comments!

Many thanks to Jed and Kathleen for helping me out with testing. 😀

How to use OpenID here

1. First of all, you need an OpenID. If you have a blog at LiveJournal,, Vox or TypePad, you already have one: your OpenID is simply the blog’s web address (its URL). Alternatively, you can obtain an OpenID from a vast group of OpenID providers.

2. In the comment form, rather than filling out the Name and Email fields, you need only fill out the Website field. Just enter your OpenID there, then continue on to typing your comment. However, if you do leave the Name field empty, your link will be labeled as Anonymous (though it will still point to your OpenID address).

3. Preview still works as before.

4. Hit the Post button, which will authenticate (when needed) then submit the comment.

That’s it! If you run into strange issues, let me know in the comments. But do read on if you’re curious about more technical details…

Questions & answers

“I don’t want to use OpenID here. May I still leave comments?” Why, yes! You’ll just need to use the “old” method of filling out the Name and Email fields. You can also enter your website URL in the Website field, which will then behave as before.

“How does comment preview work with OpenID authentication?” Even though comment preview still works as before, it is separate from OpenID. In other words, OpenID authentication does not occur when you click the Preview button. The OpenID authentication process takes place once you click the Post button to submit a comment.

“Hey! Why am I seeing a page about comment moderation? I thought I was able to submit comments before…” A known bug, where I’ll need to moderate the comment to make it appear. Fortunately this doesn’t seem to happen all the time.

“How does this relate to the WordPress user registration?” The plugin I use, WP-OpenID+, automatically creates a WordPress user account on this blog, based on your OpenID. Think of it as another way of WordPress user registration.

“Okay, I’ve submitted a comment using my OpenID. What’s this stuff about logging in/out and site administration?” Because a WordPress account is created based on your OpenID. Such an account has Subscriber level role and privileges, which means being able to submit comments to open articles. When logged in, you can submit comments; when logged out, you need to fill out the form fields again (unless your web browser has some sort of form save and autofill). Filling in the Website field with an OpenID then submitting a comment implicitly logs you in.

The Site Admin link you see at the bottom of the sidebar (while logged in) lets you modify your WordPress account profile and OpenIDs (you can have more than one) for this site. You also get the WordPress Dashboard, a panel containing WordPress news and some statistics for my blog. Overall, though, I don’t feel this kind of user administration is a clear or useful feature for commenters; see the issues section for further information.

“So will you still allow the previous way of WordPress user registration?” I had made optional the “previous style” WordPress registration, where you clicked on the Register link in the login screen or sidebar, gave yourself a username and submitted your email for a password. However, very few people used it. So now I’ve decided to turn off registration by that path, which simplifies site administration. Now there are two ways to enter comments here:

  • Old non-registration style, not using OpenID: Requires Name and Email. As before, your email will not be published or distributed. This will not create any user account on this site.
  • OpenID style: Automatically creates a WordPress user account.

“What should I do if I already have an old style WordPress account at this site?” Ah, the lucky (very) few. 😉 Contact me if you also have an OpenID, because I’ll want to delete your “previous style” account here so that you can use OpenID instead. If you don’t, I may leave those accounts around for legacy purposes, since the number is so small.

Minor issues

There a few quirks with how the OpenID plugin behaves. Hopefully these will be resolved eventually, but in the meantime I’ll document them here.

Autogeneration of user accounts

Will Norris, the author of the essential WP-OpenID+ plugin, has thoughtfully made account generation optional in an unreleased version. But for the sake of stability, I’ll stick with the released version for now, r13, so such accounts will be created.

Since you can log in and out, you can also modify your profile and OpenIDs. The problem is that several of these features don’t really apply with OpenID, hence are potentially confusing:

  • Email should not be needed for OpenID commenting. But if you modify anything in Your Profile, you need to enter an email addy. It still won’t be shared or published, but it shouldn’t be necessary.
  • A password is not needed, either, since authentication (“logging in”) is based on the OpenID, not a username / password combination. For now just make both password fields in this section empty.
  • The visual editor is meaningless to Subscribers, since it’s used for writing articles, a privilege deliberately unavailable to this role.
  • And how useful is the Dashboard panel for you as a Subscriber? My gut tells me, “No, it’s not really useful.”

I tried hiding the Subscriber admin panels by hacking around by changing bits in the core menu.php file. But such tweaks remained just that: unsatisfactory hacks that still need tweaking elsewhere, perhaps in theme files. More of a code maintenance headache, without making the user experience significantly better. Optional account autogeneration in the plugin could work around these issues in a smarter fashion. Especially since using an OpenID should avoid creating yet another account to keep track of!

Anonymous labels

As noted earlier, if you leave the Name field blank when using your OpenID, your comment will be labeled as by Anonymous. The link will still point to the OpenID address (such as a blog site), so it’d be more sensible to reuse the OpenID URL as the label text when Name is empty.

Redirection to WordPress login screen

If you decide to respond “No” at your OpenID provider’s authentication page, what should happen? This task currently redirects to the WordPress login screen with a OpenID Verification Cancelled message. Kinda confusing. Instead, it would be much more useful to direct you back to the article you were just viewing. Adding a message about canceling authentication would be nicely informative, too. This still happens even though the Login Stayput plugin is active.

When I’ve tested the “Yes, always” and “Yes, only once” responses, I haven’t encountered this unwanted redirection. Except for in the next case, using a delegation plugin…

Problems with delegation using WP-Yadis

I encountered a minor hiccup while playing with both WP-Open+ (which allows readers to enter comments using their OpenIDs) and the very handy WP-Yadis plugin, also written by Will Norris. WP-Yadis is the complement to WP-OpenID+; the former allows you to use your WordPress blog URL as your OpenID: It does this by delegating the WordPress blog URL through an OpenID you got from a third party provider. So you still need to get an OpenID from somewhere, but as I mentioned earlier, there are a scad of providers to choose from.

The problem: Let’s say I’ve got a WordPress blog called, where I’ve installed both WP-OpenID+ and WP-Yadis. I try to leave a comment using as the OpenID. It doesn’t work; I get an error, OpenID Authentication Failed: Server denied check_authentication. I’m not sure if this is merely an edge-case bug (i.e., it should still work) in the plugin(s), or if it’s actually expected behavior (in which case, it needs better error handling, a clearer “You cannot do that” message displayed, at least).

In any case, I can still leave a comment in using non-delegated OpenID (e.g., a LiveJournal URL), or while logged in as the blog owner. This is just a small annoyance with a workaround, but it would be useful to know what the expected behavior should be.

Conflicts with WordPress 2.2 and WP-OpenID+, other known issues

Several of these issues might be due to differences between WordPress version 2.1 and 2.2, as noted by Michael Gracie. His article helpfully links to a list of open WP-OpenID+ bugs.

Thoughtful ruminations: I wonder if the delegation oddity has same underlying cause as ticket #671? Could the fix for ticket #639 resolve the wacky Anonymous label? Depending on how ticket #644 is fixed, I might need to readjust my user registration policy again; or perhaps it might be more simplified (easier) when account autogeneration could be disabled?

Submit a comment

Your email is never published or shared. Required fields are marked with a red diamond, .