Just curious about your thoughts on open auth id. Not saying you should do it but is this a possible work around where it is only a universal verification without a request for data.
OpenID is an authentication protocol, but it's not an actual service itself. In other words, it's a standardized way for websites to communicate with each other about authenticating users.
So if you have a user account on Google and would like to log into Cake, Cake could use the OpenID protocol to ask Google if you own the account you say you own.
In this scenario, Google would be acting as an OpenID identity provider (because your login information is stored and authenticated by Google) and Cake would be acting as an OpenID relying party, because Cake would rely on Google to authenticate you and say whether or not you should be allowed to log in.
This still has the drawbacks I mentioned in my previous post, though. Users sometimes forget what service they used as an identity provider, or sometimes they close an account on one service without realizing that this will cause them to lose access to other services that relied on that account as an identity provider. And the identity provider still gets information about all the third party services the user uses, when they log into those services, etc.
Allowing generic OpenID support also creates a potential security issue. While Google and other large OpenID providers have pretty good security track records, literally anyone can run an OpenID identity provider, and there's no guarantee that their security or account management practices are trustworthy. If a sketchy OpenID identity provider has a security vulnerability or gets hacked, that could compromise the Cake accounts of any user who logged in via that provider. We definitely wouldn't want that. 😬