diff --git a/core/modules/openid/lib/Drupal/openid/Controller/OpenidController.php b/core/modules/openid/lib/Drupal/openid/Controller/OpenidController.php
new file mode 100644
index 0000000..1c62545
--- /dev/null
+++ b/core/modules/openid/lib/Drupal/openid/Controller/OpenidController.php
@@ -0,0 +1,38 @@
+<?php
+/**
+ * @file
+ * Contains \Drupal\openid\Controller\OpenidController.
+ */
+
+namespace Drupal\openid\Controller;
+
+use Drupal\Core\ControllerInterface;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+
+/**
+ * Controller routines for openid routes.
+ */
+class OpenidController {
+
+  /**
+   * Completes openid authentication, then returns the result or a redirect.
+   *
+   * @return \Symfony\Component\HTTPFoundation\RedirectResponse
+   */
+  public function authenticate() {
+    $result = openid_complete();
+    switch ($result['status']) {
+      case 'success':
+        return openid_authentication($result);
+      case 'failed':
+        drupal_set_message(t('OpenID login failed.'), 'error');
+        break;
+      case 'cancel':
+        drupal_set_message(t('OpenID login cancelled.'));
+        break;
+    }
+    return new RedirectResponse('/');
+  }
+
+}
diff --git a/core/modules/openid/openid.module b/core/modules/openid/openid.module
index 51fe3c2..d431c8d 100644
--- a/core/modules/openid/openid.module
+++ b/core/modules/openid/openid.module
@@ -7,18 +7,12 @@
 
 use Guzzle\Http\Exception\RequestException;
 use Drupal\block\BlockPluginInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
 
 /**
  * Implements hook_menu().
  */
 function openid_menu() {
-  $items['openid/authenticate'] = array(
-    'title' => 'OpenID Login',
-    'page callback' => 'openid_authentication_page',
-    'access callback' => 'user_is_anonymous',
-    'type' => MENU_CALLBACK,
-    'file' => 'openid.pages.inc',
-  );
   $items['user/login/openid'] = array(
     'title' => 'OpenID',
     'page callback' => 'drupal_get_form',
@@ -774,7 +768,7 @@ function openid_authentication($response) {
     }
     else {
       module_invoke_all('openid_response', $response, $form_state['user']);
-      drupal_goto();
+      return new RedirectResponse('/');
     }
 
     $messages = drupal_get_messages('error');
@@ -796,13 +790,13 @@ function openid_authentication($response) {
     // registration page and prefill with the values we received.
     $destination = drupal_get_destination();
     unset($_GET['destination']);
-    drupal_goto('user/register', array('query' => $destination));
+    return new RedirectResponse('user/register', array('query' => $destination));
   }
   else {
     drupal_set_message(t('Only site administrators can create new user accounts.'), 'error');
     module_invoke_all('openid_response', $response, NULL);
   }
-  drupal_goto();
+  return new RedirectResponse('/');
 }
 
 function openid_association_request($public) {
diff --git a/core/modules/openid/openid.pages.inc b/core/modules/openid/openid.pages.inc
index df730af..90cea0b 100644
--- a/core/modules/openid/openid.pages.inc
+++ b/core/modules/openid/openid.pages.inc
@@ -6,24 +6,6 @@
  */
 
 /**
- * Menu callback; Process an OpenID authentication.
- */
-function openid_authentication_page() {
-  $result = openid_complete();
-  switch ($result['status']) {
-    case 'success':
-      return openid_authentication($result);
-    case 'failed':
-      drupal_set_message(t('OpenID login failed.'), 'error');
-      break;
-    case 'cancel':
-      drupal_set_message(t('OpenID login cancelled.'));
-      break;
-  }
-  drupal_goto();
-}
-
-/**
  * Menu callback; Manage OpenID identities for the specified user.
  */
 function openid_user_identities($account) {
diff --git a/core/modules/openid/openid.routing.yml b/core/modules/openid/openid.routing.yml
index a6a34e8..d7304fc 100644
--- a/core/modules/openid/openid.routing.yml
+++ b/core/modules/openid/openid.routing.yml
@@ -7,3 +7,10 @@ openid_user_delete_form:
     _form: 'Drupal\openid\Form\UserDeleteForm'
   requirements:
     _entity_access: 'account.update'
+
+openid_authenticate_page:
+  pattern: '/openid/authenticate'
+  defaults:
+    _content: '\Drupal\openid\Controller\OpenidController::authenticate'
+  requirements:
+    _user_is_anonymous: 'TRUE'
diff --git a/core/modules/user/lib/Drupal/user/Access/AnonymousUserAccessCheck.php b/core/modules/user/lib/Drupal/user/Access/AnonymousUserAccessCheck.php
new file mode 100644
index 0000000..ec14501
--- /dev/null
+++ b/core/modules/user/lib/Drupal/user/Access/AnonymousUserAccessCheck.php
@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\user\Access\AnonymousUserAccessCheck.
+ */
+
+namespace Drupal\user\Access;
+
+use Drupal\Core\Access\AccessCheckInterface;
+use Symfony\Component\Routing\Route;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Checks whether the user is anonymous.
+ */
+class AnonymousUserAccessCheck implements AccessCheckInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function applies(Route $route) {
+    return array_key_exists('_user_is_anonymous', $route->getRequirements());
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function access(Route $route, Request $request) {
+    return user_is_anonymous();
+  }
+
+}
diff --git a/core/modules/user/user.services.yml b/core/modules/user/user.services.yml
index 77f93e2..a74c590 100644
--- a/core/modules/user/user.services.yml
+++ b/core/modules/user/user.services.yml
@@ -3,6 +3,10 @@ services:
     class: Drupal\user\Access\PermissionAccessCheck
     tags:
       - { name: access_check }
+  access_check.user.anonymous:
+    class: Drupal\user\Access\AnonymousUserAccessCheck
+    tags:
+      - { name: access_check }
   access_check.user.register:
     class: Drupal\user\Access\RegisterAccessCheck
     tags: