At the Forge - OpenID
With all the background information out of the way, let's create and use an OpenID. An OpenID is nothing more than a URL, typically written as http://USERNAME.PROVIDER.com. For example, my OpenID is http://reuvenmlerner.myopenid.com.
Notice that I can share this URL publicly; there is no reason for me to keep it secret. MyOpenID.com is just one of several OpenID providers. Indeed, many people already have an OpenID, even if they don't realize it. For example, if you have a blog at LiveJournal, that URL can be used as your OpenID.
To sign up for an OpenID, simply go to the home page of your provider. For example, go to the MyOpenID.com home page and click on “sign up for an OpenID”. That takes you to https://www.myopenid.com/signup, which asks you to enter a user name (it must be unique) and a password. You also can provide an e-mail address, which is optional, but doing so allows you to recover your password if you ever forget it. Finally, MyOpenID.com uses a captcha to ensure that a person, rather than a program, is signing up for the account.
Once you have signed up for an OpenID, you can use it to log in to a Web site that supports it. Typically, logging in to a Web site requires that you enter both a user name and password. But, if you use OpenID, you enter in neither of these to the Web application's login screen. Instead, you enter only the URL of your OpenID, including the http prefix that we so often ignore nowadays.
For example, I can go to www.wikihow.com, a site that lets anyone create a how-to manual. I click on “create an account or log in” at the top of the page, which brings me to a login screen. The resulting screen tells me I can log in using OpenID, if I want, by going to www.wikihow.com/Special:OpenIDLogin. (In other words, wikiHow has two separate login pages: one for regular users with a user name/password combination and another for OpenID users, who enter only their OpenID URL.) Finally, I enter http://reuvenmlerner.myopenid.com into the text field.
Because I had logged in to OpenID earlier, I wasn't asked to provide my password. However, this is the first time I've tried to log in to wikiHow with OpenID. Thus, MyOpenID.com must verify that I am willing to share information with wikiHow. I click on the allow forever button, which means whenever I'm logged in to MyOpenID.com, it should share information with wikiHow. After clicking this button, I am redirected back to www.wikihow.com, where I am logged in and identified by my first name.
This system works quite well in my experience, and you quickly become used to the back and forth authentication process. However, major problems remain. What happens if MyOpenID.com goes out of business? What if its database is compromised? What if it turns out to be highly unethical and is using people's IDs? What if I find a provider whose Web site is more attractive to me?
I always can switch to a different provider, of course. But, that effectively means having a new and different user name on a site. On a social-networking site, this obviously would be disastrous, as I would need to reconnect from my new account to each of the people in my old account.
The solution to this is quite clever. Instead of giving people the OpenID I mentioned above, I instead give them an OpenID on a Web site that I control, whose URL is unlikely ever to change. For example, I can give an OpenID of http://reuven.lerner.co.il.
I know that the lerner.co.il domain will remain mine forever. Thus, I can be reasonably sure that this URL also will be in my possession for a long time. Moreover, I control the contents of the home page. That page may contain any HTML content I want. But, it also should contain the following two <link> tags in the <head> section:
<link rel="openid.server" href="http://www.myopenid.com/server" /> <link rel="openid.delegate" href="http://reuvenmlerner.myopenid.com/" />
We already saw how I can log in to wikiHow by giving my OpenID at MyOpenID.com. But, with the above lines in place, I also can log in to wikiHow by entering http://reuven.lerner.co.il.
This tells wikiHow to retrieve the home page from my personal Web site. It uses the first <link> tag to know which server to use and the second <link> tag to know which user name and ID to authenticate. Everything then continues as usual. I authenticate myself as necessary against MyOpenID.com, which then redirects me back to wikiHow.
The beauty of this redirection system is that if I decide against using MyOpenID for any reason in the future, I simply change the <link> tags in index.html. wikiHow and all other sites will follow whatever reuven.lerner.co.il points to, whether it's MyOpenID.com, Vidoop.com or something else. In this way, I ensure that my OpenID always is associated with the provider who offers me the best combination of security and usability for my purposes.
Unfortunately, things don't always go smoothly. For example, when I registered with wikiHow, it got my nickname (Reuven) from MyOpenID.com. When I try to log in with my new, redirected OpenID, wikiHow thinks it's dealing with a new user—one whose requested nickname clashes with that of an existing user. So, the key is to set up and use the redirecting URL early on, and not switch to it after you already have used OpenID for some time.
There are other problems as well. For example, I currently juggle two different sets of identities on-line, as some companies want to deal only with US citizens living in the United States. And, although I'm currently back home in Modi'in, Israel, I continue to have a US phone number (through Skype), a mailing address (at my parents' house), and a US bank account and credit card. So, I need two separate identities: one with my Israeli information and another with my US information.
Fortunately, OpenID 2.0 supports both the export of information to the consumer application and also the use of multiple personas. Each persona can have a separate name, nickname, image and location, and I can choose which persona is associated with each consumer, under the umbrella of the same OpenID.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The Humble Hacker?
- The US Government and Open-Source Software
- BitTorrent Inc.'s Sync
- The Death of RoboVM
- Open-Source Project Secretly Funded by CIA
- ACI Worldwide's UP Retail Payments
- New Container Image Standard Promises More Portable Apps
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide