At the Forge - OpenID

With all the background information out of the way, let's create and use an OpenID. An OpenID is nothing more than a URL, typically written as http://USERNAME.PROVIDER.com. For example, my OpenID is http://reuvenmlerner.myopenid.com.

Notice that I can share this URL publicly; there is no reason for me to keep it secret. MyOpenID.com is just one of several OpenID providers. Indeed, many people already have an OpenID, even if they don't realize it. For example, if you have a blog at LiveJournal, that URL can be used as your OpenID.

To sign up for an OpenID, simply go to the home page of your provider. For example, go to the MyOpenID.com home page and click on “sign up for an OpenID”. That takes you to https://www.myopenid.com/signup, which asks you to enter a user name (it must be unique) and a password. You also can provide an e-mail address, which is optional, but doing so allows you to recover your password if you ever forget it. Finally, MyOpenID.com uses a captcha to ensure that a person, rather than a program, is signing up for the account.

Once you have signed up for an OpenID, you can use it to log in to a Web site that supports it. Typically, logging in to a Web site requires that you enter both a user name and password. But, if you use OpenID, you enter in neither of these to the Web application's login screen. Instead, you enter only the URL of your OpenID, including the http prefix that we so often ignore nowadays.

For example, I can go to www.wikihow.com, a site that lets anyone create a how-to manual. I click on “create an account or log in” at the top of the page, which brings me to a login screen. The resulting screen tells me I can log in using OpenID, if I want, by going to www.wikihow.com/Special:OpenIDLogin. (In other words, wikiHow has two separate login pages: one for regular users with a user name/password combination and another for OpenID users, who enter only their OpenID URL.) Finally, I enter http://reuvenmlerner.myopenid.com into the text field.

Because I had logged in to OpenID earlier, I wasn't asked to provide my password. However, this is the first time I've tried to log in to wikiHow with OpenID. Thus, MyOpenID.com must verify that I am willing to share information with wikiHow. I click on the allow forever button, which means whenever I'm logged in to MyOpenID.com, it should share information with wikiHow. After clicking this button, I am redirected back to www.wikihow.com, where I am logged in and identified by my first name.

This system works quite well in my experience, and you quickly become used to the back and forth authentication process. However, major problems remain. What happens if MyOpenID.com goes out of business? What if its database is compromised? What if it turns out to be highly unethical and is using people's IDs? What if I find a provider whose Web site is more attractive to me?

I always can switch to a different provider, of course. But, that effectively means having a new and different user name on a site. On a social-networking site, this obviously would be disastrous, as I would need to reconnect from my new account to each of the people in my old account.

The solution to this is quite clever. Instead of giving people the OpenID I mentioned above, I instead give them an OpenID on a Web site that I control, whose URL is unlikely ever to change. For example, I can give an OpenID of http://reuven.lerner.co.il.

I know that the lerner.co.il domain will remain mine forever. Thus, I can be reasonably sure that this URL also will be in my possession for a long time. Moreover, I control the contents of the home page. That page may contain any HTML content I want. But, it also should contain the following two <link> tags in the <head> section:

<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://reuvenmlerner.myopenid.com/" />

We already saw how I can log in to wikiHow by giving my OpenID at MyOpenID.com. But, with the above lines in place, I also can log in to wikiHow by entering http://reuven.lerner.co.il.

This tells wikiHow to retrieve the home page from my personal Web site. It uses the first <link> tag to know which server to use and the second <link> tag to know which user name and ID to authenticate. Everything then continues as usual. I authenticate myself as necessary against MyOpenID.com, which then redirects me back to wikiHow.

The beauty of this redirection system is that if I decide against using MyOpenID for any reason in the future, I simply change the <link> tags in index.html. wikiHow and all other sites will follow whatever reuven.lerner.co.il points to, whether it's MyOpenID.com, Vidoop.com or something else. In this way, I ensure that my OpenID always is associated with the provider who offers me the best combination of security and usability for my purposes.

Unfortunately, things don't always go smoothly. For example, when I registered with wikiHow, it got my nickname (Reuven) from MyOpenID.com. When I try to log in with my new, redirected OpenID, wikiHow thinks it's dealing with a new user—one whose requested nickname clashes with that of an existing user. So, the key is to set up and use the redirecting URL early on, and not switch to it after you already have used OpenID for some time.

There are other problems as well. For example, I currently juggle two different sets of identities on-line, as some companies want to deal only with US citizens living in the United States. And, although I'm currently back home in Modi'in, Israel, I continue to have a US phone number (through Skype), a mailing address (at my parents' house), and a US bank account and credit card. So, I need two separate identities: one with my Israeli information and another with my US information.

Fortunately, OpenID 2.0 supports both the export of information to the consumer application and also the use of multiple personas. Each persona can have a separate name, nickname, image and location, and I can choose which persona is associated with each consumer, under the umbrella of the same OpenID.