At the Forge - OpenID

 in
An introduction to OpenID, an open-source, distributed, single sign-on solution for Internet applications.
Creating and Using an OpenID

With all the background information out of the way, let's create and use an OpenID. An OpenID is nothing more than a URL, typically written as http://USERNAME.PROVIDER.com. For example, my OpenID is http://reuvenmlerner.myopenid.com.

Notice that I can share this URL publicly; there is no reason for me to keep it secret. MyOpenID.com is just one of several OpenID providers. Indeed, many people already have an OpenID, even if they don't realize it. For example, if you have a blog at LiveJournal, that URL can be used as your OpenID.

To sign up for an OpenID, simply go to the home page of your provider. For example, go to the MyOpenID.com home page and click on “sign up for an OpenID”. That takes you to https://www.myopenid.com/signup, which asks you to enter a user name (it must be unique) and a password. You also can provide an e-mail address, which is optional, but doing so allows you to recover your password if you ever forget it. Finally, MyOpenID.com uses a captcha to ensure that a person, rather than a program, is signing up for the account.

Once you have signed up for an OpenID, you can use it to log in to a Web site that supports it. Typically, logging in to a Web site requires that you enter both a user name and password. But, if you use OpenID, you enter in neither of these to the Web application's login screen. Instead, you enter only the URL of your OpenID, including the http prefix that we so often ignore nowadays.

For example, I can go to www.wikihow.com, a site that lets anyone create a how-to manual. I click on “create an account or log in” at the top of the page, which brings me to a login screen. The resulting screen tells me I can log in using OpenID, if I want, by going to www.wikihow.com/Special:OpenIDLogin. (In other words, wikiHow has two separate login pages: one for regular users with a user name/password combination and another for OpenID users, who enter only their OpenID URL.) Finally, I enter http://reuvenmlerner.myopenid.com into the text field.

Because I had logged in to OpenID earlier, I wasn't asked to provide my password. However, this is the first time I've tried to log in to wikiHow with OpenID. Thus, MyOpenID.com must verify that I am willing to share information with wikiHow. I click on the allow forever button, which means whenever I'm logged in to MyOpenID.com, it should share information with wikiHow. After clicking this button, I am redirected back to www.wikihow.com, where I am logged in and identified by my first name.

Switching Providers

This system works quite well in my experience, and you quickly become used to the back and forth authentication process. However, major problems remain. What happens if MyOpenID.com goes out of business? What if its database is compromised? What if it turns out to be highly unethical and is using people's IDs? What if I find a provider whose Web site is more attractive to me?

I always can switch to a different provider, of course. But, that effectively means having a new and different user name on a site. On a social-networking site, this obviously would be disastrous, as I would need to reconnect from my new account to each of the people in my old account.

The solution to this is quite clever. Instead of giving people the OpenID I mentioned above, I instead give them an OpenID on a Web site that I control, whose URL is unlikely ever to change. For example, I can give an OpenID of http://reuven.lerner.co.il.

I know that the lerner.co.il domain will remain mine forever. Thus, I can be reasonably sure that this URL also will be in my possession for a long time. Moreover, I control the contents of the home page. That page may contain any HTML content I want. But, it also should contain the following two <link> tags in the <head> section:


<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://reuvenmlerner.myopenid.com/" />

We already saw how I can log in to wikiHow by giving my OpenID at MyOpenID.com. But, with the above lines in place, I also can log in to wikiHow by entering http://reuven.lerner.co.il.

This tells wikiHow to retrieve the home page from my personal Web site. It uses the first <link> tag to know which server to use and the second <link> tag to know which user name and ID to authenticate. Everything then continues as usual. I authenticate myself as necessary against MyOpenID.com, which then redirects me back to wikiHow.

The beauty of this redirection system is that if I decide against using MyOpenID for any reason in the future, I simply change the <link> tags in index.html. wikiHow and all other sites will follow whatever reuven.lerner.co.il points to, whether it's MyOpenID.com, Vidoop.com or something else. In this way, I ensure that my OpenID always is associated with the provider who offers me the best combination of security and usability for my purposes.

Unfortunately, things don't always go smoothly. For example, when I registered with wikiHow, it got my nickname (Reuven) from MyOpenID.com. When I try to log in with my new, redirected OpenID, wikiHow thinks it's dealing with a new user—one whose requested nickname clashes with that of an existing user. So, the key is to set up and use the redirecting URL early on, and not switch to it after you already have used OpenID for some time.

There are other problems as well. For example, I currently juggle two different sets of identities on-line, as some companies want to deal only with US citizens living in the United States. And, although I'm currently back home in Modi'in, Israel, I continue to have a US phone number (through Skype), a mailing address (at my parents' house), and a US bank account and credit card. So, I need two separate identities: one with my Israeli information and another with my US information.

Fortunately, OpenID 2.0 supports both the export of information to the consumer application and also the use of multiple personas. Each persona can have a separate name, nickname, image and location, and I can choose which persona is associated with each consumer, under the umbrella of the same OpenID.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Firefox!

Anonymous's picture

You make Firefox look like the best thing since sliced bread. Firefox is not as good as Opera and Safari these two browsers are closed so they are more secure. Try Opera on your Linux Box. I use Safari on all my Mac's I did try the OS X version of Firefox the UI and everything is ugly!

"Firefox is not as good as

Anonymous's picture

"Firefox is not as good as Opera and Safari these two browsers are closed so they are more secure."

Are you serious!? Obscurity is not security. Does obscurity work for IE?

Is it safe?

goblin's picture

Well... Is it?

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState