23rd February 2007

OpenID, an open source passport system? Not quite, it’s more!

Some weeks ago I read an article on a weblog about OpenID, a new ‘open source’ and decentralised identification method, or protocol, as you might also call it. I became enthusiastic almost the second I read about it, and I hope I’ll be able to convince you of its fantastic features as well, for one simple reason: the more users, the more websites that will use it, and the more websites, the more users that will start to use it. It’s a virtuous circle.

What is OpenID?

I could write a long story here, but it would be somewhat wasted time as the contributors of OpenID.net have written a perfect little intro already, which I’ll be quoting below:

OpenID is an open, decentralized, free framework for user-centric digital identity.

More good news is the fact that OpenID is a ‘free’ project: nobody holds the rights to it and all code is released under the most liberal license available. In addition to that, nobody is making money on it, unless they provide additional services, that is. It’s just benefiting the community, which is good news for everyone!

How does it work?

To quote OpenID.net once again:

OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do – with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.

The first piece of the OpenID framework is authentication — how you prove ownership of a URI. Today, websites require usernames and passwords to login, which means that many people use the same password everywhere. With OpenID Authentication (see specs), your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider).

To login to an OpenID-enabled website (even one you’ve never been to before), just type your OpenID URI. The website will then redirect you to your OpenID Provider to login using whatever credentials it requires. Once authenticated, your OpenID provider will send you back to the website with the necessary credentials to log you in. By using Strong Authentication where needed, the OpenID Framework can be used for all types of transactions, both extending the use of pure single-sign-on as well as the sensitivity of data shared.

A slightly more detailed explanation in human terms: OpenID uses the idea that basically everyone with a connection to the internet either has a website or is able to sign up for one, which makes it the perfect way to identify yourself. Using OpenID means you’ve only got to remember one username and one password: the ones of your OpenID account. Using these two pieces of data you will be able to sign in on any website supporting OpenID, whether you’ve visited it earlier or not.

I personally really like this feature; I’m one of the people on the web that do know it’s unsafe to use the same password everywhere, so I pick a lot of different passwords on different websites. However, that comes with a high price; I think it happens at least once a week that I’ve forgotten the password I’ve used on a website, which forces me to wait for a ‘lost password’ email again – really annoying. OpenID promises to change all of this, as long as enough websites will start to support it.

So how can I start using it?

There are two answers to this question; the simple and the difficult version. To keep everything organized I’ll first start with the ‘easy’ answer and use the more difficult one in the next part.

On the web you can find various providers of OpenID accounts; there actually is a Wiki page full of them. These providers differ tiny bits from each other: some offer a bit of extra functionality or a nicer user interface, or try to make money by putting up loads of advertisements. The majority however is just ‘plain’ and simple.

I’m currently using ‘MyOpenID’ myself, simply because it’s the first one that came up on the list and it seems to be pretty trustworthy with their encrypted connection and certificate. It’s all up to you which one you pick though.

So suppose you’ve picked MyOpenID. The first thing you should do is go to their homepage and hit ‘sign up’; you’ve got to follow a couple of steps, just like on every regular registration website. After you’ve finished and activated your account, you’re almost good to go. As a last step you’ve only got to create one or more ‘identities’, often named ‘personas’. It’s smart to create multiple ones: one to use with websites you’re not sure whether to trust, which do not need to know your ‘real’ last name and such, and one with more detailed information, allowing you to sign in on websites that are trusted and require more information.

If you’d like to try your account out, feel free to post a comment to this blog using your OpenID to ‘sign in’. All you’ve got to do is enter ‘yourname.your-openid-provider.com’ (e.g. ‘leftblank.myopenid.com’), enter the comment like you’d do normally and allow the website you’re logging into, in this case ‘leftblank.nl’, to gather the bits of information, such as your name, from ‘your-openid-provider.com’. After you’ve done this your comment should show up and you’re done, without entering a single password!

But what happens when ‘myopenid-provider.com’ goes offline, or I don’t trust it anymore?

You could simply cancel your account at your current OpenID provider and open a new one with the same information, or different for that matter, and use it as if you were still on the old one. Most websites will treat those as equals or allow you to enter a different URI instead of your current one, others might not, in which case you’d have to accept losing your history on that particular website.

There is a nice way to get around this though; simply use your own website or domain to login! That almost sounds too good to be true, doesn’t it? Well, it’s really possible! Part of the way OpenID handles identities is the option to redirect one URI to another, allowing requests for your own domain to be passed on to any other domain you’d like.

To do so you’ve only got to include three lines of code in your HTML header which will tell the OpenID websites what ‘real’ provider to contact. These lines differ per provider, but most providers actually show them on one of their ‘Help’ or ‘Profile’ pages, which will make it a lot easier. In case you’re using MyOpenID.com or a compatible service you’ve only got to alter these lines slightly; if it doesn’t work you should check your provider’s website.

Put the following code before the closing </head> tag in your template or code:

<link href="http://www.myopenidprovider.com/server" rel="openid.server" />
<link href="http://myusername.myopenidprovider.com/" rel="openid.delegate" />
<meta http-equiv="X-XRDS-Location" content="http://myusername.myopenidprovider.com/xrds" />
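
An added example (not from the original post or the OpenID project): a Python check that reads a delegating page roughly the way a relying site's HTML discovery does, looking only inside <head>, and reports missing tags or endpoints not served over https. Whoever can change this page, or the unencrypted responses carrying it, decides which provider vouches for your identity. The function name and the sample page are constructed for illustration, and the https check is a hardening assumption rather than something the tags above require.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the three tags from this post inside a minimal page.
SAMPLE = """<html><head><title>My site</title>
<link href="http://www.myopenidprovider.com/server" rel="openid.server" />
<link href="http://myusername.myopenidprovider.com/" rel="openid.delegate" />
<meta http-equiv="X-XRDS-Location" content="http://myusername.myopenidprovider.com/xrds" />
</head><body>Hello</body></html>"""


class DelegationParser(HTMLParser):
    """Collects OpenID discovery tags, honouring only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "head":
            self.in_head = True
        elif self.in_head and tag == "link":
            for rel in a.get("rel", "").lower().split():  # rel may list several values
                if rel in ("openid.server", "openid.delegate"):
                    self.found.setdefault(rel, a.get("href", ""))
        elif self.in_head and tag == "meta":
            if a.get("http-equiv", "").lower() == "x-xrds-location":
                self.found.setdefault("x-xrds-location", a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def check_delegation(html):
    """Return (tags found, warnings) for a delegating page."""
    parser = DelegationParser()
    parser.feed(html)
    warnings = [f"missing {rel} inside <head>"
                for rel in ("openid.server", "openid.delegate")
                if rel not in parser.found]
    for name, url in parser.found.items():
        if urlparse(url).scheme != "https":  # hardening check, assumed here
            warnings.append(f"{name} is not served over https: {url}")
    return parser.found, warnings


if __name__ == "__main__":
    for line in check_delegation(SAMPLE)[1]:
        print("WARNING:", line)
```

Run against the tags exactly as shown above, it reports three plain-http endpoints; tags placed in the page body are reported as missing.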

It wouldn’t be open source if there wasn’t another solution, and there is! If you’re really tech savvy, or paranoid about security, which isn’t always bad, you can also check the ‘Run your own identity server’ page on the OpenID wiki, which contains a list of the biggest packages of software you can use to run your own OpenID server, allowing you to maintain complete power over it. I might do this some day as well; it’s always nice to know your data and identity are secure, and it definitely won’t hurt in any way.

Where can I use it?

There are a couple of ‘big names’ involved right now, which I’ll list below (source; Wikipedia).

  • Livejournal.com provides an identifier to every user with a journal. Many other LiveJournal-based sites also provide identity services, including Deadjournal, GreatestJournal, InsaneJournal, Livejourbal, LJ.Rossia, SviestaCiba and SAPO
  • Xpoint.ru allows registered forum users to log in at any OpenID capable service with their profile URL
  • Journals.jevon.org provides a beta OpenID server, as well as journals which automatically come with an OpenID identifier
  • Wikitravel provides an identifier to each registered user
  • MyOpenLink Data Spaces (ODS) a new generation Data Space service that delivers OpenID support as part of its Semantic Web Presence creation functionality
  • Amateur Writerz – OpenID provided with account sign up (also supported for new users, thus not requiring account sign up)
  • Vox.com provides an identifier to every user of their service
  • Technorati enables members to log in to any OpenID-capable service with their profile URLs
  • AOL.com provides an identifier to AOL and AIM accounts. Experimental currently; see [1]

However, there also is an increasing number of weblogs and smaller websites that support OpenID, simply because it’s nice and it’s easy. You’re currently on one of them. In case you’d like to find more and look at the ways they’ve implemented it, you should take a look at the OpenID Directory at MyOpenID.com. You can request your website to be added there as well, but currently it seems like only big names are added to the list; perhaps this’ll change later.

The end

By now I think I’ve explained most of the essentials of OpenID, in case you’re interested in more information you can follow the links I’ve supplied throughout this article for more detailed information. Until then, please support OpenID, help to make the web an easier and more secure place!

Also, links to this article as well as comments will be highly appreciated; this weblog could use some more exposure – perhaps I’ll feature one of your articles as well if I find them interesting, thanks for reading.


There are currently 8 responses to “OpenID, an open source passport system? Not quite, it’s more!”


  1. On February 23rd, 2007, PlugIM.com said:

    OpenID, an open source passport system? Not quite, it’s more!…

    Perhaps you’ve already heard of the new open and decentralized authentication system named ‘OpenID’, perhaps you didn’t. Either way, this post explains the ‘ins and outs’ of it, hoping for you to like it and embed it in your own business, website…

  2. On February 24th, 2007, Add OpenID to your Wordpress blog! | Left Blank said:

    [...] I wrote earlier today, OpenID is a nice new decentralized way of authentication for normal users on the web. Using it you [...]

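  3. On February 24th, 2007, OpenID Viewpoint | OpenID Planet said:

    [...] OpenID, an open source passport system? Not quite, it’s more! Is OpenID merely an open source identity system? Those familiar with it know the answer, but those who are not may have some doubts. For example, can I still use OpenID if my OpenID provider’s website shuts down? … and so on. Perhaps this article’s introduction, covering what OpenID is, how to get one and how to use it, among other aspects, can help you better understand OpenID, this open identity authentication system: not just open source, but more…… [...]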

  4. On March 1st, 2007, alpesh said:

    Well written.

    I have implemented this as well and lets see if it accepts my blog login here.

    Cheers!
    Alpesh
    http://alpesh.nakars.com/blog/about

  5. On March 1st, 2007, alpesh said:

    Now what happened to my comment?

    -Original Message-

    Yes, I use this as well. Its good to have such a system. Matter of time, before blogs start using this. For that matter even website.

    You wrote very well.

    Cheers!
    Alpesh

  6. On March 1st, 2007, Leftblank said:

    Thanks for your comments alpesh, your other comment was pushed into the approval queue because of the link you put in it, spam prevention ;)

  7. On March 7th, 2007, Wordpress.com supports OpenID! | Left Blank said:

    [...] is you might want to read a couple of the posts I’ve dedicated to it in the past, such as an explanation of the service, or the guide on how to include it with your regular Wordpress blog. Alternatively also you could [...]

  8. On May 18th, 2010, interior design living room said:

    Good topic for making an effective dissertation. . . . . .