A Beginner’s Guide to OpenID
September 2, 2007 in OpenID by Carsten Pötter
In recent months OpenID has received some really good coverage and has been awarded, and with OpenID 2.0 in its final stages of development, coverage will certainly continue to increase.
However, not everyone is embracing OpenID. Some people have problems understanding it or finding an OpenID provider. And quite frankly, they are not to blame. I have also covered OpenID regularly, but looking back at the articles I probably failed to give you an idea of the basics. So I will try to offer a simple guide to setting up an OpenID and eventually using it for your own benefit.
What is OpenID?
However, before starting to use OpenID, I had better provide a short explanation of what it is about. OpenID is a system which lets you log in to all websites (applications, blogs, wikis, …) that support it. You don’t have to think about a new user name and password each time you decide to use a new service. And yes, remembering all those passwords can be difficult as well because you really don’t want to use the same password for all the websites you are registered with.
Systems which let you log in to various applications and services with just one user name and password are called Single Sign-On systems. You probably know some already. Google has its own system (Google Account Authentication), and Yahoo has one as well (BBAuth). Both systems allow you to sign in to most Google and Yahoo services and properties (del.icio.us, for example, is an exception), but you are limited to the services of the respective company. OpenID is not limited to just one company. It is decentralised – everyone can provide an identity service based on OpenID – and open. Also, the developers of OpenID won’t charge you fees if you want to use it.
An OpenID is fairly easy to remember; it is just a URI: http://example.com can be one and http://notsorelevant.com is actually one; I’ll explain that later. So all you have to remember is a URI and the password to log in to your provider.
Identity Providers
Identity Provider (IdP) or OpenID Provider (OP): Before using an OpenID you have to register with an Identity Provider. The provider’s job is to authenticate you to the website you want to use and offer you a URI, your OpenID, of course.
But first you have to find an IdP in order to get an OpenID. Where do you find one? Well, the good thing is you probably already have an OpenID. There are some services that have transformed their user profiles into OpenIDs. Here is a list of some well-known ones including the respective URIs:
- AOL/AIM: openid.aol.com/username
- WordPress.com: username.wordpress.com
- LiveJournal: username.livejournal.com/
- Vox: username.vox.com/
- Technorati: technorati.com/profile/username
- Typekey: profile.typekey.com/username/
- Ziki: my.ziki.com/username
So if you are registered with any of the mentioned services you can use those profile URIs and easily log in to every OpenID-enabled website. Cool, isn’t it?
There are also some more specialised IdPs. There are quite a lot and I certainly don’t know all of them, so I list just some good and respected services. For a comprehensive list of providers have a look at the OpenID.net wiki. That is especially recommended if you are looking for a provider from your own country and/or one that is run in a language you understand better than English.
- myOpenID.com
- claimID
- VeriSign PIP
- Xlogon
- Sxipper
- idproxy.net -> use your Yahoo account as an OpenID
- MyLID.net
- certifi.ca
- Vidoop
Those providers offer different ways of authentication, security options (anti-phishing,…), and additional services. So your decision is probably dependent on your own preferences. Also keep in mind that you are not limited to just one provider. Similarly to email you can use multiple providers for different purposes (private, business,…).
Relying Parties
Relying Party (RP) or Consumer: The Relying Party is the OpenID enabled website you want to use.
You have an OpenID now but where can you use it? Good question. By now several thousand websites are OpenID enabled, from small personal blogs to sites of some big companies. Some interesting ones are:
The OpenID Directory lists many more websites and is highly recommended; myOpenID also features a long list of affiliated sites.
How Does It Work?
You have an OpenID and know where to use it now. So here are some screenshots on how it actually works. I use myOpenID as a provider and Moneygement as a relying party.
On the right side of the Moneygement homepage is a sign in box. I just have to type in my OpenID there. http:// can be omitted. That’s cool because it would be very inconvenient if users had to type that in as well. You don’t type http:// in the browser anymore, do you? Now Moneygement is forwarding me to my provider (=myOpenID.com).

myOpenID.com has some security features to prevent phishing. I have to go to its homepage or use a bookmarklet to log in. I have decided to use the bookmarklet and after clicking it I have to sign in to myOpenID. If cookies are enabled I have to do this just once.

Now I have to confirm my OpenID to Moneygement; I can allow confirmation to Moneygement forever, allow it just once, or deny it. Also note that Moneygement has asked for additional information about myself. myOpenID can provide the desired information and auto-fill the appropriate fields at Moneygement. This nifty feature of OpenID is called Simple Registration Extension (SREG).

By clicking any of the allow buttons I will be forwarded back to Moneygement.
I am logged in now but still have to verify my email address, which has been transmitted by SREG from myOpenID. This is optional and up to the RP to decide. Usually RPs use it to verify that you are a human being and not some spam bot; captchas are also used for the same purpose rather often.
Now you know the basics of logging in with an OpenID.
Delegation
If you have control over a website, i.e. you can edit the HTML of the site, you might consider delegation. Delegation means that you can use the URI of your website or blog as an OpenID without becoming an IdP yourself. All you have to do is add some HTML to the head section of your site.
I use this blog’s URI (http://notsorelevant.com) as an OpenID and delegate to myOpenID but it works with every other IdP as well. The additional HTML of the header looks like this:
<link rel="openid.server" href="http://www.openidserver.com/server" />
<link rel="openid.delegate" href="https://username.openidserver.com/" />
Of course, openidserver.com stands for the URI of your IdP. The first line tells the RP which IdP you use and the second one which account you have there. The benefits of delegation are obvious: you can switch IdPs whenever you want without losing any data at RPs. Your OpenID remains the same, e.g. your blog URI. If you didn’t use delegation you would create a new account at RPs each time you signed in with a new OpenID. Some RPs let you associate multiple OpenIDs with one account, though.
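To make the mechanics concrete, here is an added example (not code from this blog or from any OpenID library) of what an RP does with those two tags: it adds the omitted http:// to the identifier from the login box, reads the link elements from the head of that page, and keeps your own URI as the identity while sending you to the IdP. The function names, the HTTPS flag and the sample page are assumptions of the example; it also shows why the page itself matters, since whoever can edit those tags decides which IdP vouches for your URI.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _HeadLinks(HTMLParser):
    """Collect openid.* <link> hrefs, but only while inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = {k: (v or "") for k, v in attrs}
            for rel in a.get("rel", "").lower().split():  # rel may hold several tokens
                if rel in ("openid.server", "openid.delegate") and a.get("href"):
                    self.found.setdefault(rel, a["href"].strip())  # first one wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False  # link tags after the head (e.g. in body content) are ignored

def normalize(user_input):
    """The login box accepts the identifier without a scheme; add http:// if missing."""
    s = user_input.strip()
    return s if urlsplit(s).scheme in ("http", "https") else "http://" + s

def discover(claimed_id, html):
    """Return what an RP learns from the page behind claimed_id, or None."""
    p = _HeadLinks()
    p.feed(html)
    server = p.found.get("openid.server")
    if server is None:
        return None  # the page does not point at any provider
    return {
        "claimed_id": claimed_id,                                # identity the RP stores
        "server": server,                                        # where the user is sent
        "local_id": p.found.get("openid.delegate", claimed_id),  # account at the IdP
        "server_is_https": urlsplit(server).scheme == "https",   # added hardening check
    }

# Constructed sample page: the article's two tags, plus a stray tag in the body.
SAMPLE = """<html><head><title>blog</title>
<link rel="openid.server" href="http://www.openidserver.com/server" />
<link rel="openid.delegate" href="https://username.openidserver.com/" />
</head><body><link rel="openid.server" href="http://elsewhere.invalid/"></body></html>"""
```

Calling discover(normalize("notsorelevant.com"), SAMPLE) keeps http://notsorelevant.com as the identity and reports that the server endpoint in the article's snippet is plain HTTP.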
Running Your own OpenID Server
If you are feeling really geeky now, you can try to run your own OpenID server. I wrote a blog post about it back in May, so check it out. Keep in mind that you then have to take care of security questions yourself. That is too much hassle for me, so I rely on established providers.
Obstacles
Usually logging in to OpenID-enabled sites is very easy and straightforward. Sometimes, though, you might encounter some problems.
- On new sites go to sign in or log in, not sign up, register or whatever. You have the credentials to sign in already: your OpenID.
- Sometimes you have to look a little bit closer to discover the OpenID login box. Some sites hide it behind another link on the login screen because user names/passwords are still the dominant method of login there.
- You can only use an OpenID if you have signed in with a user name/password combination first. Usually this happens when a service hasn’t adopted OpenID right from the start. You have to associate your existing account with an OpenID first. Later you can sign in with your OpenID.
- Not every IdP is also an RP; e.g. at the moment you can’t create a WordPress.com account with an OpenID other than a WordPress.com one.
- Some services (e.g. AOL) are whitelisting IdPs, i.e. they don’t accept OpenIDs from every IdP.
Though those are just some minor obstacles and the more you use OpenID the more you will be comfortable with it. Remember it’s just a URI.
