Is OpenID the answer to single sign-on?
October 28th, 2007
OpenID is often compared to Microsoft’s Passport and normally it’s said to be better because “it’s not controlled by any one big corporation”. You may have heard or read about OpenID, but chances are that you 1) aren’t using it or 2) have not really looked into it and 3) even if you have, you still don’t understand it. As with many open source projects, documentation is scattered, complicated and mostly technical. Over the last few weeks I have tried to make some sense of OpenID and here is my take on it.
What is OpenID?
It’s a way to identify and authenticate yourself using a trusted Web site of your choice. The “trusted Web site of your choice” has to be an OpenID provider. To register with a Web site that supports OpenID, all you need to do is provide them with the URL of your OpenID provider and then log in at your OpenID provider’s Web site. So basically the login happens at your OpenID provider instead of at the site you’re trying to register with.
OpenID is a way to authenticate yourself to various places (websites) by verifying your identity as the owner of a particular URL (say, a website of your own). Instead of giving a username and password to a login form, you just give it your URL.
The nice thing about OpenID is that you can use your own Web site as your OpenID. That does not mean that you need to set up anything special on your Web site. With a couple of lines of HTML code on your Web site you can delegate OpenID authority to another site. That way you can transparently use a trusted OpenID provider of your choice to do the hard work, while keeping your own domain name as your OpenID.
How do you use your Web site as your OpenID?
It’s a two-step process.
1) Choose an OpenID provider.
There are many OpenID providers to choose from and chances are that you already have an OpenID. Sites like Technorati, wordpress.com, etc. provide OpenIDs, but like most I didn’t trust other sites and wanted to do it on my own so I tried phpMyID. I was quite pleased with my accomplishment, but then I started reading and learning about OpenID security issues and decided that it’s best to use a site dedicated to the purpose like myOpenID. You will find statements like “OpenID: it’s about *identity* and not *trust*”, which definitely doesn’t build trust! So it’s a good reason to choose a trustworthy OpenID provider like myOpenID or VeriSign’s Personal Identity Provider.
2) Configure your site to point to your OpenID provider.
Once you’ve registered with an OpenID provider, you can use the OpenID URL that they provide as your OpenID. But it’s much nicer to use your own Web site as your identity (heck, it should be much better!). OpenID allows you to use your own Web site as your OpenID and delegate authentication to another site. For example, my OpenID is, of course, http://www.davinciplanet.com. My OpenID provider, for now, is myOpenID and to do that all I need is to include the following lines of HTML in my site:
<link rel="openid.server" href="http://www.myopenid.com/server"/>
<link rel="openid.delegate" href="http://davinciplanet.myopenid.com/" />
<meta http-equiv="X-XRDS-Location"
content="http://www.myopenid.com/xrds?username=davinciplanet.myopenid.com"
/>
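As an added example (not code from the original post): a small Python check that reads the delegation tags above the way a consumer site's discovery step would, and compares them with the values you expect to be publishing, since whoever can change those tags decides which provider vouches for your URL. `DelegationParser`, `audit_delegation` and the `expected` dictionary are names made up for this sketch; the sample HTML is constructed from the lines in the post, and the https check is an extra the post does not discuss.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the delegation markup shown in the post.
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server"/>
<link rel="openid.delegate" href="http://davinciplanet.myopenid.com/" />
<meta http-equiv="X-XRDS-Location"
content="http://www.myopenid.com/xrds?username=davinciplanet.myopenid.com"
/>
</head><body></body></html>"""


class DelegationParser(HTMLParser):
    """Collects OpenID delegation hints from <link> and <meta> tags."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link":
            # rel may hold several space-separated tokens
            for rel in a.get("rel", "").lower().split():
                if rel in ("openid.server", "openid.delegate"):
                    self.found[rel] = a.get("href", "")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.found["x-xrds-location"] = a.get("content", "")


def audit_delegation(html, expected):
    """Return (found, problems): compare published tags with pinned values."""
    p = DelegationParser()
    p.feed(html)
    problems = []
    for key, want in expected.items():
        got = p.found.get(key)
        if got is None:
            problems.append(f"{key}: missing")
        elif got != want:
            problems.append(f"{key}: expected {want!r}, found {got!r}")
    # Added check (assumption of this sketch): note endpoints not using https.
    for key, url in p.found.items():
        if urlsplit(url).scheme != "https":
            problems.append(f"{key}: not served over https ({url})")
    return p.found, problems
```

Call `audit_delegation(page_html, expected)` with the HTML of your own home page and a dictionary of the `openid.server` and `openid.delegate` values you set up; an empty `problems` list means the page still publishes what you pinned.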
What does OpenID give me?
On some sites like jyte you can enter your OpenID URL instead of registering to “make a claim”. Many blogs now accept OpenID which means that you don’t need to register to comment.
What doesn’t OpenID give me?
Single sign-on. It’s a great idea with great potential and being open source it is a perfect fit to be an open source/Web 2.0 hit. But, it’s in the adoption phase and very few people understand it. And very few sites support it.

November 1st, 2007 at 10:15 pm
Lifehacker has a similar point of view: Lifehacker. I don’t trust it for bank accounts and the like, but it’s good for blog commenting.