OpenID
Posted by Graham Stratton Mon, 02 Oct 2006 13:55:00 GMT
As mentioned in the Wikipedia entry on OpenID, OpenID was created by one of the LiveJournal developers.
The idea of OpenID is that users will be able to identify themselves by a single identifier, such as a URL. They can choose a single server to be responsible for their OpenID validation, instead of having to have many usernames and passwords stored on many computers around the planet.
User’s view
To use OpenID validation, one must first create an OpenID identity on a validation server. There are already a number of companies offering this service, for example MyOpenID.
Then, to use a website which supports OpenID, all users need to do is enter their identity (say a URL). After that, two things may need to happen. One is that they may need to log in to their OpenID server, if they have not done so during their current browser session. The other is that they may need to tell their OpenID server that this is a site they trust with their identity. If either applies, users find themselves redirected to their OpenID server for that step, after which they are redirected back to the site they came from. If users are already logged in and have previously given their OpenID server permission to assert their identity to the site, they do not see any login happening, and they can continue using the site.
Behind the scenes
So what’s actually going on to make all this work?
Well, I read a few summaries and eventually tried the OpenID 1.1 specification, which is actually about the clearest description out there. Nevertheless, I’ll have a go at describing it.
When a user wants to log in to targetsite.com, they fill in a form including their OpenID, say firstname.surname.myopenid.com. Targetsite.com then fetches this URL. The page returned will contain a link showing where their OpenID server is, like this:
<link rel="openid.server" href="https://www.myopenid.com/server" />
So: your identity page does not need to be hosted by your OpenID server. Provided you put the above line in it, you can use your homepage URL, myhomepage.com, as your OpenID, as long as you have found an identity provider (IdP) who will assert your control of the identifier myhomepage.com. But what if your identity provider will only assert your ownership of a URL on their site, say firstname.surname.myopenid.com?
In this case, you can delegate the identifier to a different identifier, so your homepage should contain:
<link rel="openid.server" href="https://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://firstname.surname.myopenid.com/" />
Then, to validate your ownership of your homepage, targetsite.com will ask myopenid.com/server whether you own firstname.surname.myopenid.com. (OpenID 2.0 is different; see Using your own URL as an OpenID.)
Returning to the plot, targetsite.com will redirect the user agent (i.e. the browser) to the IdP's server URL in checkid_immediate mode. Because it is the user's own browser that makes this request, the IdP can read its own cookies or other credentials to check whether the current browser session is already logged in.
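The two steps just described, discovery of the openid.server and openid.delegate links from the identity page and construction of the checkid_immediate redirect, as an added example of what targetsite.com (the relying party) does. This is illustrative code written for this page, not code from the post, from myopenid.com or from any OpenID library; the homepage HTML is a constructed sample, and the return_to and trust_root values for targetsite.com are assumptions.

```python
import html.parser
import urllib.parse

# Constructed sample of the page targetsite.com would get back when it
# fetches the user's homepage. Not a real page; it mirrors the two link
# tags shown in the text above.
SAMPLE_HOMEPAGE_HTML = """
<html><head>
  <title>My homepage</title>
  <link rel="openid.server" href="https://www.myopenid.com/server" />
  <link rel="openid.delegate" href="http://firstname.surname.myopenid.com/" />
</head><body>Hello</body></html>
"""


def normalize_identifier(user_input):
    """Turn what the user typed into the URL the relying party will fetch.

    OpenID 1.1: prepend http:// when no scheme is given, drop any fragment,
    and use "/" when the path is empty. Only http(s) is accepted so the
    relying party never fetches some other kind of URL on the user's behalf.
    """
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urllib.parse.urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("OpenID identifier must be an http(s) URL")
    path = parts.path or "/"
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


class _OpenIDLinkParser(html.parser.HTMLParser):
    """Collects the first openid.server / openid.delegate <link> tags."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        # rel may carry several whitespace-separated values.
        for rel in (a.get("rel") or "").lower().split():
            if rel in ("openid.server", "openid.delegate"):
                self.links.setdefault(rel, href)  # first occurrence wins


def discover(identity_page_html):
    """Return (server_url, delegate_or_None) found in the identity page."""
    p = _OpenIDLinkParser()
    p.feed(identity_page_html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("identity page has no openid.server link")
    return server, p.links.get("openid.delegate")


def build_checkid_redirect(server_url, claimed_id, delegate, return_to, trust_root,
                           immediate=True):
    """Build the URL the relying party redirects the browser to.

    openid.identity is the delegate when the page has one, otherwise the
    claimed identifier itself; the IdP is asked about that identifier.
    openid.trust_root is the OpenID 1.1 name (2.0 calls it openid.realm).
    """
    params = {
        "openid.mode": "checkid_immediate" if immediate else "checkid_setup",
        "openid.identity": delegate or claimed_id,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if urllib.parse.urlsplit(server_url).query else "?"
    return server_url + sep + urllib.parse.urlencode(params)


def relying_party_flow(user_input, identity_page_html):
    """Everything targetsite.com does before the redirect, for one login.

    The HTML is passed in rather than fetched so the example runs offline;
    a real relying party would fetch normalize_identifier(user_input).
    """
    claimed_id = normalize_identifier(user_input)
    server, delegate = discover(identity_page_html)
    # Assumed targetsite.com values; not from the original post.
    return build_checkid_redirect(server, claimed_id, delegate,
                                  return_to="https://targetsite.com/openid/return",
                                  trust_root="https://targetsite.com/")


if __name__ == "__main__":
    print(relying_party_flow("myhomepage.com", SAMPLE_HOMEPAGE_HTML))
```

The redirect carries only the identifier and where to come back to; the IdP never sees the user's targetsite.com session and targetsite.com never sees the user's myopenid.com password, which is the whole point of bouncing through the browser.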
