Getting into OpenID

// January 23rd, 2008 // Web

I spent last night doing some research that I believe to be worth sharing for those interested in the subject. In an effort to improve the flexibility of this blog, as the announcement above mentions (at least at the time this was written), I now support OpenID. OpenID is a neat new technology that serves as a universal login among sites that support it. Believe it or not, that is more and more places: AOL, LiveJournal, WordPress.com, and Technorati are all currently OpenID providers. That is to say, if you have an account with them, you already have an OpenID you can use elsewhere. It will help streamline things like leaving comments on my blogs, because you can log in without actually needing an account, so there is no need to fill in multiple fields over and over for anonymous comments.

So anyway, what’s this all about? Well, with us doing more and more online these days, it gets very cumbersome memorizing dozens of logins. With OpenID, a site you wish to log in to can quickly check your identity and grant you access, bypassing all the normal registration steps by retrieving a standard data set from your delegate. Yes, there is obviously a risk here. If someone got your OpenID account, they could get access to your sites. But it’s 100% portable, so if that happened, you could always switch to a new ID (this works especially well if your ID is your own URI (Uniform Resource Identifier), like www.yourname.com). Also, you can use it for non-sensitive things, like forums, where all you really want is a login and password to ask a question or such. In that case, if the ID got hijacked, no actual personal data is lost. The concept is a very neat one to say the least, and it’s gaining a lot of momentum too (the next version of Drupal is including it in its core, and there are add-ons for most popular CMS (Content Management System) packages, such as WordPress).

It’s certainly worth trying out. You can start an OpenID with lots of sites. I used MyOpenID.com, but there are others like ClaimID, myID.net, or VeriSign’s Personal Identity Provider. Their sole purpose is to manage an identity and provide a place to authenticate it. The ID is basically a URI, something in the form of yourname.myopenid.com. MyOpenID was good for me because I quickly found documentation on how to use it, and it allows you to set up multiple personas, so that when you log into a site the first time, you can essentially choose what and how much information to let them see. The best primer I found was over at Sam Ruby’s blog, where he goes into the basics of how to set up your OpenID, and also how to use your own URI as one. Absolutely worth reading. Let me repeat, absolutely worth reading. He’s laid out nearly everything you need to know in order to get started.

If you are running your own site, it’s easy to let them manage the login. For instance, sign up with MyOpenID. Then in the template for your site, add this code to the header:

  <link href="http://www.myopenid.com/server" rel="openid.server" />
  <link href="http://name.myopenid.com/" rel="openid.delegate" />
  <meta http-equiv="X-XRDS-Location"
        content="http://www.myopenid.com/xrds?username=name.myopenid.com" />

Just swap out “name” for your actual account name. That’s it. When you go to an OpenID-enabled site (like mine), you’ll punch in your site’s URI as your OpenID. The site you’re at will hit yours and look up the server and delegate, and you will be redirected to your provider’s login page. Pop in your password and it will send whatever data set you want to the original site for registration, and then pop you back over there. It sounds complex, but it is really very simple. If you’re at LiveJournal or something like that and don’t have your own actual hosted site, when you go to an OpenID-enabled site, you just type in your LiveJournal address, and it will authenticate you, with no extra steps necessary.

Even better, if you want to be a true master of your own domain, Sam goes on to describe how to create your own OpenID server and delegate for yourself using phpMyID. phpMyID is a single-user environment designed for individuals to use their own host to manage their ID. Basically it puts you in total control. If you choose to try it out (remember, OpenIDs are portable, so if you don’t like it, you can easily switch to one of the hosted solutions just by changing the server and delegate href in your header), Sam has some more updated instructions for it. The only problem I have is that you then lack some of the neat features other professional providers are offering, like the personas. It just comes down to how paranoid you want to be. But be prepared for hiccups when installing phpMyID. Particularly, make sure the openid.server and openid.delegate hrefs include their trailing slashes, otherwise you’ll get wacky errors with no feedback as to why (and I can’t recall the name of the function now… It had something to do with “naive_”….something or other).
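The lookup step described above, as an added example that is not code from this post, from Sam Ruby, or from phpMyID: a small Python parser that reads the same header tags a relying site would and reports problems before they surface as silent login failures. It assumes the trailing-slash caveat refers to hrefs that are a bare host name, it also flags plain-http endpoints, and the example.net hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

RELS = ("openid.server", "openid.delegate")  # rel values from the post's snippet

class HeadLinks(HTMLParser):
    """Collect openid.* <link> hrefs and the X-XRDS-Location <meta>."""
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "link":
            for rel in a.get("rel", "").lower().split():  # rel may list several tokens
                if rel in RELS:
                    self.found.setdefault(rel, a.get("href", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.found.setdefault("xrds", a.get("content", ""))

def discover(html):
    """Return the delegation URLs a relying party would read from the page."""
    parser = HeadLinks()
    parser.feed(html)
    return parser.found

def audit(html):
    """Return (found, problems) for a page's delegation header."""
    found, problems = discover(html), []
    for rel in RELS:
        url = found.get(rel)
        if not url:
            problems.append(f"{rel}: missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{rel}: plain http")
        if parts.path == "":  # assumption: the caveat concerns bare-host hrefs
            problems.append(f"{rel}: no trailing slash after host")
    return found, problems

# Constructed sample header; the example.net hosts are placeholders.
SAMPLE = """<head>
<link rel="openid.server" href="https://id.example.net/server" />
<link rel="openid.delegate" href="http://name.example.net" />
</head>"""

if __name__ == "__main__":
    for line in audit(SAMPLE)[1] or ["ok"]:
        print(line)
```
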

My big concern at this time is security. I’m not entirely sure what prevents a potentially nefarious site from playing a monkey in the middle, and sniffing out your information. Although running your own ID server and paying attention to where you’re signing on at would go a long way towards preventing that. And regardless, I am already finding mine handy for the simple purpose of leaving comments on friends’ blogs who are on networks where I don’t have an account. That alone is a big advantage and not exactly a security risk to me. I hate going through the hassle of signing up for accounts I’ll never use beyond commenting or such, so this sells itself well.

Yahoo, MSN, Google, and lots of other sources are playing with it too in different ways. So this is far from some wacky, half-cocked new technology. It’s sort of like Microsoft’s Passport system, except way more powerful. Go give it a good once-over; it might come in handy.
