What is OpenID?

Here’s a quick intro to OpenID and how it can be used whilst blogging and commenting. In the coming weeks we’ll be posting more articles on the weaknesses of OpenID and how mistakes can be avoided.

OpenID is a single sign-on service which allows you to use your blog or web page as a unique identifier. This is useful because, instead of entering a different username and password each time you want to comment on a blog, you can just use your OpenID account. It isn’t an identity system: it doesn’t stop anyone setting up a blog and claiming to be you, and it can be as powerful or as simple as the provider requires.

There are three parties involved when using OpenID for authentication: you, the OpenID provider and the site you require access to. An OpenID provider is the company which looks after your OpenID account. They are responsible for allowing or denying access to any OpenID-enabled web site; you must trust a provider with all your personal details and credentials, and they must be secure for that reason. So you can think of a provider as a gatekeeper which will only allow sites to pass with your permission.

In order to comment on a blog that uses OpenID, you first need an account from a provider. Once you’ve registered with them you will have your own unique OpenID identifier, which is in the form of a web address; this is your identity page. An identity page is a web site with a tag that specifies which provider you use, and it can be provided by the provider, by yourself or by your blog. The tag looks like this:


<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />

So in the example above MyOpenID is used as the provider and the web page address is used as your OpenID identifier. When you go to the blog you want to comment on, you place your identifier (your web address) into the OpenID-enabled blog. The blog then sends the request to your provider, and the provider asks you for confirmation; you then allow or deny the site. Once this transaction is complete, the blog logs you on as the account specified in your OpenID provider.
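
The lookup the blog performs on your identity page can be sketched as follows. This is an added example, not code from this post or from any OpenID library. It assumes the blog has already fetched the page's HTML, and the names `HeadLinkParser`, `discover_provider` and `SAMPLE_PAGE` are made up for illustration. It only honours tags inside `<head>`, where OpenID 2.0 HTML discovery expects them, and only accepts an absolute http(s) endpoint.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values from the tags in the article; the OpenID 2.0 tag is preferred.
REL_PRIORITY = ("openid2.provider", "openid.server")


class HeadLinkParser(HTMLParser):
    """Collects OpenID <link> tags, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}  # rel token -> href (first occurrence wins)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            # rel may hold several space-separated tokens
            for rel in (a.get("rel") or "").lower().split():
                if rel in REL_PRIORITY and href:
                    self.found.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_provider(identity_html):
    """Return (rel, endpoint) for the declared provider, or None."""
    parser = HeadLinkParser()
    parser.feed(identity_html)
    for rel in REL_PRIORITY:
        href = parser.found.get(rel, "")
        url = urlparse(href)
        # Only an absolute http(s) URL is usable as a provider endpoint.
        if url.scheme in ("http", "https") and url.netloc:
            return rel, href
    return None


# Constructed sample identity page using the two tags from the article.
SAMPLE_PAGE = """<html><head><title>My blog</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
</head><body><p>Hello</p></body></html>"""
```

Calling `discover_provider(SAMPLE_PAGE)` returns the `openid2.provider` endpoint; a page whose only OpenID tag sits in the body, or whose href is not an http(s) URL, yields `None`.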


Comments

Excellent summary Gareth. I have been thinking about implementing OpenID on BlogSec.

Perhaps we should wait until our OpenID security risk article? :)

Thanks David :)

Yeah there are quite a few security risks involved with OpenID ;)

Hi Gareth: Delegation from the PiP is almost identical:

More details can be gleaned from: http://wiki.openid.net/Delegation

Good article btw…

[...] have to login every time I want to leave a comment! That means having to remember another password! OpenID may be the way forward in this [...]
