OpenID

From EduTech Wiki

1 Definition

OpenID is probably the most popular lightweight digital identity system. It can also support single sign-on (SSO) for Internet applications that combine several services, e.g. a webtop that provides an interface to social software applications. It is the answer to "I can't remember my login and password" for all those web sites for which you should never reuse the same id + password...

“OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity, eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.” (OpenID, Wikipedia, retrieved 19:27, 21 August 2008 (UTC))

OpenID can be complemented by other services, e.g. digital identity portals, i-cards, i-names etc., that manage other aspects of a digital identity. OAuth is a related standard that lets you authorize one web service to access a restricted set of your information held by another web service.

2 The system

An OpenID is in the form of a URL. This URL can be the domain name of your own website, or the URL of an OpenID Identity Provider. When you log in with an OpenID, you have to log in to the Identity Provider for validation. Using OpenID-enabled sites, web users do not need to remember traditional items of identity such as username and password. Instead, they only need to be registered with any OpenID "identity provider" (IdP). Since OpenID is decentralized, any website can use OpenID as a way for users to sign in; OpenID does not require a centralized authority to confirm a user's digital identity.

(OpenID, Wikipedia, retrieved 21 August 2008 (UTC))

Authentication is the process of attempting to verify the digital identity of the sender of a communication, such as a request to log in. This process involves identifiers and several players. In the OpenID framework one can, according to the specification, distinguish:

  • The identifier of a user: an "http" or "https" URI
  • The relying party (RP): a Web application that wants proof that the end user controls an identifier. (The user provides the website with an OpenID URL, e.g. http://XYZ@myopenid.com.)
  • OpenID Provider (OP): an OpenID Authentication server on which a relying party relies for an assertion that the end user controls an identifier. This provider has
    • an OP identifier (e.g. http://myopenid.com)
    • an OP Endpoint URL, which accepts OpenID Authentication protocol messages.

In simplified terms: the end user presents an identifier to the relying party. The relying party then discovers an OP Endpoint URL from the identifier URL, and the relying party and the OP set up a secure channel (an association with a shared secret) for message exchange. Next, the end user is redirected to the OP for verification of the authentication request. The OP then tells the relying party whether the authentication is approved or rejected.

This workflow can be represented by the following figure:

OpenID interaction, Source: Rob Richards
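The message flow sketched above, written out as an added Python example (not code from this wiki page or from any OpenID project). It assumes OpenID 2.0 conventions: the OP and RP share an association (a MAC key plus a handle), the OP signs a positive assertion over the key-value form of the fields listed in openid.signed, and the RP accepts it only after checking endpoint, return_to, association handle, nonce freshness and the HMAC. Hosts, the claimed identifier and the keys are constructed placeholders; the MAC key is generated locally instead of being agreed via Diffie-Hellman, which is an assumption made to keep the example self-contained.

```python
import base64
import calendar
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample values for this walk-through (not real hosts or secrets).
OP_ENDPOINT = "https://op.example.org/server"
RP_RETURN_TO = "https://rp.example.net/openid/return"
CLAIMED_ID = "https://alice.example.com/"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def make_association():
    """Shared state between OP and RP. In OpenID 2.0 the MAC key is agreed via
    Diffie-Hellman (or sent over TLS) in the association step; this example
    simply generates it locally, which is an assumption, not the real exchange."""
    return {"assoc_handle": secrets.token_hex(8), "mac_key": os.urandom(32)}

def make_nonce():
    """Response nonce: UTC timestamp followed by unique characters."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)

def kv_form(fields, signed):
    """Key-value form the signature covers: 'key:value\\n' per signed key, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def op_sign_assertion(assoc, claimed_id, return_to, nonce):
    """OP side: build and sign a positive assertion (openid.mode=id_res) with HMAC-SHA256."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc["assoc_handle"],
        "openid.signed": ",".join(signed),
    }
    mac = hmac.new(assoc["mac_key"], kv_form(fields, signed), hashlib.sha256).digest()
    fields["openid.sig"] = base64.b64encode(mac).decode()
    return fields

class RelyingParty:
    """RP side: keeps the association and the OP endpoint found during discovery."""

    def __init__(self, assoc, discovered_endpoint, return_to, max_age=300):
        self.assoc, self.endpoint, self.return_to = assoc, discovered_endpoint, return_to
        self.max_age = max_age          # seconds a response_nonce stays acceptable
        self.seen_nonces = set()        # a real RP would persist these per OP endpoint

    def verify(self, fields):
        """Return (True, 'ok') or (False, reason); the checks follow the spec's RP rules."""
        if fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if fields.get("openid.op_endpoint") != self.endpoint:
            return False, "op_endpoint differs from the one discovered for this identifier"
        if fields.get("openid.return_to") != self.return_to:
            return False, "return_to does not match this RP's URL"
        if fields.get("openid.assoc_handle") != self.assoc["assoc_handle"]:
            return False, "unknown association handle"
        signed = fields.get("openid.signed", "").split(",")
        needed = REQUIRED_SIGNED | ({"claimed_id", "identity"} if "openid.claimed_id" in fields else set())
        if not needed <= set(signed):
            return False, "a required field is not covered by the signature"
        nonce = fields.get("openid.response_nonce", "")
        try:
            issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed response_nonce"
        if abs(time.time() - issued) > self.max_age:
            return False, "response_nonce outside the accepted time window"
        if nonce in self.seen_nonces:
            return False, "response_nonce already used (replay)"
        try:
            expected = hmac.new(self.assoc["mac_key"], kv_form(fields, signed), hashlib.sha256).digest()
            given = base64.b64decode(fields.get("openid.sig", ""))
        except (KeyError, ValueError):
            return False, "signature cannot be checked"
        if not hmac.compare_digest(expected, given):   # constant-time comparison
            return False, "bad signature"
        self.seen_nonces.add(nonce)                    # only after every check passed
        return True, "ok"

def demo():
    """Round trip: a tampered copy is rejected, the genuine assertion passes, its replay fails."""
    assoc = make_association()
    rp = RelyingParty(assoc, OP_ENDPOINT, RP_RETURN_TO)
    assertion = op_sign_assertion(assoc, CLAIMED_ID, RP_RETURN_TO, make_nonce())
    tampered = dict(assertion, **{"openid.claimed_id": "https://mallory.example.com/"})
    return {"tampered": rp.verify(tampered),
            "genuine": rp.verify(assertion),
            "replay": rp.verify(assertion)}
```

The order of the checks matters: the nonce is recorded only once the signature has verified, so an unsigned or forged message cannot be used to burn a nonce, and the endpoint comparison ties the assertion to the OP that discovery produced for this particular identifier rather than to whatever openid.op_endpoint the message claims.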

OpenID providers may include extra services like management of "personas" for Simple Registration and Attribute Exchange data. “Simple Registration is a way to use OpenID to skip the registration step when signing in to web sites. When you sign in to a site that supports Simple Registration, myOpenID will ask you which registration information you want to use so you don't have to fill out a registration form.” “OpenID Attribute Exchange is a newer, more flexible (compared to Simple Registration) way to share information when signing in to an OpenID-enabled site. Attribute Exchange has many data types defined already, and it's easy to define new ones.” (MyOpenID Help, retrieved 21:04, 23 February 2010 (UTC))

3 How to get an OpenID

See How do I get an OpenID? or Wikipedia. Several options exist.

(1) Basically, you either get an account with a web site or service that already provides OpenIDs, e.g. Blogger, Yahoo or Flickr, or you use a provider that only issues the ID.

These companies (and others too) also provide various APIs and extensions that developers can use.

(2) It is probably a good bet to create an ID with an independent provider such as MyOpenID.com, since you can't know what kind of information big companies like Yahoo and Google will keep. Since you may already use various Google, Yahoo etc. services and be tracked with respect to those, you don't necessarily want these companies to know where else you log in.

(3) A politically nice solution is to create a Creative Commons Profile. They give you a badge you can place on pages you create, identifying you as a member of the Creative Commons Network. This badge not only gives visible notice that you support Free Culture, but also helps identify you on license deeds. This service costs $50 and supports the Creative Commons organization, which creates the open content licenses.

We suggest creating two different OpenIDs in case a service is down temporarily (or permanently) or not working. Many web portals now allow registering with more than a single OpenID.

(4) Making your own OpenID for your organization or students is another option:

  • phpMyID lets you run your own provider. Some PHP knowledge is required.
  • Also read OpenID for non-SuperUsers, which shows you how to use an id that points to your own favorite web site (e.g. a blog).
  • If you have an LDAP server, you can use this technology, e.g. by using OpenID-LDAP. That's the kind of solution DKS thinks is best for many academic institutions. However, given that large and stable companies offer OpenIDs for free, this is only worth the trouble if your institution will make a long-term commitment to OpenID.
  • Finally, there exist a bunch of open source libraries for developers.
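Pointing an OpenID at your own web site, as mentioned in the previous list, works because an OpenID is a URL and the relying party discovers the provider from the page served at that URL. The added Python example below (not code from this wiki page or from phpMyID, OpenID-LDAP or any other project named here) shows that discovery step: it normalises what the user typed, reads the openid2.provider / openid2.local_id link relations (falling back to the OpenID 1.1 openid.server / openid.delegate names) from a constructed home page, refuses non-http(s) endpoints, and builds the checkid_setup redirect to the provider. Yadis/XRDS discovery, which a complete relying party tries first, and XRI i-names are left out; all hosts are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample: the HTML served at the user's own site (the claimed identifier),
# delegating to an OpenID provider. Hosts are placeholders, not real services.
ALICE_HOMEPAGE = """<html><head><title>Alice</title>
<link rel="openid2.provider" href="https://op.example.org/server">
<link rel="openid2.local_id" href="https://op.example.org/id/alice">
<link rel="openid.server" href="https://op.example.org/server">
<link rel="openid.delegate" href="https://op.example.org/id/alice">
</head><body>Alice's blog</body></html>"""

def normalize_identifier(user_input):
    """OpenID 2.0 normalisation for URL identifiers: add http:// when no scheme is
    given, lower-case scheme and host, drop the fragment, use '/' for an empty path.
    XRI i-names are not handled here (an intentional simplification)."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))

class _HeadLinks(HTMLParser):
    """Collects the first <link rel=... href=...> per rel value inside <head>."""

    def __init__(self):
        super().__init__()
        self.links, self.head_done = {}, False

    def handle_starttag(self, tag, attrs):
        if tag == "link" and not self.head_done:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a.get("href"))   # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.head_done = True

def _is_http_url(u):
    """Only accept absolute http(s) URLs as OP endpoints before redirecting a user there."""
    p = urlsplit(u or "")
    return p.scheme in ("http", "https") and bool(p.netloc)

def discover(claimed_id, html):
    """HTML-based discovery: return OP endpoint, protocol version and OP-local identifier,
    or None. OpenID 2.0 link relations win; the 1.1 names are the fallback."""
    p = _HeadLinks()
    p.feed(html)
    for version, server_rel, local_rel in (("2.0", "openid2.provider", "openid2.local_id"),
                                           ("1.1", "openid.server", "openid.delegate")):
        endpoint = p.links.get(server_rel)
        if endpoint is None:
            continue
        if not _is_http_url(endpoint):
            return None
        return {"version": version, "claimed_id": claimed_id, "op_endpoint": endpoint,
                "op_local_id": p.links.get(local_rel, claimed_id)}
    return None

def checkid_setup_url(disc, return_to, realm):
    """Build the redirect that sends the user to the OP for authentication."""
    params = {"openid.mode": "checkid_setup",
              "openid.identity": disc["op_local_id"],
              "openid.return_to": return_to}
    if disc["version"] == "2.0":
        params["openid.ns"] = "http://specs.openid.net/auth/2.0"
        params["openid.claimed_id"] = disc["claimed_id"]
        params["openid.realm"] = realm
    else:
        params["openid.trust_root"] = realm      # the OpenID 1.1 name for the realm
    sep = "&" if urlsplit(disc["op_endpoint"]).query else "?"
    return disc["op_endpoint"] + sep + urlencode(params)

def demo():
    """What the RP does with the identifier a user typed into the login box."""
    claimed = normalize_identifier("alice.example.com")      # constructed user input
    disc = discover(claimed, ALICE_HOMEPAGE)                  # a real RP would fetch this page
    url = checkid_setup_url(disc, "https://rp.example.net/openid/return", "https://rp.example.net/")
    return claimed, disc, url
```

Because the relying party follows whatever endpoint the identifier page names, the scheme check before the redirect is the one piece a practitioner should not drop: the page at the claimed URL is untrusted input, and the provider it names must be an ordinary http(s) server.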

4 In education

Since all sorts of web 2.0 and social software applications are increasingly popular in education (see the list of web 2.0 applications), students have a real problem managing their logins on the Internet. It is also a good idea to support single sign-on whenever possible.

OpenID currently (2008) seems to be the best solution. OpenID directories list an ever-increasing number of OpenID-enabled web sites.

Also, some applications already implicitly provide users with an OpenID, e.g. Blogger, Yahoo or Flickr.

Note: OpenID is not meant to be used for local logins, but you may combine local single sign-on based on LDAP with OpenID for Internet logins.

5 Links