OpenID
Latest revision as of 18:26, 22 August 2016
Definition
OpenID is probably the most popular light-weight digital identity system. It may also support single sign-on (SSO) for Internet applications that combine services, e.g. a webtop that provides an interface to social software applications. It is the answer to "I can't remember my login and password" for all those web sites on which you should never reuse the same id and password.
“OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity, eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.” (OpenID, Wikipedia, retrieved 19:27, 21 August 2008 (UTC))
OpenID can be complemented by other services, e.g. digital identity portals, i-cards, i-names etc., that manage several aspects of a digital identity. OAuth is a related standard that lets you allow one web service to access a restricted set of your information on another web service.
The system
An OpenID is in the form of a URL. This URL can be the domain name of your own website, or the URL of an OpenID Identity Provider. When you log in with an OpenID, you have to log in to the Identity Provider for validation.
Using OpenID-enabled sites, web users do not need to remember traditional items of identity such as username and password. Instead, they only need to be registered with any OpenID "identity provider" (IdP). Since OpenID is decentralized, any website can use OpenID as a way for users to sign in; OpenID does not require a centralized authority to confirm a user's digital identity. (OpenID, Wikipedia, retrieved 21 August 2008 (UTC))
Authentication is the process of attempting to verify the digital identity of the sender of a communication, such as a request to log in. This process involves identifiers and several players. In the OpenID framework one can, according to the specification (http://openid.net/specs/openid-authentication-2_0.html#terminology), distinguish:
- The identifier of a user: an "http" or "https" URI
- The relying party (RP): a Web application that wants proof that the end user controls an identifier. (The user provides the website with an OpenID URL like http://XYZ.myopenid.com/.)
- OpenID Provider (OP): an OpenID authentication server on which a relying party relies for an assertion that the end user controls an identifier. This provider has
  - an OP identifier (e.g. http://myopenid.com)
  - an OP Endpoint URL, which accepts OpenID Authentication protocol messages.
In simplified terms: the end user presents an identifier to the relying party. The relying party then discovers an OP Endpoint URL from the identifier URL, and the relying party and the OP establish a shared secret (an "association") so that later messages can be signed. Next, the end user is redirected to the OP for verification of the authentication request. The OP then tells the relying party, via a signed assertion, whether the authentication is approved or rejected; the relying party must check that signature before trusting the answer.
This workflow can be represented by the following figure:
[Figure: OpenID interaction. Source: Rob Richards, http://cdatazone.org/talks/zendcon_2009/Digital_Identity.pdf]
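As an added example (not code from the page), the two ends of the simplified flow above in Python: the OP signs its positive assertion with the association secret, and the relying party performs the checks it must make before accepting it (signature over the required fields, its own return_to, the op_endpoint it discovered for the claimed identifier, and a fresh nonce). All endpoints, identifiers and the association secret are constructed for the demo.

```python
import base64, hashlib, hmac, secrets, time

# Constructed demo values (not from the page). The association secret is normally
# negotiated between RP and OP in the association step; here it is a fixed constant.
ASSOC_HANDLE = "assoc-demo-1"
ASSOC_SECRET = b"\x01" * 32
# What the RP learned by discovery for a claimed identifier (constructed).
DISCOVERED = {"http://alice.example.org/": "https://op.example.org/auth"}
# Fields a positive assertion must cover with its signature (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def kv_encode(fields, signed):
    # Key-Value Form encoding of the signed fields, in openid.signed order
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()

def sign(fields, signed, secret):
    # base64(HMAC-SHA256) over the encoded signed fields (HMAC-SHA256 association type)
    return base64.b64encode(hmac.new(secret, kv_encode(fields, signed), hashlib.sha256).digest()).decode()

def op_positive_assertion(claimed_id, return_to, op_endpoint):
    # OP side: build the id_res response the user's browser carries back to the RP
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8)
    fields = {"mode": "id_res", "op_endpoint": op_endpoint, "return_to": return_to,
              "response_nonce": nonce, "assoc_handle": ASSOC_HANDLE, "claimed_id": claimed_id,
              "identity": claimed_id, "signed": ",".join(signed)}
    fields["sig"] = sign(fields, signed, ASSOC_SECRET)
    return fields

class RelyingParty:
    # RP side: the checks a relying party must make before trusting an assertion
    def __init__(self, return_to, discovered, secrets_by_handle):
        self.return_to, self.discovered, self.secrets = return_to, discovered, secrets_by_handle
        self.seen_nonces = set()  # replay protection; a real RP also bounds nonce age

    def verify(self, resp):
        signed = resp.get("signed", "").split(",")
        if resp.get("mode") != "id_res" or any(k not in resp for k in signed):
            return False, "malformed response"
        if not REQUIRED_SIGNED.issubset(signed):
            return False, "required field not covered by signature"
        secret = self.secrets.get(resp.get("assoc_handle"))
        if secret is None:
            return False, "unknown association handle"
        if not hmac.compare_digest(sign(resp, signed, secret), resp.get("sig", "")):
            return False, "bad signature"
        if resp["return_to"] != self.return_to:
            return False, "return_to mismatch"
        if self.discovered.get(resp["claimed_id"]) != resp["op_endpoint"]:
            return False, "op_endpoint does not match discovery"
        if resp["response_nonce"] in self.seen_nonces:
            return False, "nonce replay"
        self.seen_nonces.add(resp["response_nonce"])
        return True, "ok"
```

The discovery check is the one most often skipped: without it, any OP that holds an association with the RP could assert control of someone else's identifier.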
OpenID providers may include extra services like management of "personas" for Simple Registration and Attribute Exchange data. “Simple Registration is a way to use OpenID to skip the registration step when signing in to web sites. When you sign in to a site that supports Simple Registration, myOpenID will ask you which registration information you want to use so you don't have to fill out a registration form.” “OpenID Attribute Exchange is a newer, more flexible (compared to Simple Registration) way to share information when signing in to an OpenID-enabled site. Attribute Exchange has many data types defined already, and it's easy to define new ones.” (MyOpenID Help, retrieved 21:04, 23 February 2010 (UTC))
How to get an OpenID
See How do I get an OpenID? (http://openid.net/get/) or Wikipedia. Several options exist.
(1) Basically, you either get an account with a web site or service that already provides OpenIDs, e.g. Blogger, Yahoo or Flickr, or you use a provider that only provides the ID.
- If you already have a Google account then you also have an OpenID: click on Settings->Edit Profile, then scroll down and you will see your Profile URL, which you can use as an OpenID URL, e.g. http://www.google.com/profiles/DanielKSchneider. If you just see a number, you can change your nickname in the profile.
- Similarly for Yahoo. As with Google, you often don't actually need to know your OpenID: on many websites you click on the "Yahoo button", then log in through Yahoo using your Yahoo! ID. Otherwise you can find the OpenID URL through openid.yahoo.com or your account page. The default name is something like http://me.yahoo.com/very_long_number. You can change this default through the customization options (bottom of openid.yahoo.com) and get something like https://me.yahoo.com/danielkschneider. You could even use your Flickr account.
Both companies (and others too) additionally provide various APIs and extensions that developers can use.
(2) It is probably a good bet to create an ID with an independent provider such as MyOpenID.com, since you can't know what kind of information big companies like Yahoo and Google will keep. Since you may already use various Google, Yahoo etc. services and be tracked with respect to those, you don't necessarily want these companies to know where else you log in.
- Example: http://DanielKSchneider.myopenid.com/
(3) A politically nice solution is to create a Creative Commons Profile. They give you a badge you can place on pages you create, identifying you as a member of the Creative Commons Network. This badge not only gives visible notice that you support Free Culture, but also helps identify you on license deeds. This service costs $50 and supports the Creative Commons organization, which creates the open content licenses.
- Example: https://creativecommons.net/DKS/
We suggest creating two different OpenIDs in case a service is down temporarily (or permanently) or not working. Many web portals now allow registering with more than one OpenID.
(4) Making your own OpenID for your organization or students is another option:
- phpMyID (http://siege.org/projects/phpMyID/) can help you run your own. Some PHP knowledge is required.
- Also read OpenID for non-SuperUsers (http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers), which shows how to use an identifier that points to your own favorite web site (e.g. a blog).
- If you have an LDAP server, you can build on it, e.g. by using OpenID-LDAP (http://www.openid-ldap.org/). That's the kind of solution DKS thinks is best for many academic institutions. However, given that large and stable companies offer OpenIDs for free, this is only worth the trouble if your institution will make a long-term commitment to OpenID.
- Finally, there are a number of open source libraries (http://wiki.openid.net/Libraries) for developers.
In education
Since all sorts of web 2.0 and social software applications are increasingly popular in education (see the list of web 2.0 applications), students have a real problem managing their logins on the Internet. It is also a good idea to support single sign-on whenever possible.
OpenID seems to be currently (2008) the best solution. OpenID directories list an ever increasing number of OpenID-enabled web sites:
- OpenID Site Directory (https://www.myopenid.com/directory)
- OpenIDDirectory (http://openiddirectory.com/)
Also, some applications already implicitly provide users with an OpenID, e.g. Blogger, Yahoo or Flickr.
Note: OpenID is not meant to be used for local logins, but you may combine local single sign-on with LDAP and OpenID for Internet logins.