This week, Kevin Yank is reporting from OSCON 2006 in Portland, OR.
David Recordon (Six Apart, then Verisign) and Brian Ellin (JanRain) have had their fingers in OpenID since its inception. OpenID is an open user authentication system based on the premise that individuals own URLs. The system was originally developed to authenticate users that wish to comment on blog posts, in an attempt to reduce comment spam. It was designed to be very simple, so that users need only understand how to write HTML in order to make use of the system.
The OpenID 2.0 project (recently accepted into the Apache Incubator) extends the original scope of OpenID to add facilities like messaging, but remains true to the original spirit of OpenID: simplicity and openness.
Importantly, OpenID does not deal with the issue of trust—OpenID only allows a person to prove that he or she controls a particular URL; it does not give you any information about the trustworthiness of that person.
OpenID’s biggest distinguishing feature is its decentralized nature. Anyone is free to set up their own OpenID server, which can store user credentials and provide authentication services for those users to any site or application that supports OpenID.
OpenID currently enjoys wide adoption among blogging services and software; however, there is an active push to see it adopted on a wider scale. There is even a bounty program instituted by interested companies that will pay $5,000 for an application that implements core support for OpenID.
Building OpenID support into your own web application means that you can spend less time implementing things like user authentication, and your users need not remember a new set of credentials just for your site.
As a user, setting up your own OpenID identity simply involves registering with an OpenID server (e.g. MyOpenID provides a free OpenID server), and then including at your claimed URL the following HTML link elements, which declare the OpenID server(s) with which you want sites to check your credentials:
<link rel="openid.delegate" href="http://brian.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
An alternative XML format for providing these details without embedding them in a web page also exists.
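As an added example (not code from the talk or from JanRain’s library), here is the discovery step a site performs on the claimed URL: it fetches the page and reads the openid.server and openid.delegate link elements shown above. The HTML document is a constructed sample; only the document head is consulted, so a link appearing in body content that other users can write into (a comment, say) cannot redirect discovery.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class _OpenIDLinkParser(HTMLParser):
    """Collects openid.server / openid.delegate <link> elements from <head>."""

    def __init__(self):
        super().__init__()
        self.server = None
        self.delegate = None
        self.in_head = False
        self.done = False  # set once </head> is seen; later links are ignored

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rels = (a.get("rel") or "").lower().split()  # rel may hold several tokens
            href = a.get("href")
            if not href:
                return
            if "openid.server" in rels and self.server is None:
                self.server = href  # first declaration wins
            if "openid.delegate" in rels and self.delegate is None:
                self.delegate = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.done = True


def discover_openid(claimed_url, html):
    """Returns (server_url, identity_url), or None if no server link is declared.
    identity_url is the delegate URL if one is given, else the claimed URL."""
    p = _OpenIDLinkParser()
    p.feed(html)
    p.close()
    if p.server is None:
        return None
    server = urljoin(claimed_url, p.server)
    identity = urljoin(claimed_url, p.delegate) if p.delegate else claimed_url
    return server, identity


# Constructed sample page for a claimed URL; the link in <body> must be ignored.
SAMPLE_PAGE = """<html><head><title>Brian</title>
<link rel="openid.delegate" href="http://brian.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body><p>Comments:</p>
<link rel="openid.server" href="http://injected.example/server" />
</body></html>"""
```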
Ellin went on to demonstrate the code involved in adding OpenID support to a Ruby on Rails application using the OpenID support library for Ruby developed by his company, JanRain.
OpenID can also be extended to include simple user registration information (e.g. email address, nickname, location, time zone, etc.), and Ellin showed a demo of this too.
The audience in this talk seemed very concerned that all the potential security concerns had been considered, and Recordon and Ellin answered those concerns with aplomb.
July 31st, 2006 at 11:29 pm
The whole concept of OpenID eludes me.
We authenticate users on a “what they know” basis. We assume that if somebody knows login details he has a right to use our services.
With OpenID all we get is clarification that the user indeed pointed us to a valid OpenID server.
Weeding out spammers is hard enough on a server with a thousand users. Imagine managing millions of OpenID URLs.
I’m not against OpenID I just don’t UNDERSTAND it. If somebody could clarify this I’d be more than happy. Their site just says that OpenID is not a trust system.
August 1st, 2006 at 12:42 am
RuinDweller,
Whatever anti-spam measures you normally use can be applied to OpenID logins as well. OpenID is not an anti-spam measure, nor does it interfere with your anti-spam measures.
OpenID doesn’t remove the “what they know” test. The OpenID server specified by the user still checks that the user knows his or her login details for you. The only difference with OpenID is that your site doesn’t have access to the user’s login credentials.
Precisely, what a successful OpenID login to your site tells you is that the user that logged in has control over the content of the URL they provided. Whether or not you trust the owner of that URL to not be a spammer is a separate issue, and one not handled by OpenID (nor is it handled by any other user authentication scheme).
August 12th, 2006 at 12:29 pm
[…] Before our week in Montreal, there was the cottage, which was four days of lakeside bliss with long-missed friends. After the lights finally came on, everything went perfectly up until the last hour before we all left, when Chris walked through a screen door and his girlfriend Lou dropped her car keys in the lake. My best guess is that they didn’t want to leave, and were doing their best to delay the inevitable.And before the cottage, there was my week at OSCON in Portland. I blogged the nitty gritties of that in detail at SitePoint, but in general it was an astonishing gathering of talent. Attendees routinely sat in sessions coding some personal project or other, or participating in the conference “back channel” on IRC. At one point during the final day, I walked into a men’s room behind a fellow toting an open laptop who proceeded to stand at a urinal and continue to surf the web with the laptop in his free hand. […]
May 17th, 2007 at 6:08 am
RuinDweller, also, using an OpenID, you can identify a user and track him, e.g. you could show all posts by that user.