OSCON 2006: Practical OpenID

This week, Kevin Yank is reporting from OSCON 2006 in Portland, OR.

David Recordon (Six Apart, then Verisign) and Brian Ellin (JanRain) have had their fingers in OpenID since its inception. OpenID is an open user authentication system based on the premise that individuals own URLs. The system was originally developed to authenticate users that wish to comment on blog posts, in an attempt to reduce comment spam. It was designed to be very simple, so that users need only understand how to write HTML in order to make use of the system.

The OpenID 2.0 project (recently accepted into Apache incubator) extends on the original scope of OpenID to add facilities like messaging, but remains true to the original spirit of OpenID: simplicity and openness.

Importantly, OpenID does not deal with the issue of trust—OpenID will only allow a person to prove that he or she owns a particular URL, it does not give you any information about the trustworthiness of that person.

OpenID’s biggest distinguishing feature is its decentralized
nature. Anyone is free to set up their own OpenID server, which can
store user credentials and provide authentication services for those
users to any site or application that supports OpenID.

OpenID currently enjoys wide adoption among blogging services and software; however, there is an active push to see it adopted on a wider scale. There is even a bounty program instituted by interested companies that will pay $5,000 for an application that implements core support for OpenID.

Building OpenID support into your own web application means that you can spend less time implementing things like user authentication, and your users need not remember a new set of credentials just for your site.

As a user, setting up your own OpenID identity involves simply registering with such an OpenID server (e.g. MyOpenID provides a free OpenID server), and then include at your claimed URL the following HTML link elements that assert the OpenID server(s) with which you want sites to check your credentials:

  <link rel="openid.delegate" href="http://brian.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />

An alternative XML format for providing these details without embedding them in a web page also exists.

Ellin went on to demonstrate the code involved in adding OpenID support to a Ruby on Rails application using the OpenID support library for Ruby developed by his company, JanRain.

OpenID can also be extended to include simple user registration information (e.g. email address, nickname, location, time zone, etc.), and Ellin showed a demo of this too.

The audience in this talk seemed very concerned that all the potential security concerns had been considered, and Recordon and Ellin answered those concerns with aplomb.

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • RuinDweller

    The whole concept of OpenID eludes me.

    We authenticate users on “what they know” basis. We assume that if somebody khows login details he has a right to use our services.

    With OpenID all we get is clarification that the user indeed pointed us to a valid OpenID server.

    Weeding out spammers is hard enough on a server with a thousand users. Imagine managing millions of OpenID URLs.

    I’m not against OpenID I just don’t UNDERSTAND it. If somebody could clarify this I’d be more than happy. Their site just says that OpenID is not a trust system.

  • http://www.sitepoint.com/ Kevin Yank

    RuinDweller,

    Whatever anti-spam measures you normally use can be applied to OpenID logins as well. OpenID is not an anti-spam measure, nor does it interfere with your anti-spam measures.

    OpenID doesn’t remove the “what they know” test. The OpenID server specified by the user still checks that the user knows his or her login details for you. The only difference with OpenID is that your site doesn’t have access to the user’s login credentials.

    Precisely, what a successful OpenID login to your site tells you is that the user that logged in has control over the content of the URL they provided. Whether or not you trust the owner of that URL to not be a spammer is a separate issue, and one not handled by OpenID (nor is it handled by any other user authentication scheme).

  • Pingback: Leaving Canada at Yes, I’m Canadian

  • Vincent

    RuinDweller, also, using an OpenID, you can identify a user and track him, e.g. you could show all posts by that user.