OSCON 2006: Practical OpenID
This week, Kevin Yank is reporting from OSCON 2006 in Portland, OR.
David Recordon (Six Apart, then Verisign) and Brian Ellin (JanRain) have had their fingers in OpenID since its inception. OpenID is an open user authentication system based on the premise that individuals own URLs. The system was originally developed to authenticate users that wish to comment on blog posts, in an attempt to reduce comment spam. It was designed to be very simple, so that users need only understand how to write HTML in order to make use of the system.
The OpenID 2.0 project (recently accepted into Apache incubator) extends on the original scope of OpenID to add facilities like messaging, but remains true to the original spirit of OpenID: simplicity and openness.
Importantly, OpenID does not deal with the issue of trust—OpenID will only allow a person to prove that he or she owns a particular URL, it does not give you any information about the trustworthiness of that person.
OpenID’s biggest distinguishing feature is its decentralized
nature. Anyone is free to set up their own OpenID server, which can
store user credentials and provide authentication services for those
users to any site or application that supports OpenID.
OpenID currently enjoys wide adoption among blogging services and software; however, there is an active push to see it adopted on a wider scale. There is even a bounty program instituted by interested companies that will pay $5,000 for an application that implements core support for OpenID.
Building OpenID support into your own web application means that you can spend less time implementing things like user authentication, and your users need not remember a new set of credentials just for your site.
As a user, setting up your own OpenID identity involves simply registering with such an OpenID server (e.g. MyOpenID provides a free OpenID server), and then include at your claimed URL the following HTML link elements that assert the OpenID server(s) with which you want sites to check your credentials:
<link rel="openid.delegate" href="http://brian.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
An alternative XML format for providing these details without embedding them in a web page also exists.
Ellin went on to demonstrate the code involved in adding OpenID support to a Ruby on Rails application using the OpenID support library for Ruby developed by his company, JanRain.
OpenID can also be extended to include simple user registration information (e.g. email address, nickname, location, time zone, etc.), and Ellin showed a demo of this too.
The audience in this talk seemed very concerned that all the potential security concerns had been considered, and Recordon and Ellin answered those concerns with aplomb.