OpenID: The RESTful approach to Single Sign-On

December 7, 2006

Been spending a lot of time on regular work, but a friend recently suggested I check out OpenID, the de facto distributed authentication standard for Web 2.0. I think of it as “Decentralized Kerberos for the Internet”, in that it provides the ability to do Single Sign-On without the need for everyone to agree on a single directory server or implement a bunch of hairy protocols.

If I understand it correctly, all you need is:

- an account with an OpenID Provider (usually, but not necessarily, a username and password)
- a publicly-reachable URL with an autodiscovery link to one or more Providers (like the links to RSS/Atom feeds)

If you’re ambitious/paranoid, you can even be your own provider. The reason is that the “principal” (globally unique identifier) is really the URL (or a weird mutant thereof, like an XRI). All the Provider does is validate that you (as defined by your login information with them) have access to that URL. That’s it: pure authentication, no authorization whatsoever. All it is doing is ensuring that nobody else can claim that URL.

To use it, you just tell a Consuming website, “Hey, this is my URL: I’d like to use it as my OpenID identifier on your website.” Then they dereference that URL, find its Provider, and (if necessary) jump you over to the Provider’s website to authenticate (and, optionally, if you allow, get your basic name/email/contact data). Once that’s done, they can let you set up a local ‘nickname’ (not globally unique) to avoid the need for the complete URL. Importantly, though, you never have to give a password (or any data you’d like to keep private) to any Consuming site, and they never (really) need to trust the Provider; they just trust DNS and HTTP (hopefully HTTPS) to ensure that you really have the right to claim that link.

Now, in practice there will probably be concerns about spoofing, so Consuming sites will have whitelists, which is why you may need multiple Providers to ensure they have one that works everywhere they need it. But, crucially, all of that is an out-of-band business opportunity. The protocol itself is (so I’m told) drop-dead simple, so that (if you’re starting from scratch) you can get up and running in a couple of hours, especially if you leverage the pre-built libraries for PHP, Ruby, Python, etc.
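The Consuming-site half of the flow described two paragraphs up (dereference the claimed URL, find its Provider through the autodiscovery link, bounce the user over to the Provider) plus the Provider whitelist from the paragraph just above, as an added example that is not code from the original post or from any OpenID library. It uses the OpenID 1.1 link relations openid.server and openid.delegate and the checkid_setup request parameters; the host names, the sample identity page and the whitelist contents are constructed for illustration. Two checks a Consuming site wants are folded in: only a link in the page’s head counts (a link sitting in body content, such as a comment, is ignored), and the return_to address must sit under the trust_root so the Provider’s answer cannot be bounced somewhere else.

```python
# Added example, not code from the original post: the front half of a minimal
# OpenID 1.1-style relying party (Consuming site). Names, URLs and the sample
# identity page are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample identity page. The <link> inside <body> stands in for
# content a third party could inject (a blog comment, say); discovery must
# ignore it and use only what is in <head>.
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>alice's homepage</title>
<link rel="openid.server" href="https://idp.example.net/server">
<link rel="openid.delegate" href="https://idp.example.net/users/alice">
</head><body>
<link rel="openid.server" href="https://attacker.example/fake">
</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect the first openid.server / openid.delegate link found inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_seen = False
        self.server = None
        self.delegate = None

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_seen:
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rels = (a.get("rel") or "").lower().split()
            href = a.get("href")
            if href and "openid.server" in rels and self.server is None:
                self.server = href
            if href and "openid.delegate" in rels and self.delegate is None:
                self.delegate = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.head_seen = True


def normalize_identifier(user_input):
    """Canonicalise what the user typed: add a scheme, lower-case host, empty path -> '/'."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def discover(page_html, claimed_id):
    """Return {'server': ..., 'identity': ...}, or None if the page names no Provider.
    With openid.delegate, the Provider is asked about the delegate URL, not the claimed one."""
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    if parser.server is None:
        return None
    return {"server": parser.server, "identity": parser.delegate or claimed_id}


def provider_allowed(server_url, whitelist):
    """The whitelist the post mentions: only HTTPS Providers on an approved host list."""
    p = urlsplit(server_url)
    return p.scheme == "https" and (p.hostname or "") in whitelist


def return_to_under_trust_root(return_to, trust_root):
    """return_to must sit under trust_root: same scheme, matching host (a leading
    '*.' in trust_root matches subdomains), and a path prefix match."""
    r, t = urlsplit(return_to), urlsplit(trust_root)
    r_host, t_host = r.netloc.lower(), t.netloc.lower()
    if r.scheme != t.scheme or not r_host or not t_host:
        return False
    if t_host.startswith("*."):
        base = t_host[2:]
        host_ok = r_host == base or r_host.endswith("." + base)
    else:
        host_ok = r_host == t_host
    return host_ok and (r.path or "/").startswith(t.path or "/")


def build_checkid_setup_url(server, identity, return_to, trust_root):
    """Build the redirect that jumps the user to the Provider to authenticate."""
    if not return_to_under_trust_root(return_to, trust_root):
        raise ValueError("return_to is not under trust_root")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    return server + ("&" if "?" in server else "?") + urlencode(params)


if __name__ == "__main__":
    claimed = normalize_identifier("alice.example.org")
    info = discover(SAMPLE_IDENTITY_PAGE, claimed)
    assert info and provider_allowed(info["server"], {"idp.example.net"})
    print(build_checkid_setup_url(info["server"], info["identity"],
                                  "https://rp.example.com/openid/return",
                                  "https://rp.example.com/"))
```

In a real Consuming site the page would be fetched over HTTP(S) from the normalised identifier rather than read from a string, and the second half of the flow (verifying the signed assertion the Provider sends back to return_to) still has to be written; the point here is that everything the site needs to locate the Provider comes from the user’s own URL, and that the head-only and return_to checks are where the spoofing worries from the text get handled.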

Most importantly, it sounds like they really believe the “collaborative intelligence” part of the Web 2.0 hype. They’re working with Dick of Sxip, Technorati, and even some SAML refugees. If they can keep everyone happy without falling prey to bloatware, they may really have something.

And oh yeah: their protocol appears to be thoroughly RESTful, so it plays nicely with the web. Woot!

References below.

http://en.wikipedia.org/wiki/OpenID

OpenID is a decentralized digital identity system, in which any user’s online identity is given by URL … and can be verified by any server running the protocol.

OpenID-enabled sites… don’t need to create and manage a new account… they only need to be able to authenticate with a trusted site that supports OpenID, called the identity provider [who] can then confirm ownership of the user’s OpenID identifier to other OpenID-enabled sites, called relying parties…

OpenID is increasingly gaining adoption amongst large sites, with organizations like Wikipedia and Technorati announcing that they will support OpenID.

http://openid.net/

An open and decentralized identity system, designed “not to crumble if one company turns evil or goes out of business”.

LiveJournal.com supports the OpenID distributed identity system, letting you bring your LiveJournal.com identity to other sites, and letting non-LiveJournal.com users bring their identity here.

The case for OpenID

“as technology history has amply shown, just like it is always possible to re-centralize a decentralized system and never the reverse, it is always possible to add cost to a system, but exceedingly hard to remove it from a system that was not built in an extremely light-weight way from the very beginning. That puts OpenID into a unique position among identity technologies.”

http://www.openidenabled.com

Places to start:

- A Brief Introduction to OpenID
- An illustrated overview of the OpenID Protocol
- OpenID libraries in PHP, Python, Perl, Ruby, C#, with more on the way
- OpenID FAQ

http://www.myopenid.com/directory

A list of sites that are OpenID enabled.

Proposed HTTP LINK to avoid the need for HTML
