Monday, June 14, 2010

OpenID integration to website

I started using my OpenID for different websites a while ago. Recently, I was curious to check how it can be integrated with any website. In this post I will just put down some of the points which would give a basic understanding of what OpenID is all about.

Introduction:

As a common internet user, many times we walk away from a website just because we have to register. Registering on all the sites and remembering the login info is a major task, especially for those who already have many accounts. Another problem is that we may not be able to use a unique username and password on every website, and reusing them is not a good idea either. When we share our password with some website, how do we trust that party to keep our password secure so that no one can misuse it? All these problems can be avoided when we use OpenID.

What is OpenID?

OpenID is an open, decentralized standard for authenticating users.

It allows users to log on to different services with the same digital identity, where these services trust the authentication body.

OpenID replaces the common log on process that uses a login-name and a password, by allowing a user to log in once and gain access to the resources of multiple software systems.

You may choose to associate information with your OpenID that can be shared with the websites you visit, such as a name or email address.

With OpenID, your password is only given to your identity provider, and that provider then confirms your identity to the websites you visit.

Other than your provider, no website ever sees your password, so you don’t need to worry about an unscrupulous or insecure website compromising your identity.

OpenID is rapidly gaining adoption on the web, with over one billion OpenID enabled user accounts and over 50,000 websites accepting OpenID for logins. Several large organizations either issue or accept OpenIDs, including Google, Yahoo!, Microsoft, AOL and many more.

OpenID protocol overview:

The end user initiates authentication (Initiation) by presenting a User-Supplied Identifier to the Relying Party via their User-Agent.

After normalizing (Normalization) the User-Supplied Identifier, the Relying Party performs discovery (Discovery) on it and establishes the OP Endpoint URL that the end user uses for authentication.

The Relying Party and the OP establish an association (Establishing Associations): a shared secret established using Diffie-Hellman key exchange. The OP uses the association to sign subsequent messages and the Relying Party uses it to verify those messages; this removes the need for a direct request to verify the signature after each authentication request/response.

The Relying Party redirects the end user's User-Agent to the OP with an OpenID Authentication request (Requesting Authentication).

The OP establishes whether the end user is authorized to perform OpenID Authentication and wishes to do so.

The OP redirects the end user's User-Agent back to the Relying Party with either an assertion that authentication is approved (Positive Assertions) or a message that authentication failed (Negative Assertions).

The Relying Party verifies (Verifying Assertions) the information received from the OP, including checking the return URL, verifying the discovered information, checking the nonce, and verifying the signature using either the shared key established during the association or a direct request to the OP.
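
The last step is where the Relying Party's security actually lives, so here is the protocol flow above worked through as code. This is an added example written for this post; it is not the sample application mentioned below and not code from any OpenID library. It covers the Relying Party side only: Normalization of a URL identifier, the Key-Value signature form an OP uses with an HMAC-SHA256 association, and the Verifying Assertions checks (return_to, discovered OP endpoint, nonce freshness and replay, required signed fields, constant-time signature comparison). The association secret and handle, the return_to URL, the OP endpoint, the claimed identifier and the assertion itself are constructed sample values; the discovery result is assumed to be a simple dictionary filled in earlier, and XRI identifiers are left out.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Fields a positive assertion must sign (OpenID Authentication 2.0, section 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")
# Constructed sample values standing in for a real association and discovery result.
SECRET = b"constructed-shared-secret-not-from-a-real-DH-exchange"
HANDLE = "assoc-handle-example"
RETURN_TO = "https://rp.example.com/openid/return?session=abc"
OP_ENDPOINT = "https://op.example.org/server"
CLAIMED_ID = "https://alice.op.example.org/"


def normalize_identifier(user_supplied: str) -> str:
    """Normalization of a URL identifier (section 7.2); XRIs are not handled here."""
    ident = user_supplied.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[6:]
    if not ident or ident[0] in "=@+$!(":
        raise ValueError("empty or XRI identifier: outside the scope of this example")
    if "://" not in ident:
        ident = "http://" + ident  # no scheme given: assume http
    parts = urlsplit(ident)
    # Lower-case scheme and host, drop the fragment, default an empty path to "/".
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def sign(secret: bytes, params: dict, signed) -> str:
    """HMAC-SHA256 over the Key-Value form of the signed fields, base64 encoded (sections 4.1.1, 6.1)."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed).encode()
    return base64.b64encode(hmac.new(secret, kv, hashlib.sha256).digest()).decode()


class RelyingParty:
    """What the RP knows before the redirect: its return_to URL, association secrets (handle -> secret)
    and the OP endpoint discovered for each claimed_id."""

    def __init__(self, return_to: str, associations: dict, discovered: dict,
                 skew: timedelta = timedelta(minutes=5)):
        self.return_to, self.associations, self.discovered = return_to, associations, discovered
        self.skew = skew          # how far a response nonce may drift from our clock
        self.seen_nonces = set()  # nonces already accepted, so a replay is rejected

    def verify(self, p: dict, now: datetime) -> tuple:
        """Verifying Assertions (section 11): returns (accepted, claimed_id or reason)."""
        if p.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        # 11.1 return_to must be our endpoint: same scheme, host and path; its query a subset of ours.
        got, want = urlsplit(p.get("openid.return_to", "")), urlsplit(self.return_to)
        if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path) \
                or not set(parse_qsl(got.query)) <= set(parse_qsl(want.query)):
            return False, "return_to mismatch"
        secret = self.associations.get(p.get("openid.assoc_handle"))
        if secret is None:
            return False, "unknown association handle"
        # 11.2 the OP endpoint in the response must be the one discovery produced for claimed_id.
        if self.discovered.get(p.get("openid.claimed_id")) != p.get("openid.op_endpoint"):
            return False, "op_endpoint does not match discovery"
        # 11.3 nonce: timestamp close to our clock and never accepted before.
        nonce = p.get("openid.response_nonce", "")
        try:
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - ts) > self.skew or nonce in self.seen_nonces:
            return False, "stale or replayed nonce"
        # 10.1 / 11.4.1 every required field is signed, and the MAC matches (constant-time compare).
        signed = p.get("openid.signed", "").split(",")
        if not set(REQUIRED_SIGNED) <= set(signed) or any("openid." + f not in p for f in signed):
            return False, "signature does not cover the required fields"
        if not hmac.compare_digest(sign(secret, p, signed), p.get("openid.sig", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, p["openid.claimed_id"]


def sample_assertion(now: datetime) -> dict:
    """Stands in for the OP: a positive assertion signed with the shared secret (constructed data)."""
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": CLAIMED_ID,
         "openid.identity": CLAIMED_ID, "openid.return_to": RETURN_TO,
         "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "xk7Q",
         "openid.assoc_handle": HANDLE, "openid.signed": ",".join(REQUIRED_SIGNED)}
    p["openid.sig"] = sign(SECRET, p, REQUIRED_SIGNED)
    return p


def demo() -> list:
    """verify() on a genuine assertion, a replay of it, one altered after signing, and a stale one."""
    now = datetime(2010, 6, 14, 12, 0, tzinfo=timezone.utc)
    rp = RelyingParty(RETURN_TO, {HANDLE: SECRET}, {CLAIMED_ID: OP_ENDPOINT})
    genuine = sample_assertion(now)
    tampered = sample_assertion(now + timedelta(seconds=1))
    tampered["openid.identity"] = "https://mallory.op.example.org/"
    stale = sample_assertion(now - timedelta(hours=1))
    return [rp.verify(genuine, now), rp.verify(genuine, now),  # second call is a replay
            rp.verify(tampered, now), rp.verify(stale, now)]
```

Calling demo() accepts the genuine assertion once, then rejects the same assertion a second time (replayed nonce), rejects the one whose identity was changed after signing (bad signature), and rejects the hour-old one (stale nonce). The order of the checks matters: the cheap return_to, handle and nonce checks run before any MAC is computed, and the nonce is only recorded once the signature has been accepted, so a rejected response cannot burn a nonce for a legitimate one.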

Advantages:

Users can use a single identity across different trusted sites.

Provides single sign-on, particularly for people who have many accounts.

The OpenID server provides basic info about the user, saving the need to type in the usual basic info every time (depends on the user's settings with their provider).

Moves the trust of honesty from multiple parties to only one.

Minimizes re-registration and forgot-password situations.

Users who keep the same password across all sites no longer need to share that password with many parties. They can choose a trusted provider and use that identity.

Disadvantages:

We still have to provide normal registration for those who are not willing to go with OpenID.

If the number of people registering on our site is larger than the number of people who use OpenID, this idea would just go away.

The OpenID provider can track users' habits, as it receives all authentication requests.

I have created a sample application to try this and it works fine even when I run the application on localhost. I have tried it with Google, Yahoo and myOpenID accounts. I will post my sample application and also compare OpenID with SAML in coming posts.