Open ID

Should Open ID be one of the available login options for DevNet?

Poll ended at Sat Jun 16, 2007 2:46 pm

Yes: 3 (75%)
No: 1 (25%)

Total votes: 4

Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Okay, it's like this:

You sign up with an OpenID Identity Provider. This gets you a URI which is essentially your core Identity. You can attach other details to the URI Identity such as email address, preferred nickname, real name, etc. If you want, you can create an infinite number of Alias Identities - other URIs which simply redirect to the core URI (using some funky <head> meta information).

If you don't like the Identity Provider, you can set up your own OpenID Server and control your identity yourself (this obviously assumes you can maintain a domain indefinitely since the core URI Identity is permanent!).

OpenID is decentralised - you can operate your own server. There is no central authority. Any Identity Provider can serve any Identity for which it hosts a dedicated URI. You just need to stick to a specific common protocol (e.g. OpenID 2.0 which incorporates the Yadis Specification 1.0).

When you log in using a URI (core or alias) and a password, the host will locate the core URI (so your aliases are never permanent, you can log in to any account using any of your valid aliases - if you can't, the host has a dodgy implementation ;)). It will then proceed to authenticate you. You get redirected to your Identity Provider, approve the request, and approve whatever data the host might want about you (e.g. nickname, email, etc.). The host then creates your account, and/or authenticates you locally. You then run off and start posting stuff ;).

The communication between Host and Identity Provider is always encrypted. There's a raft of algorithms used including Diffie (which is a total screwballs algorithm to implement in PHP natively by the way). It's quite secure even without SSL. The only network sniffer weakness is on your side since you NEVER provide a password to the Host - only your Identity Provider when approving the Host's requests. Hence the password is centralised. You only need the one :).

There are two main PHP libraries. Only one supports OpenID 2.0 fully (JanRain PHP OpenID library), the other (haven't checked it recently) was a lighter library but still quite usable (and nope, can't remember the exact name - check Google). It's not in PEAR. A third alternative will arise this summer, coded entirely in PHP5. Three guesses for who might be writing it ;).
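The association and signed-assertion steps Maugrim describes (Diffie-Hellman between host and Identity Provider, then a signed response the host checks without ever seeing a password), as an added Python example that is not from the thread or from either PHP library. The toy modulus, sample URIs and nonce are constructed for the demo; real OpenID 2.0 uses the spec's 1024-bit default modulus, but the flow is the same.

```python
import hashlib, hmac, os, secrets
from base64 import b64decode, b64encode
# Toy modulus for the demo (the Mersenne prime 2**127 - 1); a real OpenID 2.0
# association uses the spec's 1024-bit default modulus, but the flow is identical.
P, G = 2**127 - 1, 2

def btwoc(n):  # big-endian two's-complement encoding OpenID uses for DH values
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def kv_form(fields):  # Key-Value form: "key:value\n" per field, in listed order
    return "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()

xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))  # byte-wise XOR

def dh_secret(priv, other_pub):  # H(btwoc(g^(xa*xb) mod p)), as in DH-SHA1
    return hashlib.sha1(btwoc(pow(other_pub, priv, P))).digest()

def associate():
    """Host and Identity Provider agree on a MAC key: the IdP picks it and sends
    it XOR-masked with the DH secret, so it never crosses the wire in the clear."""
    host_x, idp_x = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    host_pub, idp_pub = pow(G, host_x, P), pow(G, idp_x, P)   # exchanged openly
    mac_key = os.urandom(20)                                   # chosen by the IdP
    enc_mac_key = xor(dh_secret(idp_x, host_pub), mac_key)     # IdP -> host
    return mac_key, xor(dh_secret(host_x, idp_pub), enc_mac_key)

def sign_assertion(mac_key, fields):
    """IdP builds the positive assertion and HMAC-SHA1 signs the listed fields."""
    resp = dict(fields, signed=",".join(list(fields) + ["signed"]))
    payload = kv_form({k: resp[k] for k in resp["signed"].split(",")})
    resp["sig"] = b64encode(hmac.new(mac_key, payload, hashlib.sha1).digest()).decode()
    return resp

def verify_assertion(mac_key, resp):
    """Host recomputes the HMAC over the signed fields; no password is involved."""
    try:
        payload = kv_form({k: resp[k] for k in resp["signed"].split(",")})
        expected = hmac.new(mac_key, payload, hashlib.sha1).digest()
        return hmac.compare_digest(expected, b64decode(resp["sig"]))
    except (KeyError, ValueError):
        return False

def demo():
    """Returns (keys agree, genuine assertion verifies, forged claimed_id fails)."""
    idp_key, host_key = associate()
    assertion = sign_assertion(idp_key, {"claimed_id": "https://alice.example/",  # core URI (constructed)
        "return_to": "https://forum.example/login", "response_nonce": "2007-06-16T14:46:00Zabc123"})
    forged = dict(assertion, claimed_id="https://mallory.example/")
    return idp_key == host_key, verify_assertion(host_key, assertion), verify_assertion(host_key, forged)
```

A host that skips the verification step, or accepts an assertion whose `signed` list omits `claimed_id`, is the "dodgy implementation" case: anyone could then hand it a response naming somebody else's core URI.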
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

I thought I understood it, and then you lost me.

What's the purpose? Is this created to make logging in simpler, or make signing up simpler?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Signing up, for the most part.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

So, websites have to implement the support for this? What about the security measures taken to keep passwords encrypted? Does OpenID generate different passwords for each site?