TechCafeteria

What is OpenID?

Per the OpenId Homepage: "OpenID is an open, decentralized, free framework for user-centric digital identity". You could call it "single sign-on for the world wide web", since OpenID provides a method for authenticating to web sites without creating a new login and password for every site. While similar initiatives have come up in the past (most notable Microsoft's "Passport"), this is not a proprietary system, but a standard.

The official F.A.Q. on OpenID is at http://openid.net/wiki/index.php/FAQ. Another good F.A.Q. is on PHPBB's website.

Is this a big deal?

I'd say yes - while it's in the nascent stage, much as blogging was in 2002, it's going to see wide adoption in the next two years. Like RSS, OpenID saw early adoption by bloggers, because it offers a very simple way for users to leave comments on blogs without going to all of the trouble of setting up an account. Now Sun, Microsoft, AOL and Yahoo! have all joined the bandwagon, so, like RSS, it will grow out of the hardcore blogging community into standard adoption.

Where can I get an OpenID?

OpenID's are available from any site that offers them, such as Techcafeteria. A fairly good list of established providers is at IWantMyOpenID.org.

How does it work?

Detailed instructions for setting up an OpenID account here at Techcafeteria are at http://techcafeteria.com/openid_howto.htm. But here are the basics:

• Each person has a URI (aka URL, aka web address, aka the thing you type in the browser's address bar to get to a web site) designated to them. That URI will look something like:
  

  http://openid.server.com/?user=yourname

• The URI is established by registering with an OpenID provider. OpenID providers include anyone who has installed an OpenID server and made it available for you to use.
• When you establish your URI, you also provide profile data to the server, such as your full name, email address, date of birth, etc. This is not mandatory, but many OpenID-enabled sites require some of this information before they'll give you access.
• To use your OpenID, you visit any OpenID-enabled site, such as a Livejournal blog; a Wordpress blog that has installed the plugin (like mine); or a web-based community or application that supports OpenID (Drupal and Ma.gnolia.com are two examples).
• When you sign in by typing your URI in the OpenID login box, you are redirected to a page at your OpenID provider's site confirming your request. There, you can review the profile data requested or required, and you can choose whether to send them or cancel the authentication request. You can also specifdy whether this is a one-time request or a trust relationship that you want to establish.
• If you accept, then, depending on how the service has set things up, you will either have an account established or be required to provide more information or complete more steps in order to establish the account. But you will not have to create a login and password for the service.

Where can I use my OpenID?

Many places, and the list will start growing phenomenally. Currently, OpenID is a native function of Livejournal blogs,a nd an add-in function for Drupal, Joomla, Wordpress, PHPBB and other blogging/community platforms. Microsoft, Sun, Yahoo! and AOL have all committed to the platform. Upcoming releases of many of these web-based platforms will incorporate OpenID natively. A OpenID directly, which is by no means complete, lives at http://openiddirectory.com/.

Is this anonymous surfing?

Not inherently. It can be, if the service doesn't require any verification of your identity. But so can signing up for any service that will let you input inaccurate information in order to establish an account.

Is this secure?

For the user, this has the security benefits of not having to trust every service on the internet that you want to use to manage your authentication. They don't ask for your password or store it - that is all handled solely by your provider. But any other issues, such as what this web site will do with your email address, if you provide it (and it might well be required still for access), or whetrher their application is secure, is all the same as if you hadn't used OpenID.

What if my OpenID provider shuts down their system?

That's a good question. While you need to establish your URL with an OpenID provider, you can use an alternate URL from any web server that you can edit pages on - the server doesn't have to know the first thing about OpenID. All you need to do is create a page that includes two lines in the meta section of the header that will refer back to your OpenID provider. Then, if that provider goes down, you just quickly establish a new account with another provider and update your web page. Since the sites you've registered with all know the ID from your server, not the providers, this is fairly seamless.

So, if I run a service, and I enable OpenID as an authentication method, how do I stop spammers from establishing accounts?

The same way you do today (OpenID is not gping to help much with this problem). For example, there's nothing stopping you from requiring that a user respond to a Captcha after they have authenticated via OpenID.

How do I get email addresses so I can verify them before allowing access?

When you set up your OpenID login, you require that the email address be submitted with the profile information. Then you email them to verify the request before establishing the account.

I'd like to be an OpenID provider. How do I do that?

If you have a server that you control (e.g., have root or full administrative access to), and a decent knowledge of how to install software on the server, there are a number of ways to do it, all detailed at OpenIDEnabled.com.