Saturday, June 16, 2007

What is OpenID?

Let's start with the problem:

Whether it's for your blog, your email, or a news site, it's hard to get by on the Internet these days without encountering a login screen:



Whenever a site wants to make sure you are you (known as authentication), you have to sign in. Of course, this also means that you have to create a new account for each site. If you are like most people, you end up using the same username and password combination for almost every site. So, you go through the same process, with almost the same keystrokes every single time!

To put it concisely, each site has its own separate (but similar) process to identify and authenticate you. This is the problem.

How does OpenID solve this?

Well, it gives you a way to identify yourself across sites. That's right! You no longer have to create a separate account for each site that wants to authenticate you. You just have to create one OpenID for yourself and use this on every site that supports it.

Let's consider the login process for OpenID:




  1. We start out on a site which supports OpenID (here we are using Pibb). A site that supports OpenID will have a textbox for you to enter your OpenID. You enter your OpenID (mine, http://rchodava.myopenid.com, is what's entered in the screenshot) and click to sign in.

  2. The browser is now redirected to a page where I enter the password for my OpenID. Since my OpenID is with myopenid.com, you will notice that this login page is on the myopenid.com server, not on Pibb. So I enter my password and click to sign in again.

  3. Now I am brought back to Pibb, logged in using my OpenID!



Behind the scenes

Now that you have seen the typical sequence for logging in with OpenID, let's talk a bit about what's actually happening behind the scenes. The first thing to notice is that my OpenID, http://rchodava.myopenid.com, is actually a URL. This is a key point: with OpenID, you identify yourself with a URL, just like you identify other resources on the web with a URL. Since your identity is a URL, you can actually go to it in a browser. Try it, go to my identity page: http://rchodava.myopenid.com. You'll see something like:



Why does it matter so much that an OpenID is a URL? Because it is central to what goes on behind the scenes. After I clicked sign in on Pibb in Step 1 above, the URL that Pibb redirected my browser to for the second step was my OpenID (http://rchodava.myopenid.com)! Of course, it added a few special parameters to the redirect. This is the same thing that would happen on any site that works with your OpenID.

At this point, let me talk about what myOpenID is. In OpenID jargon, it is an Identity Provider. Basically, it's a service which hosts my identity page and verifies my password. When sites like Pibb (called a Consumer in OpenID jargon) redirect to my OpenID URL, the Identity Provider first asks me for my password. This is how I authenticate (prove it's me) with my Identity Provider, and prove to it that I am the owner of http://rchodava.myopenid.com.

Once my Identity Provider has verified my password, it needs to in turn tell the Consumer (Pibb) that I own my OpenID. This is what happens between Steps 2 and 3 above, when I am redirected from my Identity Provider (myOpenID) back to the Consumer (Pibb). Again, special parameters are passed along so that the Consumer knows I have been authenticated. One of those parameters is a signature over the response, and the Consumer has to verify it (using a secret it shared with the Identity Provider beforehand, or by asking the Identity Provider directly whether it really issued the response), because the redirect passes through my browser and anything in it that is not signed could just as well have been typed in by hand.
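To make those "special parameters" concrete, here is an added example (written for this page, not code from the post, from Pibb or from myOpenID) that builds the redirect an Identity Provider sends back to a Consumer in the OpenID 1.1 style and then checks it the way a Consumer must. It assumes the two sides already share an association secret and handle (constructed values here; in the real protocol these are set up by a direct request from the Consumer to the Identity Provider before the login), and the Consumer return URL http://consumer.example/openid/return is made up for the example.

```python
# Added example, not from the original post: the signed id_res redirect an
# OpenID 1.1 Identity Provider sends back to a Consumer, and the Consumer's check.
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed association standing in for one negotiated before the login.
ASSOC_HANDLE = "example-handle-1"
MAC_KEY = b"\x01" * 20  # constructed 160-bit secret for HMAC-SHA1

# Fields the Consumer relies on; each must be covered by the signature.
SIGNED_FIELDS = ["mode", "identity", "return_to"]


def _key_value_form(params, signed_fields):
    """Key-value form the signature covers: 'field:value\\n' per signed field, in order."""
    return "".join("%s:%s\n" % (f, params["openid." + f]) for f in signed_fields).encode("utf-8")


def provider_response_url(identity, return_to, mac_key=MAC_KEY, handle=ASSOC_HANDLE):
    """Identity Provider side (between steps 2 and 3): the redirect back to the Consumer."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.assoc_handle": handle,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(mac_key, _key_value_form(params, SIGNED_FIELDS), hashlib.sha1).digest()
    params["openid.sig"] = base64.b64encode(mac).decode("ascii")
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(params)


def consumer_verify(url, expected_return_to, associations):
    """Consumer side: the verified identity, or None if the response cannot be trusted.

    associations maps association handles this Consumer holds to their MAC keys.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("openid.mode") != "id_res":
        return None
    # The response must be addressed to this Consumer's own return URL.
    if params.get("openid.return_to") != expected_return_to:
        return None
    # The signature must be made with an association this Consumer actually holds.
    mac_key = associations.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return None
    signed = params.get("openid.signed", "").split(",")
    if not set(SIGNED_FIELDS) <= set(signed):
        return None
    try:
        expected = hmac.new(mac_key, _key_value_form(params, signed), hashlib.sha1).digest()
        given = base64.b64decode(params.get("openid.sig", ""))
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(expected, given):
        return None
    return params["openid.identity"]


def tamper_identity(url, new_identity):
    """What an attacker could do in the browser: swap the asserted identity, keep the signature."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params["openid.identity"] = new_identity
    return parts._replace(query=urlencode(params)).geturl()


if __name__ == "__main__":
    return_to = "http://consumer.example/openid/return"  # assumed Consumer URL
    assocs = {ASSOC_HANDLE: MAC_KEY}
    url = provider_response_url("http://rchodava.myopenid.com", return_to)
    print(consumer_verify(url, return_to, assocs))
    print(consumer_verify(tamper_identity(url, "http://victim.example/"), return_to, assocs))
```

The tampered redirect is rejected because the asserted identity is inside the signed key-value form; a Consumer that read openid.identity without checking openid.sig, the association handle and the return_to would log the attacker in as whoever they named.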

A bit of a correction and a bit on Delegation

I should make a bit of a correction to the description above, because it is not exactly what happens. After I enter my OpenID in Pibb and click sign in, Pibb does not immediately redirect my browser to my OpenID URL. Instead, the Pibb server first fetches my OpenID URL itself (this step is called discovery) and checks whether my identity page contains a tag like the following:

<link rel="openid.server" href="http://www.myopenid.com/server" />

If it is present, this tag tells the Consumer (Pibb) to send the user to the URL in its href for login, rather than to the identity page itself. That is exactly the tag present on my identity page at myOpenID, so Pibb does not redirect me to http://rchodava.myopenid.com but to http://www.myopenid.com/server to do my login.

This is a good place to mention a second special tag that can be present on an identity page:

<link rel="openid.delegate" href="http://someuser.somedomain.com/" />


This tag, together with the "openid.server" tag above, lets you delegate your OpenID. What does this mean? It means you can take any web page you control and use it as your OpenID. For example, if I owned a website like http://ravi.chodavarapu.com, I could add the following two tags to the page at http://ravi.chodavarapu.com:

<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://rchodava.myopenid.com" />


After I have done this, I can use http://ravi.chodavarapu.com as my OpenID. That is, I could have typed that as my OpenID in Pibb. Once I clicked sign in, the Pibb server would have seen those two tags and known that it had to redirect me to http://www.myopenid.com/server and ask that server to log in the user whose OpenID is http://rchodava.myopenid.com. The rest of the process works the same. Note that the page at http://ravi.chodavarapu.com is now the root of my identity: whoever can edit those two tags can point my OpenID at any provider they like, so it has to be served from a host only I control.
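As an added example (not code from the post), here is the discovery step described in this section in Python: it parses an identity page for the openid.server and openid.delegate tags, returns the endpoint to redirect to and the identity to ask the provider about, and builds the first redirect of the login. The two HTML pages are constructed to match the tags quoted above, and the Consumer's return URL and trust root are made-up values.

```python
# Added example, not from the original post: OpenID 1.1 HTML-based discovery
# of the openid.server endpoint and the optional openid.delegate identity.
from html.parser import HTMLParser
from urllib.parse import urlencode


class _OpenIDLinkParser(HTMLParser):
    """Collects the OpenID <link rel="..." href="..."> tags found in a page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = {k: v for k, v in attrs if v is not None}
        # rel may carry several space-separated tokens; the first matching tag wins.
        for rel in attrs.get("rel", "").lower().split():
            if rel in ("openid.server", "openid.delegate") and rel not in self.links:
                self.links[rel] = attrs.get("href", "").strip()


def discover(claimed_id, html):
    """Return (server_url, identity_to_assert) for a claimed OpenID URL.

    server_url is None when the page has no openid.server tag, in which case the
    Consumer cannot log this user in. Without an openid.delegate tag the identity
    sent to the provider is the claimed URL itself.
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server") or None
    identity = parser.links.get("openid.delegate") or claimed_id
    return server, identity


def checkid_setup_url(claimed_id, html, return_to, trust_root):
    """Build the URL the Consumer redirects the browser to for step 2 of the login."""
    server, identity = discover(claimed_id, html)
    if server is None:
        raise ValueError("no openid.server tag on %s" % claimed_id)
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in server else "?"
    return server + sep + urlencode(params)


# Constructed sample pages (not fetched from the real sites).
MYOPENID_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body>rchodava</body></html>"""

DELEGATING_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://rchodava.myopenid.com" />
</head><body>Ravi's home page</body></html>"""

if __name__ == "__main__":
    print(discover("http://rchodava.myopenid.com", MYOPENID_PAGE))
    print(discover("http://ravi.chodavarapu.com", DELEGATING_PAGE))
    # Assumed Consumer URLs, not Pibb's real ones.
    print(checkid_setup_url("http://ravi.chodavarapu.com", DELEGATING_PAGE,
                            "http://consumer.example/openid/return",
                            "http://consumer.example/"))
```

For the delegating page the redirect goes to myOpenID's server with openid.identity set to http://rchodava.myopenid.com, exactly as the text describes; a page with no openid.server tag cannot be used as an OpenID at all.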

Summing it up

Having gone through that long explanation, let me try to end by describing OpenID in the concise but loaded terms many other sites start with:


  • OpenID is an identity system which lets you authenticate on the web

  • Your OpenID is a URL, just like any other resource on the web

  • OpenID is a single sign-on system (you sign in only with your Identity Provider, and every Consumer relies on that sign-in)

  • OpenID is open and decentralized. Pibb was just one example of a Consumer - anyone who implements a Consumer based on the specifications can support OpenID in their own right! Same with an Identity Provider - myOpenID is only one example of an OpenID provider. Anyone who implements the requirements of a provider as described in the specs can become a provider.



Where to go from here

The official site
I want my OpenID!

Note: In some of the screenshots above, the actual layout of the sites was changed a bit for brevity/bringing focus to the right areas.
