What is OpenID?

It is quite common to ask What is OpenID. OpenID is a decentralized authentication system to login using credentials from OpenID providers. Many years ago, we published a guide on How to use your domain name as OpenID. With time, many things has been changed, so we will start the topic on OpenID. Recently, we published another tutorial on LDAP Server. Together or alone they can be used for authentication. OpenID is a Foundation, OpenID allows a user to login with only so-called OpenID (that is an URL, in this context also called identifier), without a user name and password for all the supporting sites,relying parties to register.

Basic Principle To Understand What is OpenID

To Login with OpenID, an OpenID identity is required. Such identity is provided by an OpenID provider. Due to the decentralized architecture of OpenID there are many different OpenID providers. Since the protocol is open, implementations exist in many programming languages. Exclusively under open source license, the software can be installed on a dedicated server. Thus, it is possible for anyone to be the OpenID provider.

An OpenID is in the form of a URL. Usually, the user name is a subdomain of the OpenID provider: abhishek.thecustomizewindows.com. Some vendors also use the user name as a path in the URL : thecustomizewindows.com/abhishek. To be independent with OpenID from a specific provider, it is recommended that wherever possible a unique URL should be used as OpenID. This approach is called delegation. Websites which supports OpenID as a login process can continue to offer a classic login (user with password) in addition to OpenID login, or waive the classic logon. In the latter case, no functions have to be like “Forgot password” will be implemented, it represents on the part of the website operator that no longer usernames and passwords will be stored on the server. This is an effort for shifting the identity management to the OpenID provider, it is thus also decentralized.

Usage of OpenID

From small blogs and web portals to industry giants have implemented the standard and ensure a wide dissemination. Yahoo has implemented a support, other companies like Google, AOL, Blogger, Flickr, Hyves, LiveJournal, Microsoft (provider name Microsoft account), Mixi, Myspace, Novell, Orange, Sears, Sun, Universal Music Group, VeriSign, WordPress, Yahoo!, GitHub, Last.fm, Linkedin, and Twitter are also behind the standard and partially already use them. Thus, the number of active accounts rises to 368 million (January 2008). The current version of OpenID is OpenID 2.0, finalized and published in December 2007.

The technology of OpenID is vulnerable against phishing attacks. This is due to the fact that a redirection to the page of the OpenID provider is necessary. As the operator of a site that uses OpenID to login, one can easily create a redirection page that resembles the provider side, but as a proxy serves and passes the username and password to the operator.

However, for the user it is easier to validate a login page for authenticity using the OpenID architecture, because they have to remember only one login page. The OpenID provider also provide more security by about cookies, show an individual picture, compare the HTTP Referrer with the IP of the requester or by a client-side TLS certificate for authentication. Especially the latter is supported by more and more providers.

In February 2014 the OpenID Foundation released OpenID Connect as an authentication layer that sits on top of the OAuth 2.0 authorization framework. OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. The term REST-like manner indicates that the software architectural style within the distributed hypermedia system adheres to a coordinated set of architectural constraints applied to the components, connectors, and data elements. In technical terms, OpenID Connect specifies a RESTful HTTP API, using JSON as a data format.