How OpenID works

[giza]

Explained in two simple pictures:


(Images courtesy of the Coding Horror blog)

Any questions?

Really, OpenID is merely a way for a third party (Google, Twitter, Facebook, etc.) to tell the site you are visiting that you are in fact a specific user on that service.

Want to try logging into a site with OpenID credentials to see how it works? You can try that out on Anthrocon's site. I've got OpenID working over on PA-Furry.org, too!

Comments

[shockwave77598.livejournal.com]

I do not trust OpenID and I will never use it. Yes, a simple cookie sets my ID. But suppose my laptop gets stolen. Now this guy not only has all my sites and bookmarks, but is automatically logged in as me without even having to try to hack a password. And how do I turn that OpenID off when someone steals my laptop so the thief cannot impersonate me?

[giza.livejournal.com]

How is this different from being left logged into regular sites and your laptop gets stolen?

In the above scenario you describe, you log out of Twitter/Facebook/etc. from another terminal which should (in theory) kill any sessions you have. You then log back in and change your password for good measure.

If you want to have the ability to turn off your own OpenID, set up delegation. View the source of the page at http://www.dmuth.org/openid/ for an example of how easy this is to do. I use that OpenID to log into sites with. If something happens to my computer or laptop, my "emergency escape hatch" would be to remove that page until I get things locked down.

[shockwave77598.livejournal.com]

Simple: I don't stay logged in to any sites, and I have the computer set to not automatically log me in. The user name is auto- the password is not.

And I'm afraid I don't understand the instructions. I looked at the source and followed the stackoverflow link which directs me to add something to my google profile. Um... what google profile? I have a google profile, like it or not?

[giza.livejournal.com]

Did you go to http://www.google.com/profiles and click "view my profile"? (assuming you were logged in)

[zeeth_kyrah]

If you have Gmail, or use another Google service where you login, you have a Google account and thus a Google profile. It doesn't have to be public or even used, it's there.

[neillparatzo.livejournal.com]

What if I don't want the site I'm visiting to know that I'm a user on Google, or more importantly, vice versa? They track me enough as it is.

[giza.livejournal.com]

Use another OpenID provider, such as LJ?

[neillparatzo.livejournal.com]

such as SUP Fabrik?

Not that OpenID isn't a neat system, from a site admin point of view - instantly gain a large set of users by honoring an offsite form of authentication. But the whole idea of integrated identity is anathema to privacy. In recent years I've been a lot more conscious as to how much data I'm allowing to leak to which companies.

[giza.livejournal.com]

Maybe there's market for companies that offer "disposable OpenIDs" much like some credit card companies offer disposable card numbers that are tied to your real credit card number.

[furahi.livejournal.com]

Wouldn't a more straightforward example be Livejournal? ;D

[greenreaper.livejournal.com]

LJ's OpenID implementation is kinda messed up. It advertises support for 2.0, but doesn't support items sent via POST, which breaks support in the Drupal OpenID module. I had to hack the module to only send OpenID 1.x GET requests for LJ.

[hartree.livejournal.com]

So...

You're saying that if I log in with OpenID, my computer's stack will overflow in an exploitable way, and all of my Visa, Plus, Mastercard, etc, accounts will be transferred to Google, Yahoo, AOL, etc?

I admit it's a more direct wealth transfer system, but the more obscure and more gradual current wealth transfer system is less disconcerting. Though it admittedly results in the same thing.

[greenreaper.livejournal.com]

The idea is that the initial site never gets your credentials, or access to your account elsewhere - just confirmation from the authenticating site that you're a valid user, and perhaps some information like your name and picture (if it is setup to do that). That way you don't have to be entering passwords into sites that you don't trust.

[hartree.livejournal.com]

There's an old usenet saying that no humor can be so blatant that someone on the net won't take it seriously. ;)

[greenreaper.livejournal.com]

Well, you are a fox - Is it right to assume you understand the intricacies of third-party authentication. ;-)

[hartree.livejournal.com]

Alice, Bob, Trent and Eve are all old friends of mine, yes. :)

[foxcutter.livejournal.com]

Funny you should bring up OpenID and the StackOverflow family of sites. I've been making a lot of use of one for the last... oh 6 or so days, and I've found the use of OpenID has made it rather easy to use, more so as I can set up my account with two possible providers. Makes management easier.