OpenID is an open standard for decentralized authentication on the internet that allows users to log in to multiple websites using a single digital identity. It works by allowing a user to log in with their OpenID and granting websites temporary access to basic profile data, without sharing their password. When a user wants to log into a new website, they can choose to log in with OpenID and will be redirected to confirm login and which profile details to share with that website.
2. What is OpenID?
• "OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman)"
• An ID is a URI or XRI
• Federated SSO, not delegated SSO (as in Facebook Connect or Sign-In with Twitter)
3. History
• 1.0 (5/2005) Original specification by Brad Fitzpatrick
• 1.1 (5/2006) First revision by Brad Fitzpatrick and David Recordon
• 2.0 (12/5/2007) Significant changes
  • Added directed identity, extensions, nonces, SHA256 support
  • Versioned
  • Yadis for discovery
4. Terminology
• Identifier (URI or XRI)
• End User (EU)
• Relying Party (RP, Consumer)
• OpenID Provider (OP, Identity Provider, IdP, Server)
• OP Endpoint URL
5. Simple Overview
• End User presents an identifier to a RP, claiming to own it
• RP directs the end user to the OP to log in and authorize
• End User is directed back to RP, who verifies the claim
6. A closer look
• EU supplies identifier to RP
• RP performs discovery on the EU-supplied identifier
• RP optionally creates an association (shared secret) with OP
• RP builds auth request URL and redirects EU to it
• EU logs in to OP, authorizes the request, is redirected back to RP
• RP receives auth response, and verifies the assertion
10. OpenID Protocol Messages
• All OpenID messages are key/value pairs
• Indirect requests are GET parameters
• Direct requests use POST
• Response KV format for direct requests is "key:value\n"
• Keys contain the 'openid.' prefix, as in "openid.claimed_id"
11. OpenID Modes
• associate (direct communication)
  • Optional, but recommended
  • Establish a shared secret between RP and OP
• checkid_immediate (indirect communication)
  • OP should not interact with EU
• checkid_setup (indirect communication)
  • OP should interact with EU
• check_authentication (direct communication)
  • Verify an assertion directly with OP (no association)
12. Associations
• Uses the Diffie-Hellman protocol for establishing shared secrets over unencrypted transports (HTTP)
• sha1 or sha256
• Can use "no-encryption" if the connection is over HTTPS
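As an added example (not code from these slides, and not from any of the libraries named later), a Python sketch of the RP side of the two slides above: parsing the "key:value\n" form of a direct associate response, and verifying the OP's signed assertion with the association's MAC key (sha1 or sha256), including the check that the fields the 2.0 spec requires to be signed are actually under the signature. The endpoint URLs, handle, nonce and MAC key are constructed sample values; `sign_assertion` stands in for the OP so the example runs offline.

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires to be signed in a positive assertion (spec 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def parse_kv_form(body: str) -> dict:
    """Parse the 'key:value\\n' Key-Value Form used by direct responses."""
    fields = {}
    for line in body.split("\n"):
        if line:
            key, value = line.split(":", 1)  # a value may itself contain ':'
            fields[key] = value
    return fields

def signed_message(fields: dict) -> bytes:
    """What the OP signs: openid.signed fields, in order, in KV form, prefix stripped."""
    keys = fields["openid.signed"].split(",")
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys).encode()

def sign_assertion(fields: dict, mac_key: bytes, assoc_type: str) -> dict:
    """OP side (stand-in): add openid.sig, a base64 HMAC over the signed fields."""
    mac = hmac.new(mac_key, signed_message(fields), DIGESTS[assoc_type]).digest()
    return {**fields, "openid.sig": base64.b64encode(mac).decode()}

def verify_assertion(fields: dict, mac_key: bytes, assoc_type: str) -> bool:
    """RP side: required fields must be signed and the HMAC must match (constant-time)."""
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed) or "openid.sig" not in fields:
        return False  # an unsigned claimed_id or return_to could be swapped by anyone
    try:
        provided = base64.b64decode(fields["openid.sig"], validate=True)
        expected = hmac.new(mac_key, signed_message(fields), DIGESTS[assoc_type]).digest()
    except (KeyError, ValueError):  # signed field missing from response, or bad base64
        return False
    return hmac.compare_digest(expected, provided)

# Constructed sample: a stored associate response (KV form) and one assertion.
ASSOC = parse_kv_form("assoc_handle:demo-handle\nassoc_type:HMAC-SHA256\n"
                      "mac_key:" + base64.b64encode(b"k" * 32).decode() + "\n")
MAC_KEY = base64.b64decode(ASSOC["mac_key"])
ASSERTION = sign_assertion({"openid." + k: v for k, v in {
    "signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
    "op_endpoint": "https://op.example/endpoint", "return_to": "https://rp.example/finish",
    "response_nonce": "2009-01-01T00:00:00Zabc", "assoc_handle": ASSOC["assoc_handle"],
    "claimed_id": "https://alice.example/", "identity": "https://alice.example/",
}.items()}, MAC_KEY, ASSOC["assoc_type"])
```

A real RP must additionally check that `openid.return_to` matches its own URL, that the nonce has not been seen before, and that `openid.op_endpoint` is the endpoint discovery produced for the claimed identifier; none of that is covered by the signature check alone.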
13. Extensions
• Officially supported in 2.0
• Does not require an identifier
• Popular extensions
  • Simple Registration (SREG)
  • Attribute Exchange (AX)
  • OpenID OAuth Extension (OAUTH)
  • Provider Authentication Policy Extension (PAPE)
  • User Interface (UI)
17. OpenID Libraries
• PHP
  • JanRain (openidenabled.com), very complete
  • PEAR (RP support only as of this writing)
  • Zend Framework
  • CakePHP
• Python
  • JanRain (openidenabled.com)
• Ruby, C#, C++, Perl, Java, ColdFusion, Apache 2