OpenID is Just Too Easy
Posted by Trejkaz Sat, 12 Aug 2006 14:47:03 GMT
First, I should add a little background for people not already in the know.
OpenID is a decentralised identity system, the general idea being that different sites can authenticate with each other, so that as a user, you need only ever log in to a single web site. It has been designed to keep things simple, at least from the user’s point of view. Although a lot of clever cryptography happens under the hood, the user is never exposed to it (although concerned users can certainly go and read the specs if they are worried about how it’s implemented).
The protocol was created by Brad Fitzpatrick of LiveJournal fame, and indeed, LiveJournal was the first major service to support the protocol.
Whereas protocols such as Passel may be more flexible by supporting proof of identity using multiple means – whether it be email, instant messaging, or whatever – OpenID has the immediate benefit of being implementable today, without modifying the web browser itself.
A while back, there was mention on the Typo mailing list that someone was adding support for users to authenticate using OpenID when leaving comments on the weblog. There was also some talk about how awesome it would be if Typo could also act as an OpenID server in its own right. It would mean that every separate deployment of Typo would have its own OpenID service built-in – this is the sort of true decentralisation which OpenID was designed to permit.
But instead of waiting until the code ended up in Typo, I was actually considering setting up my own OpenID service. If I put it on some sensibly-chosen URL, it may even turn out to be the same as the URL Typo came up with. One such URL might be http://trypticon.org/users/trejkaz, which might also serve as a page showing the user’s profile and contact information – it may even list articles written by that user. If I were to set up a server, then as Typo weblogs started rolling out support for OpenID commenting, I would be able to use the feature on other people’s blogs without having to wait for the server to be implemented in Typo itself (a much more complex task, or so I’m led to believe.)
Unfortunately, it turned out to be a bit difficult to set one up because when I went looking, there was no simple, ready-to-use OpenID server that I could find bundled up in a friendly fashion. But the good news is, I discovered that you can achieve the same sort of effect with much less work, and all you have to do is sacrifice some of the decentralised nature of the service.
I’ll present my guide to getting this working as a tutorial in three steps. It’s much easier than you might imagine.
Step 1: Sign up for an OpenID service
The first thing you need is an OpenID service – any OpenID service. Aside from LiveJournal, there are a multitude of other services to pick from (isn’t choice great?). Here are but a few of your options if you don’t want to use LiveJournal:
- MyOpenID – a simple, no frills OpenID service;
- GetOpenID – another simple OpenID service;
- TypeKey – originally just a centralised identity system, but added OpenID support later on so now it’s a legitimate OpenID service;
- Videntity – a somewhat interesting service which also supports generating a VCard from your profile.
There are many other options, a larger list of which can be found on the OpenID wiki.
I ended up choosing MyOpenID, because I didn’t particularly need any extra features as long as the service was secured by TLS (which most will be – beware of ones which are not). When choosing between MyOpenID and GetOpenID, I chose purely on the basis that the “My” felt more “personal” at the time.
Hint: If you want to get through these instructions with the minimal amount of work, choose MyOpenID for yourself as well. If you do this, you won’t need to think so often while performing the next step in the instructions.
Once you have chosen the service you wish to use, signup should be pretty straightforward – it will most likely work just like every other web-based registration form you’ve already used.
Step 2: Modify your web site
The second thing you need to do is modify your web site.
You will need to pick a URL for the service to work on. This URL will be your OpenID “Identity URL” (get familiar with this term – you’ll be seeing it a lot.) In my case, I made the changes to my theme layout, which is then applied to every page on my entire weblog. If you do something similar to this, all URLs on your site will be valid identity URLs, but they will all delegate to the same user account on your OpenID service. It may not be a very elegant solution, but it does work.
Once you have located the page which needs to be modified, you will want to insert some extra <link/> tags into its <head> section. Let’s take a look at how that looks, using a simplified version of my own site’s markup as an example:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Trypticon</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link href="/stylesheets/theme/default.css" media="screen" rel="Stylesheet" type="text/css" />
<link href="/stylesheets/theme/local.css" media="screen" rel="Stylesheet" type="text/css" />
<!-- Begin added headers -->
<link rel="openid.server" href="https://www.myopenid.com/server" />
<link rel="openid.delegate" href="https://trejkaz.myopenid.com/" />
<!-- End added headers -->
</head>
<body>
<!-- The rest of your content will be in here. I cut it out for brevity. -->
</body>
</html>
Surrounded by comments for the purpose of labelling, I have added two <link/> elements above, which together perform the delegation to my preferred OpenID service. I will briefly explain these link tags now, as you will need to make some changes for your own site.
<link rel="openid.server" href="https://www.myopenid.com/server" />
If you are using MyOpenID, you don’t need to modify this and can ignore the next two paragraphs.
The “openid.server” link points at the URL on the OpenID service which all requests will go through. In fact, this element always needs to be present, even when not using delegation – it’s how the sites you’re commenting on know which URL to use to ask for authentication.
The URL will of course be different depending on the OpenID service you have chosen (this is why I wrote earlier that if you want to keep things simplest for yourself, you should choose the same service I chose.) If you have chosen a different service you will need to find out what its server URL is. A common way to go about this is to go to your true identity URL (see the explanation of “openid.delegate” below) in a web browser, and view the source of that page. You will find the “openid.server” link tag there, which can be copied into your HTML in its entirety. Alternatively, the service you have chosen may have documentation detailing which URL should go here.
<link rel="openid.delegate" href="https://trejkaz.myopenid.com/" />
This is where the real magic happens. The “openid.delegate” link points to your true OpenID identity (remember, an OpenID identity is, usually, just a URL.) When a site encounters this, it will authenticate you as this URL instead of the URL you entered.
If you are using MyOpenID, then all you need to do is replace the username (here it’s “trejkaz”) with whatever your username is on MyOpenID. If you have chosen a different OpenID service, you will need to insert your identity URL here.
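To make concrete what a relying party actually does with these two tags, here is an added example (not code from the original post, MyOpenID or Typo) of the discovery step: it fetches nothing over the network, but parses a page’s <head> the way a commenting site would, picks out the “openid.server” and “openid.delegate” links, and reports which identity the server will be asked to vouch for. It also performs the cross-check described above, comparing your page’s “openid.server” against the one on your true identity URL, and flags a server that is not behind TLS. The sample HTML is constructed for this example (using the same URLs as the post’s markup); the function names and the “problems” list are my own, not part of any OpenID specification.

```python
# Added example: OpenID 1.x discovery of openid.server / openid.delegate
# as a relying party performs it, plus a consistency check a user can run
# against their own pages before testing live. Not from the original post.
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit


class _HeadLinkParser(HTMLParser):
    """Collects rel -> href for <link> tags found inside <head> only.

    Tags in the body are deliberately ignored: delegation is a property of
    the page owner's template, not of content that appears further down.
    """

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "head":
            self._in_head = True
        elif tag == "body":
            self._in_head = False            # everything after this is ignored
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = (a.get("rel") or "").lower(), a.get("href")
            if href:
                for token in rel.split():    # rel may hold several tokens
                    self.links.setdefault(token, href)   # first tag wins

    def handle_endtag(self, tag: str) -> None:
        if tag == "head":
            self._in_head = False


def discover(identity_url: str, html: str) -> dict:
    """Return the server URL, the identity the server will be asked about,
    and any problems a relying party (or a user testing their own setup)
    would want to know about. 'problems' is this example's own reporting."""
    parser = _HeadLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    delegate = parser.links.get("openid.delegate")
    problems: List[str] = []

    if server is None:
        problems.append("no openid.server link: page is not an OpenID identity URL")
    elif urlsplit(server).scheme != "https":
        problems.append("openid.server is not served over TLS")
    if delegate is not None and urlsplit(delegate).scheme not in ("http", "https"):
        problems.append("openid.delegate is not an http(s) URL")

    # With delegation, the server authenticates the delegate URL; without it,
    # the page's own URL is the identity.
    return {
        "server": server,
        "delegate": delegate,
        "claimed_identity": delegate if delegate is not None else identity_url,
        "problems": problems,
    }


def check_delegation(identity_url: str, site_html: str, delegate_html: str) -> List[str]:
    """Cross-check a delegating page against the delegate's own page: the
    openid.server tag on your true identity URL is the one that belongs in
    your own page's <head>. Returns an empty list when everything agrees."""
    site = discover(identity_url, site_html)
    problems = list(site["problems"])
    if site["delegate"] is None:
        return problems + ["page does not delegate"]
    true = discover(site["delegate"], delegate_html)
    problems += ["delegate page: " + p for p in true["problems"]]
    if true["server"] and site["server"] != true["server"]:
        problems.append(f"openid.server mismatch: page says {site['server']}, "
                        f"delegate page says {true['server']}")
    return problems


# Constructed sample pages, shaped like the markup shown in the post.
SITE_HTML = """<html><head><title>Trypticon</title>
<link rel="openid.server" href="https://www.myopenid.com/server" />
<link rel="openid.delegate" href="https://trejkaz.myopenid.com/" />
</head><body><p>content</p></body></html>"""

DELEGATE_HTML = """<html><head>
<link rel="openid.server" href="https://www.myopenid.com/server" />
</head><body></body></html>"""

if __name__ == "__main__":
    print(discover("http://trypticon.org/users/trejkaz", SITE_HTML))
    print(check_delegation("http://trypticon.org/users/trejkaz", SITE_HTML, DELEGATE_HTML))
```

Running it against the two constructed pages reports `https://trejkaz.myopenid.com/` as the identity that `https://www.myopenid.com/server` will be asked about, and an empty problem list; point `check_delegation` at a delegate page whose server link differs and the mismatch is reported, which is exactly the “mistyped delegate” failure the test step below is meant to catch.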
Step 3: Test it
That’s right, there are really only two steps to actually set up this delegation, but it’s always good to confirm that everything works as expected.
The easiest way to do this is probably to go straight to a site like LiveJournal and try to leave a comment.
Note: While we’re at this stage, it’s probably a good idea to make a quick note regarding privacy. If just any site in the world could determine who is sitting at the computer, what you would end up using would be the world’s best, decentralised tracking cookie! As you don’t want to be tracked everywhere you go, you have to first tell your OpenID service that you wish to allow the site to confirm your identity. This only needs to be done once per site (any more would be cumbersome), however many OpenID services also allow you to let a site check your identity once and once only. It may seem a little inconvenient at first to have to tell each site about the other, but trust me, it’s a good thing.
Once you have given the site permission to check your identity, everything should work.
If it doesn’t work, try commenting again but this time, use your true identity URL. If this works, then you may have mistyped the “openid.delegate” URL. Another possibility is that the service you tried to comment on doesn’t yet support delegation – this is the case with many OpenID demo applications, so using simple demos is a bad idea if you want to perform this test. If your true identity URL doesn’t work, then there is a problem with your OpenID service itself, and you will need to contact your respective service to see what’s going on (or, I suppose, find another service.)
Done!
And there you have it, a nice URL which you control, which you can use to log in on almost any OpenID-capable web site in the world. The number of sites is slowly growing as more and more software adds support for the protocol.
You can move from service to service, and as long as you update the “openid.delegate” link to point to your new identity URL, everything will work as expected. It’s almost as good as running your own OpenID service, but much simpler to set up, even if it somewhat defeats the purpose of having a decentralised system. :-)