Open ID is here

I didn’t have anything thrilling to write about, so I decided to play with the site infrastructure. Now, with some help from the Geeklog gang, this site supports OpenID login. Considering the low level of audience participation here, this is probably more of a learning experience for me than a major benefit for others. But it’s here if you want to use it. And if you don’t know what it is, don’t feel bad, neither did I until recently. But it’s cool.

According to its creators, OpenID “is an open, decentralized, free framework for user-centric digital identity.” Got it? In layman’s terms, it’s a system to avoid the need for a separate userid/password for every website you visit. If you have a userid on a system that provides OpenID service, you can log in to that site and then use your OpenID URI to log in to other OpenID-savvy sites without additional credentials. The site you’re logging in to never sees your password; it sends you to your OpenID provider, which vouches for you and sends you back.

So how do you get this magic OpenID URI? First you need to register with an OpenID provider. If you look at this list of providers, you may find that you’re already signed up. For example, some of the best-known providers are LiveJournal, AOL, and WordPress. Also, for Yahoo customers, there is a proxy system which allows a Yahoo account to be used as an OpenID.

The format of your OpenID URI is dependent on the service that provides it, but it’s usually pretty simple. In many cases, it’s the same as the address that people use to access your site. Example:

  • LiveJournal – http://userid.livejournal.com
  • AOL/AIM – http://openid.aol.com/screenname

If you have an OpenID URI, just enter (or paste) it in the “Login with OpenID” box on the left and click the arrow. If you are already logged in to your OpenID source, you will be logged into this site. If you are not currently logged in to your OpenID source, you will be transferred to that site to log in, and then transferred back here. Way Cool!

One minor syntax detail, which has apparently confuzzled at least one user: the OpenID URI must include the http:// prefix, but that prefix is already filled in in the box. When entering or pasting your URI, make sure that http:// appears once and only once. I’ve seen one example of a complete URI, including the http://, pasted after the http:// that was already there, so the URI that actually got entered was http://http://some.blog.name, which didn’t work.
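
The double-prefix mistake above is something the login form can catch before it ever contacts a provider. The following is an added example, not Geeklog’s code; it assumes the form submits the pre-filled http:// together with whatever was typed after it, so a pasted full URI arrives as http://http://some.blog.name. It collapses stacked prefixes, lowercases the host, and rejects an empty identifier.

```python
"""Normalize a user-typed OpenID identifier at the relying party's login box.

Added example for this post (not Geeklog's code). It assumes the login form
submits the pre-filled "http://" prefix together with whatever was typed or
pasted after it, so a pasted full URI arrives as "http://http://some.blog.name".
"""
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(submitted: str) -> str:
    """Return the canonical http(s) URL for a submitted identifier.

    Raises ValueError for anything that cannot be an OpenID URL identifier.
    Steps: strip whitespace, collapse stacked scheme prefixes (the last one
    typed wins, so "http://https://x" becomes https), lowercase the host,
    default the path to "/", and drop any fragment.
    """
    rest = submitted.strip()
    scheme = "http"
    # Peel off every scheme prefix that was pasted on top of the pre-filled one.
    while True:
        low = rest.lower()
        if low.startswith("http://"):
            scheme, rest = "http", rest[len("http://"):]
        elif low.startswith("https://"):
            scheme, rest = "https", rest[len("https://"):]
        else:
            break
    if not rest:
        raise ValueError("no host given after the http:// prefix")

    parts = urlsplit(f"{scheme}://{rest}")
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        raise ValueError(f"no host in {submitted!r}")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise ValueError(f"bad port in {submitted!r}") from exc
    netloc = host if port is None else f"{host}:{port}"
    # OpenID identifiers never carry a fragment; an empty path means "/".
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def check_examples():
    """Constructed inputs mirroring the post: what the form would submit."""
    return {
        "plain": normalize_identifier("http://userid.livejournal.com"),
        "doubled": normalize_identifier("http://http://some.blog.name"),
        "pasted_https": normalize_identifier("http://https://Example.COM/me#top"),
    }


if __name__ == "__main__":
    for name, url in check_examples().items():
        print(f"{name:13s} -> {url}")
    try:
        normalize_identifier("http://")
    except ValueError as exc:
        print("empty         -> rejected:", exc)
```

Normalizing before discovery also means the same person always ends up with the same identifier in the site’s user table, whether they typed the host in capitals or pasted a URI with a trailing #fragment.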

8 Replies to “Open ID is here”

  1. As for the first suggestion, you simply can’t expect people to supply their e-mail addresses to servers that tell them in bold letters that it’s optional and only needed for server messages. If Geeklog does do it, the “http://” box should also say “(be warned: servers that do not have your e-mail address will NOT be accepted)”.

    As for the second suggestion, I see your point, but it’s illogical to reject the most recommended Open ID server in the world. And once again, if it doesn’t require an e-mail address, I bet other popular Open ID servers don’t either.

  2. Hi, I’m LWC from Geeklog trying Open ID.
    Congratulations, in 2 minutes you made me understand how Open ID works in itself and with Geeklog. I’m glad you wrote that trackback in Geeklog.
    You should know though it took me to your main page and deleted the comment I started writing before clicking log in. The main Open ID site says logging in should take me back right into my half written comment.
    Now tell me this, what should happen if you click my name and e-mail me? After all, Geeklog has no idea what my e-mail address is since I’m a remote user! I’ve tried e-mailing myself here and it was supposedly sent.
    Finally, can you tell me what will happen if I create this username in another 100 Open ID servers? Or do they do a live check on every Open ID server in the world for existing users?

  3. The only Openid server that is checked is the one in the URL you provide. In your case, you used the URL bugmenot.openid.com. So that URL would be checked. No other servers will be checked.

    The email address may be a bug in the Geeklog implementation. When I log on with my OpenID, I get a verification page from my OpenID server saying that the requesting site requires the email address associated with my openid. If your openid account doesn’t have an email address associated with it, the server obviously can’t provide it. I’m not sure why you are allowed to login without one.

  4. First of all, this is a Geeklog bug that it allows sending e-mail to people without one.

    Secondly, myopenid.com, which is Geeklog’s official recommendation, says an e-mail address is only optional. But even if I did supply one, what if I changed it later? Would Geeklog update its own database with the new address?

    If each OpenID server is a world of its own, imagine what if I registered to hundreds of sites using, say, myopenid.com and then it goes out of business. I would have to join another server and lose my login in hundreds of sites. Not to mention that if it gets hacked, someone else would own all of those logins.

  5. Re: the email address issue

    OpenID certainly raises some new questions for Geeklog. Prior to OpenID, anybody who registered with a Geeklog site had to provide a working email address, and that address had to be verified before the userid was created. So the Geeklog email function apparently assumes that any userid has an email address which was functional when the userid was created (although it may no longer be functional). So it apparently doesn’t bother to check for the existence of an email id when providing the option to email a user.

    With OpenID, things get more fuzzy. Geeklog apparently “requires” the OpenID server to provide an email address, but then apparently doesn’t check to see if one was actually provided. It probably should do that. But then should it require confirmation to verify that the address is valid, like it does for local users? That would certainly be more reliable, but it also reduces some of the convenience of OpenID. Obviously, it’s not safe to assume that the OpenID server has validated the address, because anybody can set up an Openid server that behaves however they want it to.

    I wasn’t aware that openid.com was Geeklog’s “official recommendation”. It seems that recommending a specific server is contrary to the purpose of OpenID. It also seems that recommending a server which allows IDs to be created without email addresses, when Geeklog “requires” them, is even worse.

    The possibility of losing your openid if your server goes out of business, or gets hacked, is a good reason to be choosy about your server. It’s really similar to choosing an email provider. If you have an email address, and give it out to hundreds of people, and then that service goes out of business or gets hacked, you have a major problem. That’s why I run my own email server and my own openid server.

    You can reduce the risks by using the “delegation” feature of OpenID. It’s really cool. It allows you to use a URL for your Openid logons, and then have that URL delegate the actual identification process to another service. So you could set up a webpage anywhere you want to use as your openid URL. It doesn’t matter whether that site actually has an openid server, as long as you are allowed to update the HTML on your page to include a delegation. For example, you have a webpage at bugmenot.dummysite.com. You use that for your openid URL. Inside that page, you include code that says openid service is delegated to bugmenot.realopenidserver.com (see the Openid doc for exact syntax). If something happens to realopenidserver.com, you can set up a new account at newopenidserver.com. Then you just change your page at dummysite.com to point to newopenidserver.com and voila, all the sites where you registered with the dummysite.com URL will now query newopenidserver.com when you login.
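
The delegation mechanism in the comment above, as an added example that is not part of the original post and not Geeklog’s or any OpenID library’s code. It shows the <link> tags the user puts in their own page and the discovery step a relying party performs to follow them. The hostnames bugmenot.dummysite.com, realopenidserver.com and newopenidserver.com are the hypothetical ones from the comment, and the “/server” endpoint paths are made up here.

```python
"""HTML-based OpenID discovery with delegation.

Added example for the comment above; it is not Geeklog's code or any OpenID
library's. The hostnames (bugmenot.dummysite.com, realopenidserver.com,
newopenidserver.com) are the hypothetical ones used in that comment, and the
"/server" endpoint paths are made up for the example.
"""
from html import escape
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if rel and href:
            # rel may list several tokens; the first link for a token wins.
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def discover(claimed_url, html):
    """Return (provider_endpoint, identity_to_assert) for the page at claimed_url.

    OpenID Authentication 2.0 pages use <link rel="openid2.provider"> and,
    when delegating, <link rel="openid2.local_id">; 1.1 pages use
    "openid.server" and "openid.delegate". The local_id/delegate value is the
    identifier the provider actually knows; without it the claimed URL is sent.
    """
    p = _LinkCollector()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id", claimed_url)
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate", claimed_url)
    raise ValueError(f"{claimed_url} carries no OpenID provider link")


def delegation_page(provider, local_id):
    """The markup a user puts on their own page to delegate to a provider.

    Both the 2.0 and the 1.1 link pairs are emitted so either kind of relying
    party can follow the delegation.
    """
    provider, local_id = escape(provider, quote=True), escape(local_id, quote=True)
    return (
        "<html><head>\n"
        f'<link rel="openid2.provider" href="{provider}" />\n'
        f'<link rel="openid2.local_id" href="{local_id}" />\n'
        f'<link rel="openid.server" href="{provider}" />\n'
        f'<link rel="openid.delegate" href="{local_id}" />\n'
        "</head><body>my page</body></html>\n"
    )


# Constructed sample pages: the same identity URL before and after its owner
# moves from realopenidserver.com to newopenidserver.com.
CLAIMED = "http://bugmenot.dummysite.com/"
PAGE_BEFORE = delegation_page("http://realopenidserver.com/server",
                              "http://bugmenot.realopenidserver.com/")
PAGE_AFTER = delegation_page("http://newopenidserver.com/server",
                             "http://bugmenot.newopenidserver.com/")


def move_demo():
    """Discovery against the page before and after the delegation is changed."""
    return discover(CLAIMED, PAGE_BEFORE), discover(CLAIMED, PAGE_AFTER)


if __name__ == "__main__":
    before, after = move_demo()
    print("before:", before)
    print("after: ", after)
```

Two checks matter on the relying-party side: the identity in the provider’s signed answer must equal the local_id/delegate that discovery returned, and the answer must come from the endpoint discovery returned, not from whatever endpoint the response names. The flip side of delegation is that the identity page is now a credential: anyone who can inject markup into its head (shared hosting, a sloppy HTML editor, a stored XSS) can point your logins at a provider they control.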

  6. It’s so annoying the login takes me to your main page.

    Wow, you really know a lot about Open ID, don’t you? Are you involved with its coding in Geeklog? I sure hope you are.

    As for the “official” recommendation, that’s the only link they have in their story about Open ID…but I think it’s only because that site is perhaps the most recognized Open ID server in the world. It’s at least the first on the list in openid.net. So according to your very own logic, it’s exactly the reason to stick with it! I think it’s safe to assume most Geeklog users would use this site (unless they change the story and urge everyone to “use anything but…”). There is a downside for not having a central figure to control Open ID and for example enforce e-mail addresses.

    So if even this most mainstream server lets the e-mail address’ field be optional, it’s probably the norm and there’s nothing you and Geeklog can do about it, except boycott Open ID altogether.

    You haven’t told me what happens if I change my full name or address in the server. Will Geeklog check for that in my next log in and always be kept updated?

  7. I don’t really know a lot about Open ID. I’m just somebody who thought it seemed like a cool idea and read enough about it to get it working with a lot of code written by others.
    I’m not involved with its coding in Geeklog. I’m an aging dinosaur struggling to learn just enough about new technology to keep up with the stuff the whizkids are cranking out. If I write 10 lines of PHP, I have to consult the reference documentation 20 times.
    There are actually lots of things that Geeklog, or any other Openid "consumer", could do about the lack of valid email address provided by the Openid server. Whether or not any of those things actually get done depends on the people writing the code.
    One obvious possibility would be to reject any id which does not contain the required information. Based on my own observation (which is not always 100% accurate), the protocol seems to allow for the consumer to tell the server what information it would like to have, and what is required. It would seem logical for the consumer to then reject any id which does not contain the required info. The Geeklog consumer code, as currently written, does not seem to do that. It says it "requires" email address, and then accepts an id without one. In my opinion, that should change.
    But requiring an email address just means you’ll get something that looks like an email address. It does not necessarily mean it will be correct. A possible solution to that would be a confirmation email, as is currently done for local users. Again, that’s something that Geeklog COULD do about the problem. Whether they WILL is up to them.
    Another possible solution is to set up a list of "trusted" OpenID providers, ones who are well-known to require valid information from their users. Requests from these providers could be accepted. Requests from others could be rejected, or held for review. This would be similar to the SSL certificate system, where browsers have a list of trusted certificate authorities, and certificates issued by them are accepted, and others are questioned.
    And complaining that I "haven’t told you" something irritates me just a little. It’s not my job to know everything about how this works. I would suggest reading the code and/or doing some testing if you need to know more than I am able to tell you.
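
The consumer-side options sketched in the reply above (treat a “required” field as actually required, fall back to an email confirmation, keep a list of trusted providers), as an added example that is not part of the original thread and not Geeklog’s code. It uses the OpenID Simple Registration (sreg) parameters as a consumer would send and receive them; the trusted-provider hostnames, endpoint paths and sample responses are constructed for illustration, and the check assumes the assertion’s signature has already been verified.

```python
"""Consumer-side enforcement of "required" Simple Registration (sreg) fields
plus a trusted-provider list, as sketched in the comment above.

Added example, not Geeklog's code. The hostnames in TRUSTED_PROVIDERS, the
endpoint paths and the sample responses are constructed for illustration.
`decide` is meant to run only after the assertion's signature has been
verified against the provider's key.
"""
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("email",)
OPTIONAL_FIELDS = ("nickname", "fullname")
# Hypothetical allowlist of providers known to verify addresses themselves.
TRUSTED_PROVIDERS = {"www.myopenid.com"}


def sreg_request_params(required=REQUIRED_FIELDS, optional=OPTIONAL_FIELDS):
    """sreg parameters added to the checkid_setup redirect.

    The consumer names which fields it requires and which it would like;
    whether the provider honours "required" is entirely up to the provider.
    """
    return {
        "openid.sreg.required": ",".join(required),
        "openid.sreg.optional": ",".join(optional),
    }


def _looks_like_email(value):
    """Cheap syntax check: "required" only guarantees something that looks right."""
    local, sep, domain = value.partition("@")
    return bool(sep and local and "." in domain and " " not in value)


def decide(response, provider_endpoint, required=REQUIRED_FIELDS,
           trusted=TRUSTED_PROVIDERS):
    """Classify a signature-verified positive assertion.

    Returns (verdict, detail):
      ("reject", missing)       a required field is absent, unsigned or malformed
      ("accept", email)         required data present and the provider is trusted
      ("confirm-email", email)  present but from an unknown provider: send a
                                confirmation mail before treating it as valid
    Only fields listed in openid.signed count. An unsigned sreg value could
    have been appended by whoever built the redirect back to this site.
    """
    signed = set(response.get("openid.signed", "").split(","))
    missing = []
    for field in required:
        value = response.get(f"openid.sreg.{field}")
        if not value or f"sreg.{field}" not in signed:
            missing.append(field)
        elif field == "email" and not _looks_like_email(value):
            missing.append(field)
    if missing:
        return "reject", missing
    email = response.get("openid.sreg.email")
    if urlsplit(provider_endpoint).hostname in trusted:
        return "accept", email
    return "confirm-email", email


# Constructed sample responses (only the fields this check looks at).
GOOD = {"openid.mode": "id_res",
        "openid.signed": "mode,identity,return_to,sreg.email",
        "openid.sreg.email": "someone@example.com"}
UNSIGNED = {"openid.mode": "id_res",
            "openid.signed": "mode,identity,return_to",
            "openid.sreg.email": "someone@example.com"}
ABSENT = {"openid.mode": "id_res",
          "openid.signed": "mode,identity,return_to"}


def demo():
    """Run the four cases a consumer will actually meet."""
    return {
        "trusted": decide(GOOD, "https://www.myopenid.com/server"),
        "unknown": decide(GOOD, "http://realopenidserver.com/server"),
        "unsigned": decide(UNSIGNED, "https://www.myopenid.com/server"),
        "absent": decide(ABSENT, "https://www.myopenid.com/server"),
    }


if __name__ == "__main__":
    print(sreg_request_params())
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The allowlist plays the same role as a browser’s list of certificate authorities, and has the same weakness: it says nothing about an individual account, only that the provider is one whose address checks you are willing to rely on. Everyone else gets the confirmation mail that local users already get.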

  8. I now have a CAPTCHA plugin that should support OpenID (any remote user). If you want to give it a try, grab the latest development snapshot from http://www.gllabs.org (Source menu link). This version also does away with PHP sessions and uses a custom DB solution, so it seems to play nicer with folks that have cookies disabled.

    Thanks!
    Mark
