OpenID is a great concept but what I don’t like is that I tie myself to a specific identity provider. Suppose the provider goes out of business or doesn’t support OpenID anymore. Of course, I could set up my own private identity provider but I’m lazy and I don’t want to run a security-critical service on my own server. Fortunately, there’s an alternative: OpenID’s authentication delegation.
Using my own domain, I can define a personal identifier (let’s say http://example.com/matthias/) that delegates to a real identity provider. All I need is an HTML page on the public internet with some OpenID metadata that refers to an identity provider. The relying party (OpenID speak for the service I want to authenticate to) associates me with http://example.com/matthias/ and I can switch identity providers as I see fit.
Let’s have a look at an example. I want to use my WordPress blog as my identity provider so I can use my existing Google account to log into OpenID-enabled services like Stackoverflow. All I need is a bit of metadata at http://example.com/matthias/:
<html> <head> <link rel="openid.delegate" href="http://unmaintainable.wordpress.com/" /> <link rel="openid.server" href="http://unmaintainable.wordpress.com/?openidserver=1" /> </head> <body> <!-- ... --> </body> </html>