OpenID Delegation

OpenID is a great concept but what I don’t like is that I tie myself to a specific identity provider. Suppose the provider goes out of business or doesn’t support OpenID anymore. Of course, I could set up my own private identity provider but I’m lazy and I don’t want to run a security-critical service on my own server. Fortunately, there’s an alternative: OpenID’s authentication delegation.

Using my own domain, I can define a personal identifier (let’s say http://example.com/matthias/) that delegates to a real identity provider. All I need is an HTML page on the public internet with some OpenID metadata that refers to an identity provider. The relying party (OpenID speak for the service I want to authenticate to) associates me with http://example.com/matthias/ and I can switch identity providers as I see fit.

Let’s have a look at an example. I want to use my WordPress blog as my identity provider so I can use my existing Google account to log into OpenID-enabled services like Stackoverflow. All I need is a bit of metadata at http://example.com/matthias/:

<html>
<head>
  <!-- openid.delegate: the identifier the provider actually knows me by -->
  <link rel="openid.delegate" href="http://unmaintainable.wordpress.com/" />
  <!-- openid.server: the provider's OpenID endpoint the relying party talks to -->
  <link rel="openid.server" href="http://unmaintainable.wordpress.com/?openidserver=1" />
</head>
<body>
  <!-- ... -->
</body>
</html>
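To show what a relying party does with that page, here is an added example (my own code, not from the post or from WordPress.com) of HTML-based discovery in Python using only the standard library. It goes slightly beyond the post: besides the OpenID 1.x relations `openid.server` and `openid.delegate` shown above it also recognises the OpenID 2.0 names `openid2.provider` and `openid2.local_id`, preferring 2.0 when both are present, and it only honours links inside `<head>`, as the spec requires. The sample HTML is constructed from the post's metadata; the function names and the `.invalid` URL are my own. The last function is the check a relying party must not skip: the provider's assertion is only accepted if it names the discovered local identifier and comes from the discovered endpoint, while the user is always bound to the claimed identifier (the delegating page's URL), never to the delegate.

```python
"""HTML-based OpenID discovery for a delegating identifier (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link relations for HTML discovery: OpenID 2.0 first, then the 1.x names
# used in the page above. A relying party prefers 2.0 when both are present.
DISCOVERY_RELS = (
    ("2.0", "openid2.provider", "openid2.local_id"),
    ("1.x", "openid.server", "openid.delegate"),
)


class _HeadLinkParser(HTMLParser):
    """Collects <link rel=... href=...> elements found inside <head> only."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False
        self.links = []  # list of (set of rel tokens, href)

    def handle_starttag(self, tag, attrs):
        if self.head_done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.head_done = True  # anything after <head> is ignored
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel = set((a.get("rel") or "").lower().split())
            href = (a.get("href") or "").strip()
            if rel and href:
                self.links.append((rel, href))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.head_done = True


def _first_href(links, rel):
    for rels, href in links:
        if rel in rels:
            return href
    return None


def _check_http_url(url, what):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{what} must be an absolute http(s) URL: {url!r}")
    return url


def discover(claimed_id, html):
    """Return protocol version, provider endpoint and local identifier."""
    parser = _HeadLinkParser()
    parser.feed(html)
    parser.close()
    for version, provider_rel, local_rel in DISCOVERY_RELS:
        provider = _first_href(parser.links, provider_rel)
        if provider is None:
            continue
        # Without a delegate link the claimed identifier is the local identifier.
        local_id = _first_href(parser.links, local_rel) or claimed_id
        return {
            "protocol": version,
            "claimed_id": claimed_id,
            "provider": _check_http_url(provider, "provider endpoint"),
            "local_id": _check_http_url(local_id, "local identifier"),
        }
    raise ValueError("no OpenID provider <link> found in <head>")


def assertion_is_consistent(discovery, asserted_identity, responding_endpoint):
    """Accept a positive assertion only if it matches what discovery yielded.

    Otherwise any provider could claim any identifier for the user.
    """
    return (asserted_identity == discovery["local_id"]
            and responding_endpoint == discovery["provider"])


# Constructed sample page mirroring the delegation metadata from the post;
# the extra <link> in <body> exists only to show that it is ignored.
SAMPLE_HTML = """<html>
<head>
  <link rel="openid.delegate" href="http://unmaintainable.wordpress.com/" />
  <link rel="openid.server" href="http://unmaintainable.wordpress.com/?openidserver=1" />
</head>
<body>
  <link rel="openid2.provider" href="http://ignored.invalid/" />
</body>
</html>"""

if __name__ == "__main__":
    print(discover("http://example.com/matthias/", SAMPLE_HTML))
```

Running the module prints the discovery result for the post's identifier: protocol `1.x`, the WordPress.com endpoint as provider, and the blog URL as local identifier, while `claimed_id` stays `http://example.com/matthias/`. Because that page is what the relying party trusts, whoever can edit it (or tamper with it in transit when it is served over plain HTTP) can redirect the identity to another provider, which is the reason to keep the delegating page on a domain you control and serve it over HTTPS.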

Wikipedia has a list of OpenID identity providers. For more information about the required metadata see the OpenID spec.

This entry was posted in misc.

One Response to OpenID Delegation

  1. Pingback: Delicious Bookmarks for July 16th through July 17th « Lâmôlabs
