OpenID Delegation

OpenID is a great concept but what I don’t like is that I tie myself to a specific identity provider. Suppose the provider goes out of business or doesn’t support OpenID anymore. Of course, I could set up my own private identity provider but I’m lazy and I don’t want to run a security-critical service on my own server. Fortunately, there’s an alternative: OpenID’s authentication delegation.

Using my own domain, I can define a personal identifier (let’s say that delegates to a real identity provider. All I need is an HTML page on the public internet with some OpenID metadata that refers to an identity provider. The relying party (OpenID speak for the service I want to authenticate to) associates me with and I can switch identity providers as I see fit.

Let’s have a look at an example. I want to use my WordPress blog as my identity provider so I can use my existing Google account to log into OpenID-enabled services like Stackoverflow. All I need is a bit of metadata at

  <link rel="openid.delegate" href="" />
  <link rel="openid.server" href="" />
  <!-- ... -->

Wikipedia has a list of OpenID identity providers. For more information about the required metadata see the OpenID spec.

This entry was posted in misc and tagged , . Bookmark the permalink.

1 Response to OpenID Delegation

  1. Pingback: Delicious Bookmarks for July 16th through July 17th « Lâmôlabs

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s