OpenID Delegation

OpenID is a great concept but what I don't like is that I tie myself to a specific identity provider. Suppose the provider goes out of business or doesn't support OpenID anymore. Of course, I could set up my own private identity provider but I'm lazy and I don't want to run a security-critical service on my own server. Fortunately, there's an alternative: OpenID's authentication delegation.

Using my own domain, I can define a personal identifier (let's say http://example.com/matthias/) that delegates to a real identity provider. All I need is an HTML page on the public internet with some OpenID metadata that refers to an identity provider. The relying party (OpenID speak for the service I want to authenticate to) associates me with http://example.com/matthias/ and I can switch identity providers as I see fit.

Let's have a look at an example. I want to use my Wordpress blog as my identity provider so I can use my existing Google account to log into OpenID-enabled services like Stackoverflow. All I need is a bit of metadata at http://example.com/matthias/:

<html>
<head>
  <link rel="openid.delegate" href="http://unmaintainable.wordpress.com/" />
  <link rel="openid.server" href="http://unmaintainable.wordpress.com/?openidserver=1" />
</head>
<body>
  <!-- ... -->
</body>
</html>
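To see what a relying party actually does with that page, here is an added example (not code from the post) of the OpenID 1.1 HTML discovery step: it pulls openid.server and openid.delegate out of the head, records them against the claimed identifier, and later checks that the identity the provider vouches for is the one discovered. The sample page and the function names discover and assertion_matches are my own constructions.

```python
"""Relying-party side of OpenID 1.1 HTML discovery (added example, not the post's code)."""
from html.parser import HTMLParser
from typing import Dict, Optional

# Constructed copy of the delegation page served at the claimed identifier.
SAMPLE_PAGE = """<html><head>
  <link rel="openid.delegate" href="http://unmaintainable.wordpress.com/" />
  <link rel="openid.server" href="http://unmaintainable.wordpress.com/?openidserver=1" />
</head><body></body></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href from <link> elements found inside <head>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                for token in a["rel"].split():  # rel may hold several tokens
                    self.links.setdefault(token.lower(), a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(claimed_id: str, page_html: str) -> Optional[dict]:
    """Parse the page at claimed_id; return what the RP must remember, or None."""
    p = _LinkCollector()
    p.feed(page_html)
    server = p.links.get("openid.server")
    if server is None:
        return None  # no openid.server link: not a delegating identifier page
    return {
        "claimed_id": claimed_id,  # the user is known to the RP by this URL
        "server": server,  # endpoint that receives checkid_setup/immediate
        "identity": p.links.get("openid.delegate", claimed_id),  # sent as openid.identity
    }


def assertion_matches(disc: dict, asserted_identity: str) -> bool:
    """The provider vouches for the delegate URL; reject anything else."""
    return asserted_identity == disc["identity"]
```

The binding between the claimed identifier and the discovered delegate is what lets you switch providers later: the relying party only ever stores http://example.com/matthias/, and the check in assertion_matches stops a provider from asserting an identity that the page never delegated to.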

Wikipedia has a list of OpenID identity providers. For more information about the required metadata see the OpenID spec.
