The great promise of the OpenID specification is that it can
simplify identity management on the 'net. At its best, OpenID provides
three great features:
Unified Identity
A single account (identity) with which you can log in to many sites,
removing the need to create and remember a separate username/login for
every web site you interact with.
Openness
A decentralized authentication system with multiple providers. This
means that you can choose a provider (or even a few) from the many
options available to vouch for your identity, and switch providers if
you find a better one. Or you can even be your own provider.
Delegation
I think Delegation is the most attractive feature of OpenID because it
means your own web site can act as your identity, while delegating the
authentication process to one (or more) OpenID providers.
In short, with delegation you can log in to sites using a URL you own
like james.murty.co, while taking advantage of the strong
authentication options offered by providers such as Verisign's PIP.
Although my Verisign PIP identity happens to be
jmurty.pip.verisignlabs.com, I can use my own web site as an alias for
this provider-specific identity.
By decoupling your identity from your OpenID provider you can take
advantage of the fact there are many providers and easily switch
providers later on without losing your identity, and without having to
update your associated OpenID identity on every web site. After all, if
you had to do that you might as well have created your own
username/password on every site in the first place.
But...
Unfortunately, the complexity of OpenID and the challenge ordinary
people can have getting it to work properly is preventing widespread
adoption of the system in general, and of the Openness and Delegation
features in particular. Although big players like Google and Yahoo are
supporting (parts of) the specification, they are understandably
encouraging people to adopt their branded OpenID identities rather than
extolling the advantages of controlling your own identity.
After all, every web company would love to take on the "burden" of
managing your unified web identity. It's the ultimate in vendor lock-in.
Setup OpenID delegation for your web site
If you have your own web site or blog and are able to edit the HTML
pages directly, you can set up delegation by adding special
link
tags to the head
section of one of your
site's pages. You will most likely want to do this on the site's home
page so you can use a short URL like james.murty.co instead of
james.murty.co/my-openid-page.html.
Below are the link
tags I use on my site to delegate to my
jmurty Verisign PIP identity. You will need to use your own
provider-specific identity URL in your links, and the format could vary
quite a lot depending on the OpenID provider you choose so check your
provider's documentation. Also, I'm not sure that all OpenID providers
actually support delegation, so you should research this before you sign
up with a provider.
<link rel="openid.server"
href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate"
href="http://jmurty.pip.verisignlabs.com/" />
<link rel="openid2.provider"
href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id"
href="http://jmurty.pip.verisignlabs.com/" />
It is important that these link
tags be included inside a
valid HTML head
section in your web page, or many web sites
will be unable to find your delegate settings.
More Complexity, aka Taming Blogger.com
You may have noticed that the OpenID information is provided twice, once
for the original OpenID specification (openid.*
tags) and
again for version 2 of the spec (openid2.*
tags).
I don't know why the second lot of settings is necessary, since
presumably the spec is supposed to be backwards-compatible, but I have
found that some sites won't work properly unless the version 2 settings
are provided.
One example of version incompatibility quirks is Google's Blogger.com,
which allows you to comment on blog posts after logging in with an
OpenID. Prior to adding the openid2.*
tags I found that
although Blogger would allow me to authenticate and post comments, it
would replace my delegating identity james.murty.co with the delegated
version jmurty.pip.verisignlabs.com. This meant that the delegation
was essentially useless, since anyone clicking on the nickname for my
comment would end up at an empty Verisign PIP landing page instead of my
own site.
I'm not sure if this is Google's fault, or a fault in the OpenID spec.
Either way it was annoying having to track down and fixing this issue.
It just serves as yet another example where OpenID is not quite living
up to the promise of simplifying identity management.
There are comments.