OpenID, which describes itself as "an open, decentralized, free framework for user-centric digital identity", has been gaining momentum and getting press in the Identity 2.0 space. The fundamental idea of OpenID is that a URI is necessarily unique and thus a good way to identify users. If you say you own a URI and can properly authenticate with the URI, then you must be who you say you are.

Admittedly, this can be tricky to understand at first. Perhaps the best analogy is an open version of Passport, where you can download and run your own Passport server. When you go to Microsoft.com or MSDN, you don't log in to a "local" account - you are instead redirected to a Passport (now Windows Live ID) screen to enter your username and password. From a user perspective, OpenID is not that different, as Simon Willison showed in his screencast (embedded below).

Scott Hanselman also discussed OpenID on a recent Hanselminutes and has a number of good resources (including the screencast) linked in the show notes.

Importantly, the OpenID specifications do not dictate how authentication happens; they only define the communication between the requesting site and the identity provider. An OpenID provider can authenticate users however it wants - e.g., by password, thumbprint, voice recognition, or rotating single-use token. Significantly, Microsoft recently announced that it will support OpenID in CardSpace (and presumably in the recently-launched Windows Live ID service).

The other important element in the spec is the ability to delegate authentication. In other words, "the host of the HTML document is NOT REQUIRED to also be the End User's Identity Provider; the Identifier URL and Identity Provider can be fully decoupled services." This allows me to have my OpenID point to, say, http://timmarman.com or http://slashstar.com/blogs/tim, while using MyOpenId to authenticate behind the scenes. To accomplish this, I put two lines in my blog template:

     <link rel="openid.server" href="http://www.myopenid.com/server">
     <link rel="openid.delegate" href="http://tmarman.myopenid.com/">

As Simon discussed, this is important when an identity provider goes away or if you stop trusting a particular provider - because you own the identifying URL, you can simply repoint it to a different provider.
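As an added example (not code from the original post), here is the HTML-based discovery step that those two tags enable in OpenID 1.x: a relying party fetches the claimed URL itself and reads `openid.server` and `openid.delegate` from its `<head>`, which is what binds the identity URL to a provider. The sample HTML is constructed to mirror the tags above; when no delegate is present, the claimed URL itself is the identity the provider is asked to assert.

```python
# Added example, not from the original post: OpenID 1.x HTML discovery as a
# relying party would perform it on the claimed identifier's own page.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a blog template carrying the two tags would serve.
SAMPLE_HTML = """<html><head>
<title>Tim's blog</title>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://tmarman.myopenid.com/">
</head><body>post text</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collects openid.server / openid.delegate <link> tags found in <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":            # discovery only looks inside <head>
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()   # rel may hold several tokens
        href = a.get("href")
        for name in ("openid.server", "openid.delegate"):
            if name in rel and href and name not in self.links:
                self.links[name] = href               # first occurrence wins


def discover(claimed_id, html):
    """Return (server_endpoint, identity_to_assert) for a claimed identifier URL."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found at the claimed URL")
    if urlparse(server).scheme not in ("http", "https"):
        raise ValueError("openid.server must be an http(s) URL")
    # Without a delegate the claimed URL itself is what the provider asserts.
    return server, parser.links.get("openid.delegate", claimed_id)


if __name__ == "__main__":
    print(discover("http://slashstar.com/blogs/tim", SAMPLE_HTML))
```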

From a programming perspective, OpenID is pretty easy to work with and there are already a number of libraries to further simplify the process.
