OpenID

OpenID is a decentralized single sign-on system. Using OpenID-enabled sites, web users do not need to remember traditional authentication tokens such as username and password. Instead, they only need to be previously registered on a website with an OpenID "identity provider", sometimes called an i-broker. Since OpenID is decentralized, any website can employ OpenID software as a way for users to sign in; OpenID solves the problem without relying on any centralized website to confirm digital identity.

OpenID is increasingly gaining adoption among large sites, with organizations like AOL acting as a provider. In addition, integrated OpenID support has been made a high priority in Firefox 3^[1] and Microsoft is working on implementing OpenID 2.0 in Windows Vista.^[2]

OpenID was originally developed by Brad Fitzpatrick of LiveJournal, but the term now also includes the Light-Weight Identity, Yadis, Sxip DIX protocol that was proposed at IETF, and XRI/i-names. Future OpenID specifications are being developed in a meritocratic fashion on openid.net, involving many technology companies, user companies and open-source developers.

To help spawn additional deployment, a group of vendors announced a $50,000 USD developer bounty program in August of 2006, offering $5,000 USD each to the first ten large-scale Open Source projects to implement OpenID support.^[3]

Currently work is underway developing OpenID Authentication 2.0, which will use the Yadis service discovery protocol. OpenID is now developing into a much more complete framework that will support other identity services besides authentication.

A basic glossary of the terms used with OpenID:

• end user — The person who wants to assert his or her identity to a site.
• identifier — The URL or XRI chosen by the End User as their OpenID identifier.
• identity provider or OpenID provider— A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services). Note that the OpenID specifications use the term "OpenID provider" or "OP".
• relying party — The site that wants to verify the end user's identifier.
• server or server-agent — The server that verifies the end user's identifier. This may be the end user's own server (such as their blog), or a server operated by an identity provider.
• user-agent — The program (such as a browser) that the end user is using to access an identity provider or a relying party.
• consumer — An obsolete term for the relying party.

A website, such as example.com, which wants to enable OpenID logins for its visitors, places a login form somewhere on the page. Unlike a typical login form, which prompts the user for a user name and password, there is only one field - for the OpenID identifier. The site may choose to display a small OpenID logo next to the field. This form is connected to an implementation of an OpenID client library.

If a user named Alice wants to log in to example.com using the OpenID identifier alice.openid-provider.org that she has registered with the identity provider openid-provider.org, she simply goes to example.com and types alice.openid-provider.org in the OpenID login box.

If the identifier is a URL, the first thing the relying party (example.com) does is transform into a canonical form, e.g., http://alice.openid-provider.org/. With OpenID 1.0, the relying party then requests the web page located at that URL and, via an HTML link tag, discovers that the provider server is, say, http://openid-provider.org/openid-auth.php. It also discovers whether it should use a delegated identity (see below). Starting with OpenID 2.0, the client does discovery by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml that may be available at the target URL and is always available for a target XRI.

There are two modes in which the relying party can communicate with the identity provider:

• checkid_immediate, which is machine-oriented and in which all communication between the two servers is done in the background, without the user's knowledge;
• checkid_setup, in which the user communicates with the provider server directly using the very same web browser used to access the relying party site.

The second option is more popular on the Web; also, checkid_immediate can fallback to checkid_setup if the operation cannot be automated.

First, the relying party and the provider (optionally) establish a shared secret - an associate handle, which the relying party then stores. If using checkid_setup, the relying party redirects the user's web browser to the provider. In this case, Alice's browser is redirected to openid-provider.org so Alice can authenticate herself with the provider.

The method of authentication may vary, but typically, an OpenID provider asks for a password (and then possibly stores the user's session using cookies, as many websites with password-based authentication do). Alice may be prompted for her password if she was not logged in on openid-provider.org, and then asked whether she trusts, say, http://example.com/openid-return.php - the page designated by example.com as the one where the user should return after completing authentication - to receive details about her identity. If she answers positively, OpenID authentication is considered successful and the browser is redirected to the designated return page with credentials given. If Alice decides not to trust the relying party site, the browser is still redirected - however, the relying party is notified that its request was rejected, so example.com refuses to authenticate Alice in turn.

However, the login process is not over yet because at this stage, example.com cannot decide whether the credentials received really came from openid-provider.org. If they had previously established a shared secret (see above), the relying party can validate the shared secret received with the credentials against the one previously stored. Such a relying party is called stateful because it stores the shared secret between sessions. In comparison, a stateless or dumb relying party must make one more background request (check_authentication) to ensure that the data indeed came from openid-provider.org.

After Alice's identifier has been verified, she is considered logged in to example.com as alice.openid-provider.org. The site may then store the session or, if this is her first logon, prompt Alice to enter some information specific to example.com, in order to complete registration.

OpenID does not provide its own form of authentication, but if an identity provider uses strong authentication, OpenID can be used for secure transactions such as banking and e-commerce.

Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs.

There are two ways to obtain an OpenID-enabled URL that can be used to login on all OpenID-enabled websites.

1. To use an existing URL that one's own control (such as one's blog or home page), and if one knows how to edit HTML, one can insert the appropriate OpenID tags in the HTML code following instructions at the OpenID specification.
2. The second option is to register an OpenID identifier with an identity provider. They offer the ability to register a URL (typically a third-level domain) that will automatically be configured with OpenID authentication service.

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms -- i-names and i-numbers -- that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.

This section needs expansion. You can help by adding to it. (March 2007)

America Online provides (brokers) OpenIDs, in the form "openid.aol.com/screename". Idproxy.net provides OpenIDs for Yahoo! users via Yahoo!'s authentication API (BBAuth); idproxy.net was created by a former Yahoo! developer but is not otherwise related to the company.

Six Apart blogging hosts LiveJournal and Vox both support OpenID; Vox as a provider and LiveJournal as both a provider and a relying party.

Other services accepting OpenID as an alternative to registration include Wikitravel, photo sharing host Zooomr, linkmarking host Ma.gnolia, identity aggregator ClaimID, icon provider IconBuffet, Basecamp and Highrise by 37signals, and Jyte. Open ID Enabled lists many more sites, services, and platforms.

The OpenID Foundation is currently being formed to help manage intellectual property, marketing efforts and other activities related to the success of the OpenID community. The singular goal of the OpenID Foundation is to protect OpenID so that it may be used by any and all that want to.

The European counterpart OpenID Europe^[4], has been created in 2007. It is a non-profit organization, supporting and promoting the OpenID framework in Europe.

R-Objects Inc. filed for the OpenID trademark (serial 78899244) on 2 June 2006^[5] which was published for opposition on 9 January 2007, claiming a first use date of 17 May 2005 and a first use in commerce date of 18 April 2006. Sxip Identity Corporation subsequently filed for the OpenID trademark (serial 77041930) on 11 November 2006^[6] but abandoned it on 23 November 2006^[7]. Randy "ydnar" Reddig claimed ownership of the OpenID logo on 29 June 2005 and announced plans to transfer it to Six Apart (or some OpenID.org).

There is a pending USPTO patent application with PCT priority from Denmark of March 9 2001 that covers the central aspects of OpenId.

Six Apart Ltd. are the registrant for the 'official' openid.net domain, which was transferred from David I. Lehn on 16 June 2005.

The official site currently states:

Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community.

Both Sun Microsystems and VeriSign have issued patent non-assertion covenants covering OpenID 1.1 specifications. These covenants ^{[8] [9]} state that neither company will assert any of their patents against OpenID implementations and will revoke their promises from anyone who threatens, or asserts, patents against OpenID implementors.

Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.^[10]

• Identity Centric Architecture
• Identity 2.0
• Light-Weight Identity
• Windows CardSpace
• Liberty Alliance
• Shibboleth (Internet2)
• Extensible Name Service
• SAML
• WS-Federation

• OpenID official site
• identity.eastmedia.com — OpenID and Identity info at eastmedia
• OpenID Enabled — resource for OpenID users and developers
• Directory of OpenID Providers (Servers)
• Directory of OpenID enabled Websites (Consumers)
• eoo European OpenID Organization (OpenID Europe Foundation).
• Openid Authentication Service for India — Provides a .in OpenId
• OpenID servers - Distributions you can download and install.
• OpenID protocol overview and OpenID4Java library example
• OpenID Book by Rafeeq Rehman
• An interview with Simon Willison about Open Id
• DotNetOpenID OpenID implementation in .NET, including ASP.NET controls.