OpenID Centralizes Web Authentication

A few years ago, I came across an interesting open authentication standard called OpenID. At the time, it was just getting started, but today it has grown into fairly widespread use. OpenID is a Web-based technology designed to ease credential management for both site operators and end users.

Typically, when you log onto a Web site, that site gathers your logon details and checks them against its own internal database of credentials. Using that technique means that every site needs to maintain its own set of logon information, and every user needs a separate password at every site. With OpenID, sites don't necessarily have to do that anymore, because an OpenID provider acts as a middleman between end users and the sites those users wish to access.

The logon flow works like this: A user lands on your OpenID-enabled logon page and enters an identifier, usually a URL that he or she controls. Your site (the relying party, in OpenID terms) fetches that URL and performs discovery on it to learn which OpenID provider handles the user's credentials and where that provider's endpoint is. Your site then redirects the user to the provider with an authentication request. The request can be interactive (checkid_setup, in which the provider shows its own logon page) or immediate (checkid_immediate, typically issued from a hidden iframe or popup, in which the provider answers without user interaction and succeeds only if the user is already signed in there). The provider sends the user back to your return URL with a signed assertion of success or failure. Before you act on a positive assertion, your site must verify it: check the signature, either with the shared secret from an association you established with the provider or by asking the provider directly with a check_authentication request; confirm that the return URL and the provider endpoint match what you sent and what discovery found; and reject any response nonce you have seen before. Only then can you allow the user access. If the assertion is negative or fails verification, you deny access and proceed accordingly.

That probably sounds like a relatively simple and powerful authentication process, and it is. However, it can become more complex depending on the needs of site operators. Since OpenID moves authentication away from the site a person wants to access, each OpenID provider can impose its own authentication requirements, depending on the methods it supports and on what the site requests.

The latter works through the OpenID Provider Authentication Policy Extension (PAPE). With PAPE, a Web site attaches to its authentication request the policies it prefers the provider to apply: for example, that the user logged on in a phishing-resistant way, such as with a digital certificate, or with multiple factors, such as a physical token plus a PIN. The site can also demand that the authentication happened within a given number of seconds. PAPE is a request, not a command: the provider answers with the policies it actually applied (and when the user last authenticated), and it is up to your site to enforce the result. So if you require a physical token but the user hasn't enabled that feature at his or her OpenID provider, or the provider doesn't support it, the response will say so and you can limit or deny the user's access at your site. Because the provider's answer arrives in the same signed response as the assertion itself, treat it as trustworthy only when those fields are covered by the signature.
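The redirect-and-verify flow described above and the PAPE request and response, as one added example in Python (this is my own illustration, not code from the OpenID Foundation's samples). It assumes your site has already discovered the provider endpoint and set up an HMAC-SHA256 association with it; the endpoint, association handle, secret, return URL and realm are constructed for the demo, and the provider's signed response is likewise constructed in code so the example runs offline.

```python
"""OpenID 2.0 relying-party helpers: build a checkid_setup request that also
carries a PAPE policy request, then verify the signed assertion that comes
back. Added example, not the OpenID Foundation's sample code. It assumes the
RP already holds an HMAC-SHA256 association with the provider; the endpoint,
handle, secret and URLs below are constructed for the demo."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PAPE_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Constructed demo values; a real RP learns these from discovery and association.
OP_ENDPOINT = "https://op.example.net/server"
ASSOC_HANDLE = "demo-assoc-1"
ASSOC_SECRET = b"\x01" * 32          # HMAC-SHA256 association key (32 bytes)
RETURN_TO = "https://rp.example.com/openid/return"
REALM = "https://rp.example.com/"
# The spec requires the first six to be signed; this RP also insists the PAPE
# fields are signed, since it acts on them (a site-policy choice).
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                  "claimed_id", "identity", "ns.pape", "pape.auth_policies")


def build_auth_request(claimed_id, policies, max_auth_age=None):
    """Redirect URL for the provider, requesting the given PAPE policies."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",   # interactive; checkid_immediate for iframe/popup
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.return_to": RETURN_TO,
        "openid.realm": REALM,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
    }
    if max_auth_age is not None:       # seconds since the user last authenticated
        params["openid.pape.max_auth_age"] = str(max_auth_age)
    return OP_ENDPOINT + "?" + urlencode(params)


def kv_form(fields, signed):
    """KV-form of the signed fields, in openid.signed order; this is what the HMAC covers."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)


def sign_response(fields, secret):
    """Base64 HMAC-SHA256 over the KV-form, as the provider computes openid.sig."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(fields, signed).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_assertion(query, required_policies, seen_nonces, secret=ASSOC_SECRET):
    """Validate a positive assertion. Returns (True, claimed_id) or (False, reason)."""
    f = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = f.get("openid.signed", "").split(",")
    for name in MUST_BE_SIGNED:
        if name not in signed:
            return False, f"{name} not covered by signature"
    if f.get("openid.op_endpoint") != OP_ENDPOINT:
        return False, "assertion from unexpected endpoint"
    if f.get("openid.return_to") != RETURN_TO:
        return False, "return_to mismatch"
    if f.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    nonce = f.get("openid.response_nonce", "")
    if nonce in seen_nonces:
        return False, "replayed nonce"
    try:
        expected = sign_response(f, secret)
    except KeyError:
        return False, "signed field missing from response"
    if not hmac.compare_digest(expected.encode(), f.get("openid.sig", "").encode()):
        return False, "bad signature"
    # Only now is pape.auth_policies trustworthy; enforce what the site required.
    applied = set(f.get("openid.pape.auth_policies", "").split())
    missing = sorted(set(required_policies) - applied)
    if missing:
        return False, "provider did not apply: " + " ".join(missing)
    seen_nonces.add(nonce)
    return True, f["openid.claimed_id"]


def make_demo_assertion(claimed_id, applied_policies, nonce="2008-03-01T12:00:00Zdemo1"):
    """Constructed provider response, standing in for the real OP so this runs offline."""
    f = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": " ".join(applied_policies),
        "openid.signed": ",".join(MUST_BE_SIGNED),
    }
    f["openid.sig"] = sign_response(f, ASSOC_SECRET)
    return urlencode(f)


if __name__ == "__main__":
    user = "https://alice.example.org/"
    print(build_auth_request(user, [PAPE_PHISHING_RESISTANT], max_auth_age=300))
    seen = set()
    good = make_demo_assertion(user, [PAPE_PHISHING_RESISTANT, PAPE_MULTI_FACTOR])
    print(verify_assertion(good, [PAPE_PHISHING_RESISTANT], seen))     # accepted
    print(verify_assertion(good, [PAPE_PHISHING_RESISTANT], seen))     # replayed nonce
    tampered = good.replace("alice.example.org", "mallory.example.org")
    print(verify_assertion(tampered, [PAPE_PHISHING_RESISTANT], set()))  # bad signature
```

The example verifies the signature locally because it assumes an association. A site running in stateless mode has no shared secret and instead posts the response fields back to the provider with openid.mode set to check_authentication, accepting the assertion only if the provider answers is_valid:true; every other check in verify_assertion (endpoint, return URL, nonce, and the PAPE policies actually applied) still applies in that mode.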

Overall, OpenID lets you integrate various levels of authentication without having to develop the technology yourself. Instead, all you need to do is integrate OpenID into your Web application, and that process isn't so difficult either. When you visit the OpenID Foundation's Web site (at the URL below), on the developers' page you'll find many sets of sample code that you can use to get started with integration. Code is available for PHP, ColdFusion, Java, Ruby, Python, Perl, C++, and C#. Of course, the availability of sample code makes integration much faster.

OpenID technology is a very cool idea, and even industry big shots are taking notice. Yahoo!, Google, Microsoft, IBM, and VeriSign executives all have recently taken seats as new directors on the OpenID Foundation board. The foundation said that so far more than 10,000 Web sites have integrated OpenID and that over 250 million people have OpenID credentials. That's fairly widespread use already, and the numbers will surely grow quickly. I understand that Microsoft will also integrate OpenID into its Windows CardSpace technology.

You might already have your own OpenID as an end user but don't know it. If you have an account at AOL, LiveJournal, Technorati, Orange, Livedoor, SmugMug, or Vox, then you already have an OpenID. Visit the URL below to find out how to access your OpenID credentials from those providers. Also at the URL below you'll find a list of other companies that provide OpenIDs, so if you want an OpenID but don't have one, you can visit one of those sites to sign up.

Of course, you can also establish your own OpenID provider on one of your servers or sites. Doing that is a bit more complicated; however, many of the code samples I mentioned previously include the ability to do that. So if you're interested, check it out.
