A look at OpenID [LWN.net]

October 4, 2006

This article was contributed by Jake Edge.

The OpenID project is an effort to produce a decentralized, open, user-centric identity management framework. The main benefit for users will be a 'single sign on' to websites that support it. The project provides open source libraries for both websites requiring authentication (relying parties) and for the servers that provide the authentication (identity providers, IdPs). One of the main goals is to allow anyone to run a server that authenticates their own or others' identities and avoid the centralized model of other identity frameworks.

At its core, OpenID allows a user to associate a URL with his or her identity; a server can then authenticate that the user is the owner of that URL. Giving users control of their own identity makes OpenID a user-centric identity management system. To use OpenID authentication, the username is the URL and the password is stored on the identity provider. Thus, the same password is used to authenticate multiple accounts on various websites.

There are different ways to use OpenID, depending on what the user's requirements and capabilities are. In the simplest case, one can sign up for a free account at a provider like MyOpenID and it will generate a URL for you to use (the author's test account was jake.edge.myopenid.com). After that, you can submit that URL at any OpenID enabled website and authenticate it. If you have not visited the site before, you will be redirected to MyOpenID to enable that site to authenticate you. You may also need to login to MyOpenID if you have not established a session there recently. Once you have enabled authentication, you are redirected back to the original site and MyOpenID will have authenticated you. If you have a valid MyOpenID session and have previously enabled the site you are visiting, you can be authenticated behind the scenes when you provide your URL and will be able to log in without providing a password.

Another way to use a service like MyOpenID is by using a URL under your control as your identity. By putting some HTML into the HEAD section of the index document served from that URL, you can delegate the authentication to another server and gain the benefits of using your own URL without running your own OpenID server. If you do that, the URL for OpenID logins becomes the URL under your control. Over time, you could change the server that you delegate to while still retaining the identity associated with your URL. In addition, various OpenID server implementations exist for those who wish to fully control their identity and can run their own server.

OpenID implements the authentication by using (but not requiring) strong encryption on the messages that are exchanged between relying parties and identity providers (IdPs). When a user enters a URL into an OpenID login, the relying party makes a GET request to the URL and expects to find some extra OpenID specific markup in the HEAD section. It uses this markup to find the IdP and can negotiate an association between the relying party and IdP, but does not have to. The association is an agreement on cryptographic protocols to use to sign the requests and responses. A relying party can then cache that information to use when contacting that IdP for any other user that might share the server.

After that, the relying party redirects the user to the IdP which allows any IdP specific cookies to be delivered. The IdP may decide to require the user to authenticate with it, but that is outside of the scope of the OpenID specification. As described above, the IdP may also require the user to make a decision about whether to allow the relying party to authenticate them. Once that is complete, the IdP returns the user to the relying party site with an assertion about whether the authentication succeeded or failed.

The most recent OpenID specification adds some additional capabilities. A nonce (a unique identifier) value was added as an option to the success response to thwart replay attacks. Also, support for Yadis discovery was added. Yadis allows relying parties to determine what authentication protocol to use so that sites can transparently support other protocols such as LID.

From a security standpoint, there are a few different attack vectors that are described in the specification. Eavesdropping and man-in-the-middle attacks can be circumvented by using HTTPS (SSL). Unless the IdP is compromised, the identity itself is secure, though it could be spoofed on a particular site using those vectors.

OpenID simply makes the connection between a URL and an identity, it asserts that the two are associated, it does not provide any trust information about the identity. Users of OpenID will still have to prove they are not programs at registration time because nothing in the protocol prevents programs from having identities. It is a starting point, as any kind of trust system must be based on an authenticated identity. A trust layer that uses OpenID identities could provide protection against blog spam and the like. Since OpenID identities can be anonymous, this will allow for anonymous, but authenticated, users; one can verify that the identity wrote a particular message without making a connection to the real life person behind it.

There seems to be a growing number of sites that support OpenID; there is even a bounty for adding support to open source programs. Overall, it seems that OpenID provides a fairly painless route for digital identity management for both users and websites. It is probably worth a look for anyone that might be interested in such a thing.

(Log in to post comments)

A look at OpenID

Posted Oct 5, 2006 17:13 UTC (Thu) by iabervon (subscriber, #722) [Link]

Trust is actually too vague a concept to implement in this sort of system. It should be possible for a URL to list the certificates it has, in case somebody cares, but there are no issuing authorities which everybody should trust about anything, which implies that the system cannot automatically use any certificates (as least, without special configuration).

LWN could certainly use OpenID as it is, in any case, by simply allowing users to optionally have an OpenID (hosted elsewhere) which grants access to the site. This is no less or more secure or trustworthy than the current scheme of having a password. If anything, this allows LWN to trust users slightly more, because it could verify that the mingo here (for example) is able to use the identity that the mingo on kernel.org claims to control, and therefore, if the mingo on kernel.org does something interesting, whatever the local mingo says about it is authoritative (at worst, it is written by an authorized ghostwriter).

The thing that OpenID is lacking, in my opinion, is a way for relying sites to submit transactions of standard types to the authorizing site (which presumably checks them with the user outside the scope of the system) for certification. That is, there is no way for LWN to prove to me that it verified the ID of the client which posted a comment as being that of the mingo on kernel.org; I have to decide whether LWN can be trusted to do this particular check to my satisfaction, rather than getting proof that the purported well-known author is satisfied.

Problems with trust

Posted Oct 6, 2006 15:17 UTC (Fri) by copsewood (subscriber, #199) [Link]

Trust is a very difficult thing to automate in a decentralised manner other than in very narrow contexts. Consider the kind of trust questions an identity user site might be interested in:

a. Can this user be trusted to interact accountably and responsibly with children under the age of 16 ?

b. Can this person be trusted to order goods on-line to be delivered to the home address on the bank card used to a value of less than $100 ?

c. Can this entity be trusted to deliver an email to my inbox which will not waste a couple of seconds of my limited lifespan ?

d. Can this person identified by an organisation I have a support contract with be trusted not to have any conflict of interest through operating the root account on my supported server in connection with support access they have recently had to confidential data of specified competitors in my industry ?

e. Can this person be trusted as being a recent line manager within the organisation identifying him or her of a job applicant to provide a reference as their recent line manager ?

These trust relevant questions are so different in their requirements that I think each would require entirely seperate protocols. Having a common protocol that authenticates the players' identities is only the first step.

I don't get it ...

Posted Oct 5, 2006 13:07 UTC (Thu) by steffen (subscriber, #23586) [Link]

After entering your identity URL on site A you will be redirected to a site hosted by your identity provider. On this site you have to be logged in to confirm the request from site A.

I don't get it ...

Posted Oct 11, 2006 10:26 UTC (Wed) by samj (guest, #7135) [Link]

right, which is why it's interesting they enforce the syntax '$firstname.$lastname.myopenid.com' when in fact they do nothing to validate the name. presumably different IdP's could have different policies regarding this eventually... for example Thawte could set up an IdP based on their WoT which could potentially be trusted to provide this information, depending on the transaction.

I don't get it ...

Posted Oct 12, 2006 20:40 UTC (Thu) by Acapnotic (guest, #869) [Link]

It's true that the example text next to the Name field in myopenid's signup is "John Doe", but really you may put whatever you like in there. It doesn't "enforce" $firstname.$lastname by any means.

Bug tracker

Posted Oct 5, 2006 18:57 UTC (Thu) by bronson (subscriber, #4806) [Link]

I had thought that Launchpad intended to be this: a great, decentralised P2P bug network. Projects everywhere would run their own copy of Launchpad and the days of manually chasing bugs upstream and downstream would be over! Talk about progress!

Alas, Launchpad is still totally proprietary, will continue to be proprietary, and Canonical is trying to convince people to just host their own projects on Canonical servers. Blah.

I still use Ubuntu even though Launchpad has been a bitter disappointment and Canonical the company doesn't appear to believe in open source methodologies. I'm conflicted. It's a shame Ubuntu works so well. :)

Bug tracker

Posted Nov 16, 2006 16:01 UTC (Thu) by nealmcb (subscriber, #20740) [Link]

From https://launchpad.net/faq

Our goal is to release all of Launchpad as free software, though it will take some time (potentially, years) before that happens.

We are doing so in a piecemeal approach. Parts of Launchpad have already been released as free software where they would be particularly useful to other projects.

Bug tracker

Posted Nov 16, 2006 19:37 UTC (Thu) by bronson (subscriber, #4806) [Link]

But why? Perhaps LaunchPad contains intellectual property owned by other companies? Maybe the FCC prevents it due to regulatory issues? Maybe they need to cleanse it of swear words? (are there any other general-purpose excuses used by companies who claim to want to release code but do not?)

Canonical, if you want to release it, then just release it! Uncommented source drops are fine. Closed-door, XGL-style "because we know what's best for you" development is a bad idea but that's OK too as long as you're honest about it. This, "we want to, believe us!" lip service just doesn't make any sense.

Besides, could additional hackers possibly make LaunchPad any MORE confusing to use? :-)

Supporting OpenID for LWN logins

Posted Oct 9, 2006 14:58 UTC (Mon) by corbet (editor, #1) [Link]

It's on the list. As I often tell people, though...the list is long. So I can't make any promises about when we'll be able to implement OpenID logins.

Supporting OpenID for LWN logins

Posted Oct 9, 2006 15:04 UTC (Mon) by madhatter (subscriber, #4665) [Link]

thanks, jon - i'm impressed it's on the list at all, long or otherwise.

A look at OpenID

Posted Oct 11, 2006 10:29 UTC (Wed) by samj (guest, #7135) [Link]

Agreed, being able to log in using OpenID would be cool.

A look at OpenID

Posted Oct 17, 2006 19:02 UTC (Tue) by tmk (guest, #40799) [Link]

> without my having to register with livejournal myself. It works well.

Hey but you *do* have a LJ account!

A real world example...

Posted Oct 11, 2006 10:51 UTC (Wed) by samj (guest, #7135) [Link]

I recently set up a site for hosting Citrix employees ('Citrites') blogs at http://citrite.org/blogs/ using WordPress MU. I subsequently set up Drupal at the root: http://citrite.org/ and thanks to (fairly immature) plugins for both Wordpress and Drupal I should be able to have Wordpress users logging in to Drupal (and vice versa) using the URL of their blog (eg http://citrite.org/blogs/samj/) or Drupal user (eg http://citrite.org/user/samj/). They could also use these URLs to authenticate with other sites (eg to post comments at other blogs using their own blog url) and if this were to become a mainstream service I could use friendly urls like 'samj.citrite.org'.

Also, by adding some tags to my (otherwise blank) site at http://samj.net I can now log in to OpenID sites (including citrite.org) as 'samj.net', which I think is pretty cool (especially if I want to have a few different centrally managed IDs for say work and play).

I see a fair bit of room for building on this system, for example by using different authenticators for different sites (eg my IdP could require a simple, low level password to submit a blog comment, a stronger password to administer a blog and perhaps even 2 factor authentication by way of a token or client side certificate to access sensitive data).

I know there are alternatives out there which are far more feature complete (Shibboleh, Liberty, etc.) but if you get OpenID for free out of the box with common open source software like Wordpress and Drupal and it's 'good enough' for what you're doing (eg blog posts and comments) then why bother setting up dedicated infrastructure. There's no reason this can't be secure either - after all it is in many ways like Microsoft's Passport which has been used to secure sensitive content for years (eg Hotmail).

I'd like to see a decent security review of the OpenID protocol(s) as they stand though before I trusted it with anything particularly important.