Friday, July 9, 2010

Using OpenID

In developing the Templates Registry project, one of the problems we had to resolve was managing the identity of the various participants. We specified requirements to identify and authenticate users in the registry requirements project, and we also included requirements for password reset and identity related notifications. In actual development, I’m avoiding having to code for some of those elements by using a standard called OpenID.  I have about four different OpenIDs at present that I can count including:

OpenID is an HTTP-based standard for exchanging and verifying identity. Here’s how it works.

There are three main parties:
  1. The end user whose identity needs to be verified (me).
  2. The identity server that verifies the identity (
  3. The identity consumer who needs to use the identity (my application).
This is the essential process flow:
  1. The identity consumer (my application) displays a login page allowing the end user to specify their OpenID URL (see link jQueryOpenIdPlugin below).
  2. The user (me) specifies a URL ( that they control to the identity consumer.
  3. The identity consumer uses that URL to discover the identity server it needs to correspond with.
  4. The identity consumer passes an HTTP request to the identity server that includes a nonce and a return page.
  5. The identity server returns a user interface that allows the user to login.
  6. The user logs in.
  7. The identity server redirects the user to the return page with a few parameters indicating the success of the login request and the identity of the user (if successful).
There’s a lot more detail behind this. For example, steps 5 and 6 can basically be skipped altogether if the user authorizes the calling web page permanently with the identity server. There are also ways to request additional information from the user’s identity (e.g., e-mail address and other details).
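To make step 7 concrete from the identity consumer's side, here is an added example (not code from the original post, and not openid4java) that simulates the signed parameters an identity server sends back to the return page and the checks the consumer must run before trusting the claimed identity: the return page must be the one requested, the security-relevant fields must be covered by the signature, the HMAC over the OpenID 2.0 key-value form must verify, and the response nonce must be fresh and never seen before. The association MAC key, the endpoint and identity URLs, and the timestamp are constructed for the example.

```python
"""Identity-consumer verification of an OpenID 2.0 positive assertion.

Added example, not from the original post or openid4java. The MAC key,
URLs and timestamp are constructed; a real key comes from the association
step with the identity server.
"""
import base64
import hashlib
import hmac
import time
from datetime import datetime, timezone

ASSOC_HANDLE = "assoc-example-1"                    # constructed
MAC_KEY = b"0123456789abcdef0123456789abcdef"       # constructed shared secret
NONCE_MAX_AGE_SECONDS = 300


def kv_form(params, signed_fields):
    """OpenID 2.0 key-value form: 'field:value\\n' for each field named in
    openid.signed, in that order, with the 'openid.' prefix stripped."""
    try:
        return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    except KeyError as missing:
        raise ValueError(f"signed field missing: {missing}") from None


def sign(params, signed_fields, mac_key=MAC_KEY):
    """HMAC-SHA256 over the key-value form, base64-encoded (openid.sig)."""
    mac = hmac.new(mac_key, kv_form(params, signed_fields).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_positive_assertion(claimed_id, return_to, now):
    """Simulated identity server: the parameters of the step-7 redirect."""
    ts = datetime.fromtimestamp(now, tz=timezone.utc)
    nonce = ts.strftime("%Y-%m-%dT%H:%M:%SZ") + "uniq01"   # UTC timestamp + unique suffix
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "claimed_id", "identity"]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://idp.example/openid",   # constructed
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.signed": ",".join(signed),
    }
    params["openid.sig"] = sign(params, signed)
    return params


class RelyingParty:
    """Identity consumer: verifies a returned assertion before accepting it."""

    REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                       "assoc_handle", "claimed_id", "identity"}

    def __init__(self, expected_return_to):
        self.expected_return_to = expected_return_to
        self.seen_nonces = set()   # replay protection; use a persistent store in production

    def verify(self, params, now=None):
        """Return the verified claimed identifier, or raise ValueError."""
        now = time.time() if now is None else now
        if params.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        # 1. The response must be for the return page this consumer asked for.
        if params.get("openid.return_to") != self.expected_return_to:
            raise ValueError("return_to mismatch")
        # 2. Every security-relevant field must be covered by the signature.
        signed_fields = params.get("openid.signed", "").split(",")
        if not self.REQUIRED_SIGNED.issubset(signed_fields):
            raise ValueError("required field not signed")
        # 3. The signature must verify under the association we established.
        if params.get("openid.assoc_handle") != ASSOC_HANDLE:
            raise ValueError("unknown association")
        if not hmac.compare_digest(sign(params, signed_fields), params.get("openid.sig", "")):
            raise ValueError("bad signature")
        # 4. The nonce must be recent and never accepted before (no replay).
        nonce = params["openid.response_nonce"]
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - ts.timestamp()) > NONCE_MAX_AGE_SECONDS:
            raise ValueError("stale nonce")
        if nonce in self.seen_nonces:
            raise ValueError("replayed nonce")
        self.seen_nonces.add(nonce)
        return params["openid.claimed_id"]


def demo():
    """Accept one good assertion, then reject a replay, a tampered identity
    and a response aimed at a different return page."""
    rp = RelyingParty("https://registry.example/openid/return")   # constructed
    now = 1278633600   # constructed fixed time: 2010-07-09 00:00:00 UTC
    good = make_positive_assertion("https://me.example/", rp.expected_return_to, now)
    results = {"accepted": rp.verify(good, now)}
    cases = {
        "replay": dict(good),
        "tampered_identity": {**good, "openid.claimed_id": "https://other.example/",
                              "openid.identity": "https://other.example/"},
        "wrong_return_to": make_positive_assertion("https://me.example/",
                                                   "https://other.example/return", now),
    }
    for label, params in cases.items():
        try:
            results[label] = rp.verify(params, now)
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters less than their completeness: a consumer that verifies the signature but never checks `return_to` or the nonce will accept an assertion captured from one login and replayed later, which is exactly the class of problem the password-management code the author avoided would otherwise have had to solve.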

Getting all of this to work with open source is about a day’s worth of effort. You need about half a day to locate the right OpenID library (I used openid4java) and a good login user interface (I used the jQueryOpenIdPlugin, which also requires jQuery). A couple of hours of reading the specifications, and a couple more playing around, and you have a workable login page. Having done it once, it will only take me an hour or two the next time around. I could have spent days on this problem alone, but because of standards, I don't have to.

Using OpenID I've completely eliminated the need to deal with:
  • Identity Creation
  • Password Management
I may also be able to automate the user registration process by obtaining additional user information from the OpenID server. I suspect that will take a bit longer to figure out completely, and will only work with some OpenID servers.
