Using OpenID Delegation


In a comment on my post about OpenID being an official lifehack now, Richard Miller asks "which OpenID provider do you suggest?" The good news is that OpenID has a layer of indirection built in, so it's not critical that you choose correctly. Here's how it works.

First, you need to pick a URL to serve as your OpenID. It doesn't need to be an OpenID provider and you don't need to install a server at that URL. I'd recommend choosing one that you believe you'll be able to hold onto for a good long time. That's going to be the URL you use as your OpenID. I use http://phil.windley.org.

Next, install link tags in the header of the HTML that gets returned from that page specifying your OpenID server and delegate. The server is the URL of the actual server that will process any OpenID requests. The delegate is your ID on that server. So, for example, if I want to use myopenid.com as my server, I add these two tags to the page at phil.windley.org:

<link rel="openid.server" 
      href="https://www.myopenid.com/server">
<link rel="openid.delegate" 
      href="http://windley.myopenid.com">

Now, suppose I decide to use AOL as my OpenID server instead. I just change the preceding two tags to look like this:

<link rel="openid.server" 
      href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate" 
      href="http://openid.aol.com/pjwindley" >

I still use phil.windley.org as my OpenID, just like before, but instead of logging into myopenid.com when I want to authenticate using my OpenID, I will be sent to openid.aol.com.

Nothing stops you from setting up delegation on more than one URL pointing at the same server and delegate. For example, I also have link tags on www.windley.com, so if I want to use that as my OpenID, I can. This gives me the option of using different OpenIDs for different purposes. Note: These URLs are not independent identities; if you use two different URLs that both delegate to the same server/delegate pair, those identities can be linked by the relying party.
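To make the mechanism concrete, here is the discovery step a relying party performs when it is handed a delegating URL: fetch the page, read the two link tags out of the HTML head, and use the server and delegate from there. This is an added example written for this post, not code from the post or from any OpenID library; the sample pages are constructed from the tag pairs shown above, the function names discover and same_identity are my own, and it handles only the OpenID 1.x openid.server/openid.delegate tags described here. It also checks the linkability point from the note: two URLs that resolve to the same server/delegate pair are treated as one identity.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages modelled on the two tag pairs in the post.
# A real relying party would fetch these over HTTP from the claimed URL.
PAGE_MYOPENID = """<html><head><title>Phil Windley</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="http://windley.myopenid.com">
</head><body>hello</body></html>"""

PAGE_AOL = """<html><head>
<link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate" href="http://openid.aol.com/pjwindley" >
</head><body>
<!-- a link tag outside the head is not part of discovery and is ignored -->
<link rel="openid.server" href="https://ignored.example/server">
</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collect openid.server / openid.delegate link tags from the HTML head only."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "body":
            # Reaching <body> ends the head even if </head> was omitted.
            self.in_head = False
            self.head_done = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel = (a.get("rel") or "").strip().lower()
            href = (a.get("href") or "").strip()
            if rel in ("openid.server", "openid.delegate") and href:
                self.found.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.head_done = True


def _is_http_url(url):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def discover(claimed_id, html):
    """Return (server, local_id) for a claimed OpenID URL, or None if the page
    carries no usable openid.server tag.  With no openid.delegate tag the
    claimed URL itself is the identity known to the server."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    parser.close()
    server = parser.found.get("openid.server")
    if server is None or not _is_http_url(server):
        return None
    local_id = parser.found.get("openid.delegate", claimed_id)
    if not _is_http_url(local_id):
        return None
    return (server, local_id)


def same_identity(discovery_a, discovery_b):
    """Two claimed URLs that delegate to the same server/delegate pair are
    linkable by the relying party: they are the same identity."""
    return discovery_a is not None and discovery_a == discovery_b


if __name__ == "__main__":
    # Same claimed URL, two different providers: only the tags change.
    print(discover("http://phil.windley.org", PAGE_MYOPENID))
    print(discover("http://phil.windley.org", PAGE_AOL))
    # A second URL carrying the same tags is linkable to the first.
    print(same_identity(discover("http://www.windley.com", PAGE_AOL),
                        discover("http://phil.windley.org", PAGE_AOL)))
```

Switching providers is exactly what the second call shows: the claimed URL stays http://phil.windley.org and only the discovered server and delegate change, which is why the choice of provider is not critical.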

Delegation is a neat feature and one I'd recommend OpenID users take advantage of. Delegation gives you a certain amount of freedom in changing OpenID identity providers depending on feature set, price (all are free right now), and other considerations. So which OpenID provider should you use? Just pick one. The choice isn't critical--you can always switch later with almost no consequence.

OpenID Bonus Links: