
Using OpenID Delegation


In a comment on my post about OpenID being an official lifehack now, Richard Miller asks, “which OpenID provider do you suggest?” The good news is that OpenID has a layer of indirection built in, so it’s not critical that you choose correctly. Here’s how it works.

First, you need to pick a URL to serve as your OpenID. It doesn’t need to be an OpenID provider and you don’t need to install a server at that URL. I’d recommend choosing one that you believe you’ll be able to hold onto for a good long time. That’s going to be the URL you use as your OpenID. I use http://phil.windley.org

Next, install link tags in the header of the HTML that gets returned from that page specifying your OpenID server and delegate. The server is the URL of the actual server that will process any OpenID requests. The delegate is your ID on that server. So, for example, if I want to use myopenid.com as my server, I add these two tags to the page at phil.windley.org:

<link rel="openid.server" 
      href="https://www.myopenid.com/server">
<link rel="openid.delegate" 
      href="http://windley.myopenid.com">

Now, suppose that I decide to use AOL as my OpenID server. I just change the preceding two tags to look like this:

<link rel="openid.server" 
      href="https://api.screenname.aol.com/auth/openidServer">
<link rel="openid.delegate" 
      href="http://openid.aol.com/pjwindley">

I still use phil.windley.org as my OpenID, just like before, but instead of logging into myopenid.com when I want to authenticate using my OpenID, I will be sent to openid.aol.com.

There’s no limitation on using delegation for the same OpenID with other URLs. For example, I also have link tags on www.windley.com, so if I want to use that as my OpenID, I can. This gives me the option of using different OpenIDs for different purposes. Note: These URLs are not independent identities; if you use two different URLs that both delegate to the same server/delegate pair, those identities can be linked by the relying party.
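To make the relying-party side of this concrete, here is an added example (my own code, not part of the original post or of any OpenID library) of the discovery step a relying party performs against the page at your OpenID URL: it parses the openid.server and openid.delegate link tags out of the HTML and returns the server/delegate pair it will redirect you to. The HTML pages are constructed inline to mirror the two tag sets above; the function names are assumptions of this example. It also shows the linkability point made above: two different claimed URLs that carry the same tags resolve to the same pair.

```python
"""Added example (not from the original post): a minimal OpenID 1.x
relying-party discovery step. It reads the openid.server and
openid.delegate <link> tags from the HTML served at a claimed identifier
URL, which is exactly what the delegation tags above are for."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OpenIDLinkParser(HTMLParser):
    """Collect hrefs of <link> tags whose rel is openid.server or
    openid.delegate. Only tags inside <head> count, so a <link> that
    appears in the body (for example inside user-supplied content) is
    ignored. Restricting discovery to <head> is this example's policy."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag == "body":
            self.in_head = False
            return
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        href = a.get("href")
        # rel may hold several space-separated tokens; keep the OpenID ones.
        for token in rel.split():
            if token in ("openid.server", "openid.delegate") and href:
                self.links.setdefault(token, href)  # first declaration wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Return (server_url, delegate_url) for the page served at claimed_id.

    Without an openid.delegate tag the delegate is the claimed identifier
    itself (the page must then be served by the provider). Both URLs must
    be absolute http(s) URLs; anything else raises ValueError.
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    parser.close()
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link tag in <head>")
    delegate = parser.links.get("openid.delegate", claimed_id)
    for name, url in (("server", server), ("delegate", delegate)):
        if urlparse(url).scheme not in ("http", "https"):
            raise ValueError(f"openid.{name} must be an absolute http(s) URL: {url!r}")
    return server, delegate


def rejects(claimed_id, html):
    """True when discovery refuses the page (used to check failure cases)."""
    try:
        discover(claimed_id, html)
    except ValueError:
        return True
    return False


# Constructed sample pages mirroring the two tag sets in the post.
PAGE_MYOPENID = """<html><head><title>Phil Windley</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="http://windley.myopenid.com">
</head><body><p>Technometria</p></body></html>"""

PAGE_AOL = """<html><head><title>Phil Windley</title>
<link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate" href="http://openid.aol.com/pjwindley" >
</head><body><p>Technometria</p></body></html>"""

# No delegate tag: the claimed URL itself is the identifier at the server.
PAGE_NO_DELEGATE = """<html><head>
<link rel="openid.server" href="https://www.myopenid.com/server">
</head><body></body></html>"""

# Tags only in the body (not in <head>) are ignored, so discovery fails.
PAGE_BODY_ONLY = """<html><head><title>x</title></head><body>
<link rel="openid.server" href="https://www.myopenid.com/server">
</body></html>"""

if __name__ == "__main__":
    for url, page in (("http://phil.windley.org", PAGE_MYOPENID),
                      ("http://phil.windley.org", PAGE_AOL),
                      ("http://www.windley.com", PAGE_MYOPENID)):
        print(url, "->", discover(url, page))
```

Running the block prints the server/delegate pair each page resolves to; note that http://phil.windley.org and http://www.windley.com with the same tags yield an identical pair, which is why a relying party can tell they belong to the same account.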

Delegation is a neat feature and one I’d recommend OpenID users take advantage of. Delegation gives you a certain amount of freedom in changing OpenID identity providers depending on feature set, price (all are free right now), and other considerations. So which OpenID provider should you use? Just pick one. The choice isn’t critical—you can always switch later with almost no consequence.


Posted by windley on February 24, 2007 8:41 PM


3 Comments

Thanks Phil -- this is great information.

Comment from Toby Baier at February 28, 2007 1:26 PM

Great info, I didn't know about this feature of OpenID before. Seems like it's really breaking through. I'm still concerned about security... not because of TLS or something, but because the user gets redirected by the service. It could redirect to whatever fake openid provider... so I need to trust the service, or have a close look at the url in my browser before I enter my password. Maybe hope is in Cardspace to verify the IdP for me?

Comment from Dara at October 19, 2007 6:51 PM

I like this article also. I'm only just these last days reading about openid and getting to understand it (i hope).

Yes, the redirection exploit is a worry Toby.

You can use a certificate in your browser to login to your openid provider, and this would fail for any fake site.

Key point here, you may need a password to lock your local certificate, but you don't need to enter it into a web form and so are protected from that type of theft you mention.

I also like that this article is clearly saying that OpenId is transferable ONLY in the case that you use a URI under -your own control- as your openid, and delegate the authentication to another provider.

There is too much information out there saying OpenId is not tying you to a provider, is transferable, etc, but not mentioning the caveat that this is only so when you own the URI you use as your id.

I think a lot of people are taking a provider URI and using it, and not worrying about transfer down the line because they haven't read the fine print.

Maybe their provider will disappear, or start to charge. Lots of potential for pain there....

We need more articles highlighting this imo
