
I am researching OpenID to see if it is a good solution for my website, and some things confused me. Correct me if I am wrong.

"My understanding is that OpenID works in a way that user sends the credential to authorization server and that TRUSTED server will say whether this user is legitimate or not."

Now, let's take the example of Stack Overflow. I see all these icons for Yahoo and Google and everything, and I guess Stack Overflow says these are my trusted providers and if they trust you, I trust you.

Now, there is also one button which says OpenID and I can go ahead and register there as well. Now, is that an independent authorization server? Who is the provider for that?

If I want to embed OpenID in my web project, which authorization server should I be using? I see OAuth as an option whenever I search about OpenID; is it an authorization server?


1 Answer

OpenID is a standard, not an auth provider.

  • An OpenID URI supplies enough information to go to the auth provider for authentication.
  • The user enters their login credentials on the provider's site. This step relies on the user knowing what their provider's authorisation page looks like.
  • The reply, coupled with the referrer header, is meant to be enough info to securely authenticate a user.

OAuth is supplementary to OpenID.

[ Google has a reasonably good flow explanation: https://developers.google.com/accounts/docs/OpenID ]

Many websites provide options for particular auth providers just to simplify the process. OpenID URIs are not uniform, so you can't tell (for example) what the URI would be from an email address.

Some auth providers (like Google) make it kind of hard to find out what your OpenID actually is, presumably in an effort to make the login more transparent for users (and subsequently add branding to relying parties' websites).

If you know what your OpenID URI is, you should be able to enter that on any compatible site, without going through the "select a known provider" step. Whether that option is available, however, is at the discretion of the author.

[ As for the "trustedness" of auth providers, there are some potential issues: http://en.wikipedia.org/wiki/OpenID#Security ]

[ The OpenID Foundation has the official answers: http://openid.net/get-an-openid/ ]
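As an added example (my own code, not from the answer, Google, or any OpenID library): the three steps the answer lists, seen from the relying party's side. It parses the claimed-identifier page to find the provider (HTML-based discovery only; XRDS/Yadis discovery is left out), and then checks a positive assertion the way a relying party has to before trusting it: the reply must name the endpoint the relying party discovered itself, must be addressed to the URL it actually arrived on, must have its security-relevant fields covered by the signature, and must carry a fresh, never-before-seen nonce. The hostnames, the MAC key, the association handle and the HTML page are all constructed for the example, and an association between relying party and provider is assumed to already exist; the OP-side signing helper only stands in for a real provider so the checks have something to verify.

```python
import base64
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
NONCE_WINDOW = timedelta(minutes=5)  # how far a nonce timestamp may drift from now

# Constructed sample data (hypothetical hosts, not real endpoints).
SAMPLE_ID_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.com/endpoint">
<link rel="openid2.local_id" href="https://op.example.com/id/alice">
</head><body>Alice's home page</body></html>"""
SAMPLE_MAC_KEY = b"constructed-example-mac-key-32by"  # assumed shared via a prior association


def discover_html(html):
    """HTML-based discovery: read the OP endpoint (and optional OP-local id)
    from <link> tags on the claimed-identifier page."""
    found = {}
    for tag in re.findall(r"<link\b[^>]*>", html, flags=re.I):
        rel = re.search(r'rel="([^"]*)"', tag, flags=re.I)
        href = re.search(r'href="([^"]*)"', tag, flags=re.I)
        if not (rel and href):
            continue
        rels = rel.group(1).lower().split()
        if "openid2.provider" in rels:
            found["op_endpoint"] = href.group(1)
        if "openid2.local_id" in rels:
            found["local_id"] = href.group(1)
    return found


def signature_for(params, mac_key):
    """HMAC-SHA256 over the Key-Value form of the signed fields: one
    'key:value\\n' line per field, 'openid.' prefix stripped, in listed order."""
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def make_signed_response(mac_key, nonce, overrides=None):
    """Stand-in for the provider: build and sign a positive assertion."""
    params = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
              "openid.op_endpoint": "https://op.example.com/endpoint",
              "openid.return_to": "https://rp.example.com/openid/return?sid=42",
              "openid.response_nonce": nonce, "openid.assoc_handle": "assoc-constructed-1",
              "openid.claimed_id": "https://alice.example.com/",
              "openid.identity": "https://op.example.com/id/alice"}
    params.update(overrides or {})
    params["openid.signed"] = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    params["openid.sig"] = signature_for(params, mac_key)
    return params


def verify_positive_assertion(params, mac_key, discovered_endpoint, received_url, seen_nonces, now):
    """Relying-party checks on a positive assertion; returns (ok, reason).
    seen_nonces is a set the relying party keeps per OP endpoint."""
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    # Trust only the endpoint we discovered, never one the reply names.
    if params.get("openid.op_endpoint") != discovered_endpoint:
        return False, "op_endpoint mismatch"
    # return_to must match the URL this reply actually arrived on.
    want, got = urlsplit(params.get("openid.return_to", "")), urlsplit(received_url)
    if (want.scheme, want.netloc, want.path) != (got.scheme, got.netloc, got.path):
        return False, "return_to mismatch"
    got_q = parse_qs(got.query)
    if any(got_q.get(k) != v for k, v in parse_qs(want.query).items()):
        return False, "return_to mismatch"
    # Every security-relevant field must be under the signature.
    signed = set(params.get("openid.signed", "").split(","))
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    required |= {k for k in ("claimed_id", "identity") if "openid." + k in params}
    if not required <= signed:
        return False, "required field not signed"
    try:
        expected = signature_for(params, mac_key)
    except KeyError:
        return False, "signed field missing"
    if not hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode()):
        return False, "bad signature"
    # Nonce: a UTC timestamp plus unique suffix; must be recent and unseen.
    nonce = params["openid.response_nonce"]
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)", nonce)
    if not m:
        return False, "malformed nonce"
    stamped = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - stamped) > NONCE_WINDOW:
        return False, "nonce outside window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Run the checks against a good reply and four bad ones."""
    endpoint = discover_html(SAMPLE_ID_PAGE)["op_endpoint"]
    now = datetime(2012, 4, 11, 22, 52, tzinfo=timezone.utc)
    received = "https://rp.example.com/openid/return?sid=42&openid.mode=id_res"
    seen = set()
    check = lambda p: verify_positive_assertion(p, SAMPLE_MAC_KEY, endpoint, received, seen, now)
    good = make_signed_response(SAMPLE_MAC_KEY, "2012-04-11T22:51:30Zconstructed01")
    results = {"valid": check(good), "replayed": check(good)}
    results["tampered"] = check(dict(good, **{"openid.claimed_id": "https://bob.example.com/"}))
    results["wrong_return_to"] = check(make_signed_response(
        SAMPLE_MAC_KEY, "2012-04-11T22:51:40Zconstructed02",
        {"openid.return_to": "https://other.example.net/return"}))
    results["stale"] = check(make_signed_response(SAMPLE_MAC_KEY, "2012-04-11T20:00:00Zconstructed03"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

The order of the checks matters: the endpoint and return_to comparisons use values the relying party obtained itself (from discovery and from its own request URL), the signature check then proves the reply came from that endpoint, and only a reply that passed everything has its nonce recorded, so a bad reply cannot poison the replay store. Running the block shows the valid reply accepted once, the same reply rejected as a replay, the altered claimed_id rejected as a bad signature, the reply addressed to another site rejected on return_to, and the old nonce rejected as outside the window.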

  • OpenID still is a concept where, for example, Google acts as OpenID provider and on Stack Overflow we can see Yahoo and Google as OpenID providers. But as I asked before, there is also a link for OpenID. Is it for the people who do not have any Yahoo or Google account, or maybe have one but still don't want to use them to authenticate themselves, so they can go ahead and store their credentials in OpenID.net's database and now OpenID.net will work as their authorization server? I think I am confusing OpenID the concept with OpenID.net the authorization server. Is that correct? – Lost Apr 11 '12 at 22:52
  • There is no centralized OpenID database. Any web site could be a provider if they wanted to do so. As the person answered above, the additional textbox in Stack Overflow is so that you can go to any OpenID provider and not just the commonly used ones. – pdwetz Apr 13 '12 at 17:41
  • Also, if you know your URI for Google or Yahoo!, you should be able to just enter it in the text box, and end up with the same workflow :) – Kazuaki Apr 27 '12 at 03:04