I had to embed this in my blog hoping to spread the word a little more. I hope this becomes more popular. Forums, boards and other crap are really bugging me with registering for something that I only wish to use once. I hope these crappy sites get out of my Google so I can find or ask for what I need. These forums and their interface are lost in the Y2K era.
OpenID - An in-depth look at what it is, and how you can use it - Presentation Transcript
What is OpenID?
• "OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman)"
• An ID is a URI or XRI
• Federated identity, not delegated SSO: any OP can vouch for an identifier, unlike Facebook Connect or Sign-In with Twitter, which delegate login to a single provider
History
• 1.0 (5/2005) Original specification by Brad Fitzpatrick
• 1.1 (5/2006) First revision by Brad Fitzpatrick and David Recordon
• 2.0 (12/5/2007) Significant changes
  • Added directed identity, extensions, nonces, SHA256 support
  • Versioned
  • Yadis for discovery
Terminology
• Identifier (URI or XRI)
• End User (EU)
• Relying Party (RP, Consumer)
• OpenID Provider (OP, Identity Provider, IdP, Server)
• OP Endpoint URL
Simple Overview
• End User presents an identifier to a RP, claiming to own it
• RP directs the end user to the OP to log in and authorize
• End User is directed back to RP, who verifies the claim
A closer look
• EU supplies identifier to RP
• RP performs discovery on EU supplied identifier
• RP optionally creates an association (shared secret) with OP
• RP builds auth request URL and redirects EU to it
• EU logs in to OP, authorizes the request, is redirected back to RP
• RP receives auth response, and verifies the assertion
HTML Discovery
(the identifier page carries <link rel="openid2.provider"> and optional <link rel="openid2.local_id"> tags; 1.x used rel="openid.server" and rel="openid.delegate")
Yadis Discovery
(yet another discovery protocol: the RP fetches the identifier with Accept: application/xrds+xml, or follows an X-XRDS-Location header, and reads the OP endpoint from the XRDS document)
Discovery History
• 1.x: HTML
• 2.0: Yadis/XRDS, HTML
• Future: LRDD/XRD
OpenID Protocol
Messages
• All OpenID messages are key/value pairs
• Indirect messages (relayed through the End User's browser) are HTTP-encoded as GET parameters
• Direct requests (RP straight to OP) use POST
• Direct responses are in KV form, one "key:value\n" pair per line, with no openid. prefix
• HTTP-encoded keys carry the "openid." prefix, as in "openid.claimed_id"
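The two encodings above in code, as an added example that is not part of the original talk: the indirect checkid_setup request the RP redirects the browser to, the indirect response it gets back on return_to, and the KV-form body of a direct response. The endpoint and identifier URLs and the sample associate response are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

OPENID_NS = "http://specs.openid.net/auth/2.0"
# OpenID 2.0 "directed identity": the RP lets the OP choose the identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def build_checkid_setup_url(op_endpoint, return_to, realm,
                            claimed_id=IDENTIFIER_SELECT, op_local_id=IDENTIFIER_SELECT,
                            assoc_handle=None):
    """Indirect request: the openid.* pairs are HTTP-encoded as query parameters
    on the OP endpoint URL and the End User's browser is redirected there."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": op_local_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    if assoc_handle:  # without one the RP must verify later via check_authentication
        params["openid.assoc_handle"] = assoc_handle
    # The OP endpoint may already carry a query string; append, don't replace it.
    sep = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)


def parse_indirect_message(url):
    """Indirect response: the OP sends the browser back to return_to with openid.*
    query parameters. Only prefixed keys are part of the OpenID message; anything
    else is the RP's own state carried on return_to."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in query if k.startswith("openid.")}


def parse_kv(body):
    """Direct response (associate / check_authentication) body in KV form: one
    'key:value\\n' pair per line, keys WITHOUT the openid. prefix. Split on the
    first colon only, since values are often URLs that themselves contain ':'."""
    fields = {}
    for line in body.split("\n"):
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed KV line: {line!r}")
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


def to_kv(fields):
    """Serialize to KV form. The spec forbids ':' and newlines in keys and
    newlines in values; refuse them instead of emitting an ambiguous message."""
    out = []
    for key, value in fields.items():
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError(f"illegal character in KV pair {key!r}")
        out.append(f"{key}:{value}\n")
    return "".join(out)


# Constructed sample of an OP's direct response to an associate request over
# HTTPS with the no-encryption session type; the mac_key is a made-up value.
SAMPLE_ASSOCIATE_RESPONSE = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "assoc_handle:{HMAC-SHA256}{4a1f9e2c}{example}\n"
    "session_type:no-encryption\n"
    "assoc_type:HMAC-SHA256\n"
    "expires_in:1209600\n"
    "mac_key:Q2hhbmdlTWVUaGlzSXNOb3RBUmVhbE1hY0tleTAwMDE=\n"
)

if __name__ == "__main__":
    url = build_checkid_setup_url("https://op.example/server",
                                  "https://rp.example/openid/finish",
                                  "https://rp.example/")
    print(url)
    print(parse_kv(SAMPLE_ASSOCIATE_RESPONSE)["assoc_handle"])
```

The first-colon split in parse_kv is the detail that bites hand-rolled parsers: "ns:http://specs.openid.net/auth/2.0" contains two more colons after the key.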
OpenID Modes
• associate (direct communication)
  • Optional, but recommended
  • Establish a shared secret between RP and OP
• checkid_immediate (indirect communication)
  • OP should not interact with EU
• checkid_setup (indirect communication)
  • OP should interact with EU
• check_authentication (direct communication)
  • Verify an assertion directly with OP (no association)
Associations
• Uses the Diffie-Hellman protocol to establish the shared secret (the MAC key) over unencrypted transports (HTTP); the exchange is unauthenticated, so it hides the key from a passive eavesdropper but not from an active man-in-the-middle
• Session types DH-SHA1 or DH-SHA256 (SHA-256 only in 2.0)
• Can use "no-encryption" if the connection is over HTTPS (the MAC key then travels in the clear inside TLS)
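The association and the assertion check it enables, as an added example that is not part of the original talk: a minimal OP and RP run the DH-SHA256 association (the MAC key is hidden by XOR with H(btwoc(g^xy mod p)), exactly as the spec describes), the OP signs a positive assertion over the openid.signed fields in KV form, and the RP performs the checks a relying party must do before trusting it: return_to and op_endpoint match, the mandatory fields are covered by the signature, the HMAC verifies, and the response_nonce is fresh and unseen. The DH group is a deliberately tiny constructed one and the endpoint URLs are made up; a real implementation uses the spec's default 1536-bit modulus.

```python
import base64, hashlib, hmac, os, secrets
from datetime import datetime, timezone

NS = "http://specs.openid.net/auth/2.0"
HASH = "sha256"  # assoc_type HMAC-SHA256 / session_type DH-SHA256 (2.0 only; 1.x had SHA1 alone)
# Toy DH group, constructed for this example and NOT secure. Real implementations use the
# spec's default 1536-bit modulus with generator 2, or the values the RP sends in
# openid.dh_modulus / openid.dh_gen.
TOY_P, TOY_G = 2**127 - 1, 2


def btwoc(n):
    """Big-endian two's-complement encoding of a non-negative integer (the spec's btwoc):
    a 0x00 byte is prepended when the top bit is set so the value cannot read as negative."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def kv(pairs):
    """KV form of the signed fields, in openid.signed order, without the openid. prefix."""
    return "".join(f"{k}:{v}\n" for k, v in pairs)


def dh_pad(priv, peer_pub):
    """H(btwoc(g^xy mod p)): the one-time pad that hides the MAC key on the wire."""
    return hashlib.new(HASH, btwoc(pow(peer_pub, priv, TOY_P))).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def b64(b):
    return base64.b64encode(b).decode()


class OP:
    """Minimal OpenID Provider: answers associate and signs positive assertions."""
    def __init__(self, endpoint):
        self.endpoint, self.assocs = endpoint, {}

    def associate(self, consumer_pub):
        y = secrets.randbelow(TOY_P - 2) + 1
        mac_key = os.urandom(hashlib.new(HASH).digest_size)
        handle = "{HMAC-SHA256}{" + secrets.token_hex(4) + "}"
        self.assocs[handle] = mac_key
        return {"assoc_handle": handle, "expires_in": "1209600",
                "dh_server_public": b64(btwoc(pow(TOY_G, y, TOY_P))),
                "enc_mac_key": b64(xor(dh_pad(y, consumer_pub), mac_key))}

    def id_res(self, handle, claimed_id, return_to):
        nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4)
        fields = [("op_endpoint", self.endpoint), ("return_to", return_to),
                  ("response_nonce", nonce), ("assoc_handle", handle),
                  ("claimed_id", claimed_id), ("identity", claimed_id)]
        sig = hmac.new(self.assocs[handle], kv(fields).encode(), HASH).digest()
        msg = {"openid." + k: v for k, v in fields}
        msg.update({"openid.ns": NS, "openid.mode": "id_res",
                    "openid.signed": ",".join(k for k, _ in fields), "openid.sig": b64(sig)})
        return msg


class RP:
    """Relying Party side: one association per OP, plus the assertion checks."""
    MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

    def __init__(self, op_endpoint, return_to):
        self.op_endpoint, self.return_to = op_endpoint, return_to
        self.assocs, self.seen_nonces = {}, set()

    def associate(self, op):
        x = secrets.randbelow(TOY_P - 2) + 1
        resp = op.associate(pow(TOY_G, x, TOY_P))
        server_pub = int.from_bytes(base64.b64decode(resp["dh_server_public"]), "big")
        self.assocs[resp["assoc_handle"]] = xor(dh_pad(x, server_pub), base64.b64decode(resp["enc_mac_key"]))
        return resp["assoc_handle"]

    def verify(self, msg, max_skew=300):
        """Return the verified claimed_id or raise ValueError; each check is one the spec requires."""
        if msg.get("openid.ns") != NS or msg.get("openid.mode") != "id_res":
            raise ValueError("not an OpenID 2.0 positive assertion")
        if msg.get("openid.return_to") != self.return_to or msg.get("openid.op_endpoint") != self.op_endpoint:
            raise ValueError("return_to or op_endpoint does not match what we sent/discovered")
        signed = msg.get("openid.signed", "").split(",")
        if not self.MUST_SIGN <= set(signed) or any("openid." + k not in msg for k in signed):
            raise ValueError("a mandatory field is missing or outside the signature")
        mac_key = self.assocs.get(msg.get("openid.assoc_handle"))
        if mac_key is None:  # a real RP would fall back to check_authentication here
            raise ValueError("unknown association handle")
        expected = hmac.new(mac_key, kv((k, msg["openid." + k]) for k in signed).encode(), HASH).digest()
        if not hmac.compare_digest(expected, base64.b64decode(msg["openid.sig"])):
            raise ValueError("bad signature")
        nonce = msg["openid.response_nonce"]
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs((datetime.now(timezone.utc) - issued).total_seconds()) > max_skew or nonce in self.seen_nonces:
            raise ValueError("stale or replayed response_nonce")
        self.seen_nonces.add(nonce)
        return msg["openid.claimed_id"]


if __name__ == "__main__":
    op = OP("https://op.example/server")
    rp = RP("https://op.example/server", "https://rp.example/openid/finish")
    handle = rp.associate(op)
    assertion = op.id_res(handle, "https://alice.example/", rp.return_to)
    print(rp.verify(assertion))
```

Two points worth noticing in the RP side: the op_endpoint check only means something if the RP compares against the endpoint it obtained by discovery, not the one the response claims, and the nonce set is what turns "the signature is valid" into "this response has not been replayed". Because the DH step does not authenticate the OP, an active attacker on plain HTTP can still sit in the middle of the association; running associate over HTTPS (where no-encryption is also acceptable) is what closes that.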
Extensions
• Officially supported in 2.0
• Does not require an identifier (a request may carry only extension data)
• Popular extensions
  • Simple Registration (SREG)
  • Attribute Exchange (AX)
  • OpenID OAuth Extension (OAUTH)
  • Provider Authentication Policy Extension (PAPE)
  • User Interface (UI)
OpenID Libraries
• PHP
  • JanRain (openidenabled.com) Very complete
  • PEAR (RP support only as of this writing)
  • Zend Framework
  • CakePHP
• Python
  • JanRain (openidenabled.com)
• Ruby, C#, C++, Perl, Java, ColdFusion, Apache 2
A "Brown Bag Tech Talk" I gave at Digg, Inc. Thursday, May 20, 2009. It covers technical background on OpenID, as well as some screen shots of what some current user interface implementations look like.