OpenID - An in depth look at what it is, and how you can use it


Published on

A "Brown Bag Tech Talk" I gave at Digg, Inc. Thursday, May 20, 2009. It covers technical background on OpenID, as well as some screen shots of what some current user interface implementations look like.

  • Comment: I had to embed this in my blog hoping to spread the word a little more. I hope this becomes more popular. Forums, boards and other crap are really bugging me with registering for something that I only wish to use once. I hope these crappy sites get out of my Google so I can find or ask for what I need. These forums and their interfaces are lost in the Y2K era.

Slide transcript:
    1. An in-depth look at what it is, and how you can use it

    2. What is OpenID?
       • "OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman)"
       • An ID is a URI or XRI
       • Federated, not delegated SSO (Facebook Connect, Sign-In with Twitter)

    3. History
       • 1.0 (5/2005): Original specification by Brad Fitzpatrick
       • 1.1 (5/2006): First revision by Brad Fitzpatrick and David Recordon
       • 2.0 (12/5/2007): Significant changes
         • Added directed identity, extensions, nonces, SHA256 support
         • Versioned
         • Yadis for discovery

    4. Terminology
       • Identifier (URI or XRI)
       • End User (EU)
       • Relying Party (RP, Consumer)
       • OpenID Provider (OP, Identity Provider, IdP, Server)
       • OP Endpoint URL

    5. Simple Overview
       • End User presents an identifier to an RP, claiming to own it
       • RP directs the End User to the OP to log in and authorize
       • End User is directed back to the RP, who verifies the claim

    6. A closer look
       • EU supplies identifier to RP
       • RP performs discovery on the EU-supplied identifier
       • RP optionally creates an association (shared secret) with OP
       • RP builds auth request URL and redirects EU to it
       • EU logs in to OP, authorizes the request, is redirected back to RP
       • RP receives auth response, and verifies the assertion
    7. HTML Discovery

    8. Yadis Discovery (yet another discovery protocol)

    9. Discovery History
       • 1.x: HTML
       • 2.0: Yadis/XRDS, HTML
       • Future: LRDD/XRD

    10. OpenID Protocol Messages
       • All OpenID messages are key/value pairs
       • Indirect requests are GET parameters
       • Direct requests use POST
       • Response KV format for direct requests is "key:value\n"
       • Keys contain the 'openid.' prefix, as in "openid.claimed_id"

    11. OpenID Modes
       • associate (direct communication)
         • Optional, but recommended
         • Establish a shared secret between RP and OP
       • checkid_immediate (indirect communication)
         • OP should not interact with EU
       • checkid_setup (indirect communication)
         • OP should interact with EU
       • check_authentication (direct communication)
         • Verify an assertion directly with OP (no association)

    12. Associations
       • Uses the Diffie-Hellman protocol for establishing shared secrets over unencrypted transports (HTTP)
       • sha1 or sha256
       • Can use "no-encryption" if the connection is over HTTPS
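An added example, not from the talk, of what the RP does with the association from slide 12 when it "verifies the assertion" (slide 6): the fields named in openid.signed are rebuilt in the "key:value\n" form from slide 10 (with the openid. prefix stripped), HMAC-SHA256'd with the association's MAC key, compared against openid.sig in constant time, and the response_nonce is checked against a replay store. All names, URLs and key material below are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample secret standing in for the MAC key agreed in the associate step.
MAC_KEY = b"constructed-32-byte-association-k"

# Fields an RP must insist are covered by the signature (claimed_id/identity when present).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def signed_kv(params):
    """Key-value form ("key:value\n", openid. prefix stripped) of the fields
    listed in openid.signed; this byte string is what the OP signs."""
    names = params["openid.signed"].split(",")
    return "".join("%s:%s\n" % (n, params["openid." + n]) for n in names).encode()


def sign_message(params, mac_key):
    """OP side: attach openid.sig using an HMAC-SHA256 association."""
    digest = hmac.new(mac_key, signed_kv(params), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(digest).decode()
    return params


def verify_assertion(params, mac_key, seen_nonces):
    """RP side: signature must cover the mandatory fields, match the
    association secret, and the response_nonce must be fresh."""
    signed = set(params.get("openid.signed", "").split(","))
    if not set(REQUIRED_SIGNED) <= signed:
        return False
    try:
        mac = hmac.new(mac_key, signed_kv(params), hashlib.sha256).digest()
    except KeyError:  # a field listed in openid.signed is missing
        return False
    if not hmac.compare_digest(base64.b64encode(mac).decode(), params.get("openid.sig", "")):
        return False
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False  # replayed assertion; a real store also expires old nonces
    seen_nonces.add(nonce)
    return True


def sample_response():
    """A constructed positive assertion (id_res) as the OP would return it."""
    return sign_message({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.return_to": "https://rp.example/finish",
        "openid.response_nonce": "2009-05-20T17:00:00ZabcDEF",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }, MAC_KEY)
```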
    13. Extensions
       • Officially supported in 2.0
       • Does not require an identifier
       • Popular extensions
         • Simple Registration (SREG)
         • Attribute Exchange (AX)
         • OpenID OAuth Extension (OAUTH)
         • Provider Authentication Policy Extension (PAPE)
         • User Interface (UI)

    14. OpenID Libraries
       • PHP
         • JanRain ( Very Complete
         • PEAR (RP support only as of this writing)
         • Zend Framework
         • CakePHP
       • Python
         • JanRain (
       • Ruby, C#, C++, Perl, Java, ColdFusion, Apache 2

    15. Outsourcing OpenID
       • RPX (JanRain)
       • Vidoop Connect