This document outlines the OpenID authentication process. It shows how a user named Alex, with the OpenID http://alex.provider.com/, is able to log into their bank account at Big Bank by authenticating once with their OpenID provider. The OpenID provider verifies Alex's identity and sends authentication responses to Big Bank, allowing Alex to access the bank's site without needing to log in a second time.

1. This is the person
who desires to
access a web site.
Person has:
Name:
ID:
This is the browser
he is using to access
the web.
Alex
http://alex.provider.com/
Browser
(User-Agent)
This address
represents Alex
This is site that the
user really want to
access. For this
example he wants to
access his bank
called “Big Bank”.
Desired Site
(OpenID Consumer)
(Relying Party)
http://bigbank.com/
Identity Page
OpenID
Provider
http://provider.com/
This is site that is
going to prove that
Alex is really Alex.

2. Me!
Alex Allentown
Browser
(User-Agent)
http://alex.provider.com/
Identity Page

3. I will log
In ONCE
UserName:
aallen321
Password:
**************
LOGIN
Browser
(User-Agent)
http://alex.provider.com/
Identity Page
OpenID
Provider

4. OK!
OK,
You are
logged in to
the OpenID
service.
Browser
(User-Agent)
http://alex.provider.com/
Identity Page
OpenID
Provider

5. Need to access
the bank.
Big Bank
Enter your OpenID:
http://alex.provider.com
LOGIN
Browser
(User-Agent)
http://bigbank.com/
Desired Site
(OpenID Consumer)
(Relying Party)
Identity Page
OpenID
Provider

6. I clicked “Login”
Headers:
openid.server = http://provider.com/a.cgi
openid.delegate = http://provider.com/a.cgi
Browser
(User-Agent)
http://bigbank.com/
Desired Site
Identity Page
(OpenID Consumer)
(Relying Party)
http://alex.provider.com/

7. I am waiting
Parameters:
openid.mode = checkid_setup
openid.identity = http://alex.provider.com/
openid.return_to = http://bigbank.com/...
Browser
(User-Agent)
Send redirect
http://provider.com/a.cgi
Desired Site
(OpenID Consumer)
(Relying Party)
OpenID
Provider

8. I am waiting
Additional Parameters:
openid.mode = id_res
openid.identity = http://alex.provider.com/
openid.return_to = http://bigbank.com/...
openid.signed = mode,identity,return_to
openid.assoc_handle = XXXXX
openid.sig = YYYYY
Browser
(User-Agent)
http://bigbank.com/...
Send redirect
Desired Site
(OpenID Consumer)
(Relying Party)
OpenID
Provider

9. I am waiting
Same parameters as request except
openid.mode = check_authentication
Response in body:
is_valid:true
Browser
(User-Agent)
Desired Site
(OpenID Consumer)
(Relying Party)
OpenID
Provider

10. OK! Now I can
get things done.
Big Bank
You are logged in!
What would you like
to do?
Browser
(User-Agent)
Finally … generate
page for display
Desired Site
(OpenID Consumer)
(Relying Party)
Identity Page
OpenID
Provider