Tuesday, February 27, 2007


I was reading Tim Bray's post on OpenID this morning. It's interesting to start looking at something new, when you begin with someone pointing out the flaws. After watching Simon Willison's screencast on OpenID I decided this seemed pretty cool.

OpenID is essentially a decentralized single-sign-on system. I can sign in to any site that supports OpenID using my new OpenID from this blog. My new OpenID is http://raykrueger.blogspot.com/. That's right, it's just the URL for this blog.

This is why I think OpenID is cool. My 'REAL' OpenID is raykrueger.pip.verisignlabs.com, I set it up at verisignlabs because they are the only provider that uses TLS by default. In Tim's post he points out that a lack of TLS/SSL in this scenario is sketchy at best, and I agree. Encryption is a must.

Ok, so Versign provides the OpenID authentication, but when I log into sites that support OpenId, I tell them my OpenId is
http://raykrueger.blogspot.com/. When they come here to my blog they'll find a simple bit of html in the page that tells them where to go for the real authentication provider. Have a look; right click this page and 'view source', you'll see two tags in the head section of the page that look like this:
<link href='https://pip.verisignlabs.com/server' rel='openid.server'/>
<link href='http://raykrueger.pip.verisignlabs.com/' rel='openid.delegate'/>
This tells the site that I'm logging into that http://raykrueger.blogspot.com/ is not the real provider, and that they should go to versignlabs as the server, and use by delegate openid, raykrueger.pip.verisignlabs.com.

Why go through all this trickery? Why not just use versignlabs as my openId directly? Well, if versignlabs (which is beta) gets dropped, or (god forbid) becomes a paid service, I'm not screwed. I can change providers at any time, just by changing the html tags here at blogspot. If you're interested in setting up this up for yourself, have a look at Simon Willison's instructions.

Maybe we'll have to look into adding support into Acegi Security for it. I wonder what Tim O'Brien over at PresidentFeed thinks about using it there?

No comments: