Lost

Reputation: 13565

Some questions about OpenID

I am researching OpenID and seeing if it is a good solution for my website, and some things confused me. Correct me if I am wrong.

"My understanding is that OpenID works in a way that user sends the credential to authorization server and that TRUSTED server will say whether this user is legitimate or not."

Now, let's take the example of Stack Overflow. I see all these icons for Yahoo and Google and everything, and I guess Stack Overflow says these are my trusted providers, and if they trust you, I trust you.

Now, there is also one button which says OpenID, and I can go ahead and register there as well. Now, is that an independent authorization server? Who is the provider for that?

If I want to embed OpenID into my web project, which authorization server should I be using? I am seeing this OAuth as an option whenever I search about OpenID; is it an authorization server?

Upvotes: 0

Views: 167

Answers (1)

Kazuaki

Reputation: 957

OpenID is a standard, not an auth provider.

  • An OpenID URI supplies enough information to go to the auth provider for authentication.
  • The user enters their login credentials on the provider's site. This step relies on the user knowing what their provider's authorisation page looks like.
  • The reply, coupled with the referrer header, is meant to be enough info to securely authenticate a user.

OAuth is supplementary to OpenID.

[ Google has a reasonably good flow explanation: https://developers.google.com/accounts/docs/OpenID ]

Many websites provide options for particular auth providers just to simplify the process. OpenID URIs are not uniform, so you can't tell (for example) what the URI would be from an email address.

Some auth providers (like Google) make it kind of hard to find out what your OpenID actually is, presumably in an effort to make the login more transparent for users (and subsequently add branding to relying parties' websites).

If you know what your OpenID URI is, you should be able to enter that on any compatible site, without going through the "select a known provider" step. Whether that option is available, however, is at the discretion of the author.

[ As for the "trustedness" of auth providers, there are some potential issues: http://en.wikipedia.org/wiki/OpenID#Security ]

[ The OpenID Foundation has the official answers: http://openid.net/get-an-openid/ ]

Upvotes: 3
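The answer's third bullet says the provider's reply is "meant to be enough info to securely authenticate a user". What that means in practice for the relying party (the website) is that it must verify the positive assertion rather than trust it on sight. The following is an added example, not code from the answer or from any OpenID library: it builds an OpenID 2.0 `id_res` message the way a provider would sign it and then runs the relying-party checks on it (signature over the signed fields, `return_to` matching this site, required fields covered by the signature, and `response_nonce` not replayed). The MAC key, URLs, association handle and nonces are constructed for the demo; a real relying party obtains the MAC key from an association with the provider, or asks the provider to confirm the signature via `check_authentication` when it has no association.

```python
import base64
import hashlib
import hmac

# Constructed values for the demo. A real relying party (RP) gets the MAC key
# from an association established with the provider; it never hard-codes one.
RP_RETURN_TO = "https://rp.example/openid/return"
MAC_KEY = b"constructed-shared-secret-for-demo-only"

# Fields OpenID 2.0 requires to be covered by the signature of a positive assertion
# (claimed_id and identity must also be signed whenever they are present).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def kv_form(params, signed_names):
    """Key-value encoding of the signed fields, in the order given by openid.signed."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_names)


def compute_signature(params, mac_key):
    """HMAC-SHA256 (assoc_type HMAC-SHA256) over the key-value form, base64 encoded."""
    signed_names = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed_names).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_positive_assertion(claimed_id, nonce, mac_key=MAC_KEY):
    """Constructs an id_res message as the provider would sign it (demo only)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",   # constructed provider endpoint
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "constructed-assoc-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_signature(params, mac_key)
    return params


def verify_positive_assertion(params, seen_nonces, mac_key=MAC_KEY, expected_return_to=RP_RETURN_TO):
    """Relying-party checks on an id_res response. Returns (ok, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    # The response must be addressed to this RP, otherwise an assertion issued
    # for another site could be replayed here.
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match this RP"
    signed_names = params.get("openid.signed", "").split(",")
    must_sign = REQUIRED_SIGNED + tuple(
        n for n in ("claimed_id", "identity") if "openid." + n in params
    )
    for name in must_sign:
        if name not in signed_names:
            return False, f"required field not signed: {name}"
    for name in signed_names:
        if "openid." + name not in params:
            return False, f"signed field missing: {name}"
    # Constant-time comparison of the recomputed signature with the one sent.
    expected = compute_signature(params, mac_key)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"
    # Only after the signature checks out do we consume the nonce, so a forged
    # message cannot burn a nonce that a genuine response will use.
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "response_nonce replayed"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Genuine response, tampered claimed_id, and a replay of the genuine response."""
    seen = set()
    good = make_positive_assertion("https://alice.example/", "2012-01-01T00:00:00Zabc123")
    genuine = verify_positive_assertion(good, seen)
    tampered = dict(good, **{"openid.claimed_id": "https://mallory.example/"})
    forged = verify_positive_assertion(tampered, seen)
    replayed = verify_positive_assertion(good, seen)
    return genuine, forged, replayed


if __name__ == "__main__":
    for label, result in zip(("genuine", "tampered", "replayed"), demo()):
        print(f"{label}: {result}")
```

Two design points worth noting: the nonce is recorded only after the signature is verified, and the signature is compared with `hmac.compare_digest` rather than `==`. A production relying party would additionally parse the timestamp prefix of `response_nonce` and reject responses older than its allowed skew, and would confirm that `openid.op_endpoint` is the endpoint it discovered for the claimed identifier, so that an arbitrary provider cannot assert identities it does not own.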
