OpenID Programming: Learn to Handle Universal Logins
OpenID is an intentionally free decentralized authentication protocol. It provides a way for secure authentication systems, such as Google Sign-In, to authenticate users when they access third-party websites and applications. Thanks to OpenID and other decentralized authentication systems, personal blogs, small business websites, and mobile apps can use secure authentication systems that have been designed and implemented by industry leaders.
History of OpenID
OpenID was born in May of 2005 when Brad Fitzpatrick, founder of LiveJournal, announced a new distributed identity system called Yadis (Yet Another Distributed Identity System). The original announcement made clear that Brad envisioned Yadis as a method of authenticating LiveJournal users to third-party websites. Just a few days later, Yadis was renamed OpenID when the domain openid.net was gifted for use with the project.
OpenID 1.0 was a conceptual framework with limited real-world utility. However, development moved along at a rapid clip and OpenID 2.0 was announced approximately one year after the project was launched. Adoption of OpenID 2.0 was widespread and rapid, and by early 2007, Symantec, Microsoft, AOL, and Sun Microsystems were on board.
In 2014, OpenID Connect was born. This new generation of OpenID offers two noteworthy improvements when compared to OpenID 2.0:
- It is built on top of the robust communication and authorization protocols of OAuth 2.0.
- It is more developer-friendly and easier to integrate with mobile applications than its predecessors.
Who Uses OpenID?
OpenIDs are issued by many popular websites including Google, Yahoo!, Microsoft, and PayPal. When you register with one of these sites, you are assigned an OpenID. As a result, you probably have one, two, or a handful of OpenIDs already, even if you don’t realize it.
Websites of all types — ecommerce sites, blogs, social networks, and more — use OpenID to authenticate users. As a matter of fact, there are more than one billion registered OpenIDs and more than one million websites and applications that accept OpenIDs for user authentication.
How Does OpenID Work?
There are three parties involved in OpenID user authentication:
- End-user: The individual seeking to authenticate themselves — that is, sign-in — to a website or application.
- Relying part (RP): A website or application that requires user authentication and relies on the OpenID protocol to communicate with a third-party to authenticate end-users.
- Identity provider (IDP): A third-party service, such as Google, that registers OpenIDs and provides OpenID authentication services.
With those three parties defined, here’s how OpenID works:
- An end-user claims an OpenID by registering an account with an IDP.
- The IDP creates an OpenID URL for the end-user. This URL is unique to the end-user and claiming ownership of the URL requires the end-user to sign in to the IDP’s system. For example, if you use Google as an IDP, they create a Google+ URL on your behalf which serves as your OpenID URL, and you have to sign in to your Google account to verify ownership of that URL.
- The end-user visits an OpenID RP and selects the option to register an account by logging in with a third-party IDP, such as Google.
- The end-user is redirected to the third-party IDP and asked to confirm ownership of the OpenID URL by logging in.
- If the end-user is successfully authenticated by the IDP, then the IDP sends back the end-users unique OpenID URL to the RP, and the RP registers the new user with that URL.
At no point does the RP receive the end-users password. As a result, RPs don’t have to worry about securely storing user passwords. The IDP handles authentication and then confirms the end user’s identity for the RP using the end user’s OpenID URL.
Create Your Own OpenID URL with phpMyID
So far, we’ve used examples of well-known OpenID providers. However, OpenID is intentionally free. That means that anyone — even you — can register OpenIDs and serve as an IDP. Setting up and offering public OpenID registration is definitely a bad idea unless you are a web security expert. However, if you want to set up an OpenID IDP for your own personal use and education, it really isn’t all that difficult.
phpMyID is a simple script you can use to set up any URL you control as your own personal OpenID. The original project was abandoned back in 2008 and did not work with PHP 5.4. However, with a few updates and security enhancements, the project was brought up to speed with PHP 5.4 and 5.6, and you can get it from GitHub.
It’s worth noting that phpMyID does not meet OpenID Connect specifications. However, you can use it to generate OpenID 2.0 URLs.
Keep in mind that phpMyID is only as secure as the version of PHP running the script, the password security measures you put in place, and the security measures protecting the server where it’s hosted. As a result, setting up your own OpenID with phpMyID is an interesting project to tackle, but ultimately a risky endeavor unless you have the necessary expertise to ensure it’s secure. In other words, use phpMyID to learn about OpenID, but don’t use it for general user authentication.
If you want to incorporate OpenID authentication into your next project there a number of resources available to help you get started.
Before diving into implementation, you will want to have a solid high-level understanding of how OpenID works. The following resources provide the high-level overview you need:
- OpenID Connect FAQ and Q&As: the offical FAQ of the OpenID Foundation. Refer to this page for a detailed introduction to OpenID.
- Developer Tips from OpenID Explained: if you’re implementing OpenID for the first time, read through these tips to avoid common pitfalls.
- OpenID Connect in a nutshell by Nat Sakimura: if you’re feeling a bit intimidated by implementation of OpenID, this short article provides an overview of how relying partners and identity providers interact.
- Write an OpenID Connect Server in Three Simple Steps by Nat Sakimura: there’s no better way to learn than by doing. If you’re already up-to-speed with OAuth 2.0, then this tutorial will walk you through the process of quickly setting up an OpenID Connect server on top of OAuth 2.0 authentication.
If you’re ready to move beyond introductions and overviews and dive into implementation, here are the technical specifications and libraries you will need access to.
- Welcome to OpenID Connect: this official homepage for OpenID Connect includes links to the OpenID Specifications. Available documents include the OpenID Connect Core specification, a Basic Client Implementer’s Guide, an Implicit Client Implementer’s Guide, and much more.
- OpenID Provider Resources: some OpenID providers offer extensive documentation so developers can use their OpenID systems for user authentication.
Well-reviewed books that introduce OpenID and explain authentication implementation are also available.
- OAuth 2.0: Getting Started in API Security (2015) by Matthias Biehl: a short introduction to OAuth 2.0 and OpenID Connect that will provide the foundation for tackling more advanced materials.
- Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE (2014) by Prabath Siriwardena: a thorough introduction to API authentication that covers the most popular authentication standards today including OAuth 2.0 and OpenID. At over 250 pages, this is not a quick read.
- Getting Started with OAuth 2.0 (2012) by Ryan Boyd: a brief introduction to implementation of OAuth 2.0 for user authentication. This results-oriented text introduces OAuth 2.0 and explains how OpenID Connect makes authentication possible without the need to build an authentication system.
OpenID Connect isn’t a stand-alone authentication protocol. To use it, you’ll also need a working knowledge of OAuth 2.0 because all OpenID Connect systems are built on top of it. The learning curve for getting started with OpenID Connect is steep. There’s a lot to learn. Once you’ve mastered it, you’ll be able to integrate highly-secure user authentication into your website or application with relatively minimal fuss.
Further Reading and Resources
We have more guides, tutorials, and infographics related to coding and development:
- OAuth Introduction and Resources: a closely related system that allows two applications on a user’s behalf.
- OpenSSL Introduction, Tutorials, and Resources: get started creating secure webpages with SSL.
- Swift Introduction and Resources: this is one of the newest C-like languages. The future of programming? Find out here!
What Code Should You Learn?
Confused about what programming language you should learn to code in? Check out our infographic, What Code Should You Learn? It not only discusses different aspects of the languages, it answers important questions such as, “How much money will I make programming Java for a living?”