OpenID
OpenID is an open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication. The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the ‘relying party’). An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).

The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).

The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique URI, and are managed by some 'OpenID provider' that handles authentication.

OpenID authentication is now used and provided by several large websites. Providers include AOL, BBC, Google, IBM, MySpace, Orange, PayPal, VeriSign, LiveJournal, and Yahoo!.

Technical Overview

OpenID enables an End-user, the entity that wants to assert a particular identity, to communicate with a Relying party, the site that wants to verify the end-user's identifier. Other terms for this party include "service provider" or the now obsolete "consumer". This communication is done through the exchange of an Identifier or OpenID, which is the URL or XRI chosen by the end-user to name the end-user's identity. An Identity provider or OpenID provider (OP), which is a service that specializes in registering OpenID URLs or XRIs, provides the OpenID authentication (and possibly other identity services). The exchange is enabled by a User-agent, which is the program (such as a browser) used by the end-user to communicate with the relying party and OpenID provider.

Logging in

The end-user interacts with a relying party (such as a website) that provides a means by which to specify an OpenID for the purposes of authentication; an end-user typically has previously registered an OpenID (e.g. alice.openid.example.org) with an OpenID provider (e.g. openid.example.org).

The relying party typically transforms the OpenID into a canonical URL form (e.g. http://alice.openid.example.org/).
  • With OpenID 1.0, the relying party then requests the HTML resource identified by the URL and reads an HTML link tag to discover the OpenID provider's URL (e.g. http://openid.example.org/openid-auth.php). The relying party also discovers whether to use a delegated identity (see below).
  • With OpenID 2.0, the relying party discovers the OpenID provider URL by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml; this document may be available at the target URL and is always available for a target XRI.


There are two modes in which the relying party may communicate with the OpenID provider:
  • checkid_immediate, in which the relying party requests that the OpenID provider not interact with the end-user. All communication is relayed through the end-user's user-agent without explicitly notifying the end-user.
  • checkid_setup, in which the end-user communicates with the OpenID provider via the same user-agent used to access the relying party.


The checkid_immediate mode can fall back to the checkid_setup mode if the operation cannot be automated.

First, the relying party and the OpenID provider (optionally) establish a shared secret, referenced by an associate handle, which the relying party then stores. If using the checkid_setup mode, the relying party redirects the user's user-agent to the OpenID provider so the end-user can authenticate directly with the OpenID provider.

The method of authentication may vary, but typically, an OpenID provider prompts the end-user for a password or an InfoCard, and then asks whether the end-user trusts the relying party to receive the necessary identity details.

If the end-user declines the OpenID provider's request to trust the relying party, then the user-agent is redirected back to the relying party with a message indicating that authentication was rejected; the relying party in turn refuses to authenticate the end-user.

If the end-user accepts the OpenID provider's request to trust the relying party, then the user-agent is redirected back to the relying party along with the end-user's credentials. That relying party must then confirm that the credentials really came from the OpenID provider. If the relying party and OpenID provider had previously established a shared secret, then the relying party can validate the identity of the OpenID provider by comparing its copy of the shared secret against the one received along with the end-user's credentials; such a relying party is called stateful because it stores the shared secret between sessions. In contrast, a stateless or dumb relying party must make one more background request (check_authentication) to ensure that the data indeed came from the OpenID provider.

After the OpenID has been verified, authentication is considered successful and the end-user is considered logged in to the relying party under the identity specified by the given OpenID (e.g. alice.openid.example.org). The relying party typically then stores the end-user's OpenID along with the end-user's other session information.

Identifiers

To obtain an OpenID-enabled URL that can be used to log into OpenID-enabled websites, a user needs to register an OpenID identifier with an identity provider. Identity providers offer the ability to register a URL (typically a third-level domain, e.g. username.example.com) that will automatically be configured with OpenID authentication service.

Once they have registered an OpenID, a user can also use an existing URL under their own control (such as a blog or home page) as an alias or "delegated identity". They simply insert the appropriate OpenID tags in the HTML or serve a Yadis document.
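
The HTML-based discovery from "Logging in" and the delegated identity described above, as an added example (not code from the OpenID specifications or from any library): the relying party normalizes the typed identifier, then reads link tags from the page's head to find the provider endpoint and any delegated identity. The rel names openid.server / openid.delegate (OpenID 1.x) and openid2.provider / openid2.local_id (2.0) are the ones the specifications define; the sample page, the alice.example.net blog URL and the function names are constructed, and only URL identifiers (not XRIs) are handled.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# (protocol version, provider rel, local-identifier rel), newest first
DISCOVERY_RELS = (
    ("2.0", "openid2.provider", "openid2.local_id"),
    ("1.x", "openid.server", "openid.delegate"),
)


def normalize_identifier(user_input):
    """Turn what the end-user typed into the canonical URL form."""
    ident = user_input.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("URL identifiers must be http or https URLs")
    # Lower-case the host, drop the fragment, use "/" for an empty path.
    return urlunsplit((parts.scheme, parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class HeadLinkParser(HTMLParser):
    """Collect <link rel=... href=...> elements found inside <head> only.

    Markup in <body> (comments, user posts) must never be able to name
    the provider, so parsing stops once <head> closes or <body> opens.
    """

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.finished = False
        self.links = {}  # rel token -> first href seen

    def handle_starttag(self, tag, attrs):
        if self.finished:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.finished = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = attr.get("href")
            # rel may carry several space-separated tokens
            for token in (attr.get("rel") or "").lower().split():
                if href:
                    self.links.setdefault(token, href.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.finished = True


def discover_from_html(claimed_id, html):
    """Return the provider endpoint and identifiers advertised by the page."""
    parser = HeadLinkParser()
    parser.feed(html)
    for version, provider_rel, local_rel in DISCOVERY_RELS:
        endpoint = parser.links.get(provider_rel)
        if endpoint is None:
            continue
        if urlsplit(endpoint).scheme not in ("http", "https"):
            raise ValueError("provider endpoint is not an http(s) URL")
        return {
            "version": version,
            "claimed_id": claimed_id,   # what the relying party stores
            "op_endpoint": endpoint,    # where the user-agent is redirected
            # identifier the provider knows; differs only when delegating
            "local_id": parser.links.get(local_rel, claimed_id),
        }
    raise LookupError("no OpenID provider advertised in <head>")


# Constructed sample: a blog page delegating to alice.openid.example.org,
# with a stray link tag inside a visitor comment in the body.
SAMPLE_HTML = """<html><head>
<title>Alice's blog</title>
<link rel="openid.server" href="http://openid.example.org/openid-auth.php">
<link rel="openid.delegate" href="http://alice.openid.example.org/">
</head><body>
<p>Visitor comment:
<link rel="openid.server" href="http://other.example.com/auth"></p>
</body></html>"""

if __name__ == "__main__":
    claimed = normalize_identifier("alice.example.net")
    print(discover_from_html(claimed, SAMPLE_HTML))
```

The relying party keeps the claimed identifier (the user's own URL) as the account key, while the provider authenticates the delegated local identifier.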

Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs.

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms—i-names and i-numbers—that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way, both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.

Adoption

, there are over 1 billion OpenID enabled accounts on the Internet (see below) and approximately 9 million sites have integrated OpenID consumer support.

OpenID Foundation

The OpenID Foundation is a 501(c)(3) non-profit organization incorporated in the United States. The OpenID Foundation was formed to help manage copyright, trademarks, marketing efforts and other activities related to the success of the OpenID community.

People

The OpenID Foundation's board of directors has eight community members and seven corporate members:
Community Members
  • John Bradley (Independent)
  • Mike Jones (Microsoft)
  • Brian Kissel (JanRain)
  • Chris Messina (Google)
  • Axel Nennker (Deutsche Telekom)
  • Nat Sakimura (Nomura Research Institute)
  • Allen Tom (Yahoo!)
  • Kick Willemse (Evidos)


Corporate Members
  • Facebook - David Recordon
  • Google - Eric Sachs
  • Microsoft - Anthony Nadalin
  • PayPal - Farhang Kassaei
  • Ping Identity - Pamela Dingle
  • Symantec - Nico Popp
  • Yahoo! - Raj Mata
  • BioID - Ho Chang


Legal issues

The OpenID trademark in the United States was assigned to the OpenID Foundation in March 2008. It had been registered by NetMesh Inc. before the OpenID Foundation was operational. In Europe, as of August 31, 2007, the OpenID trademark is registered to the OpenID Europe Foundation.

The OpenID logo was designed by Randy "ydnar" Reddig, who in 2005 had expressed plans to transfer the rights to an OpenID organization.

Since the original announcement of OpenID, the official site has stated:
Sun Microsystems, VeriSign and a number of smaller companies involved in OpenID have issued patent non-assertion covenants covering OpenID 1.1 specifications. The covenants state that the companies will not assert any of their patents against OpenID implementations and will revoke their promises from anyone who threatens, or asserts, patents against OpenID implementors.

Security and phishing

Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks. For example, a malicious relying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end-user's account with the identity provider, and as such then use that end-user’s OpenID to log into other services.

In an attempt to combat possible phishing attacks some OpenID providers mandate that the end-user needs to be authenticated with them prior to an attempt to authenticate with the relying party. This relies on the end-user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used."

Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.

Another important vulnerability is present in the last step of the authentication scheme: the redirect URL from the Identity Provider to the Relying Party. Anyone who can obtain this URL (e.g. by sniffing the wire) can replay it and get logged into the site as the victim user. Some Identity Providers use nonces (numbers used once) so that a user can log into the site once and all subsequent attempts fail. The nonce solution works if the user is the first one to use the URL. However, a fast attacker who is sniffing the wire can obtain the URL and immediately reset the user's TCP connection (an attacker sniffing the wire knows the required TCP sequence numbers) and then execute the replay attack as described above. Thus nonces only protect against passive attackers and cannot prevent active attackers from executing the replay attack.
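
The verification step described under "Logging in" (a stateful relying party checking the response against its stored shared secret) together with the nonce check discussed above, as an added example that is not code from the OpenID specifications or from any library. In OpenID 2.0 the check is an HMAC over the signed fields, keyed with the shared secret; the choice of HMAC-SHA256, the five-minute nonce window, the function names, and all sample keys, handles and URLs are assumptions or constructed values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields OpenID 2.0 requires to be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
MAX_AGE = timedelta(minutes=5)  # assumption: relying-party policy, not from the page


def sign(params, signed_fields, mac_key):
    """HMAC-SHA256 over the Key-Value form ("key:value\\n") of the signed fields."""
    text = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)
    mac = hmac.new(mac_key, text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


class NonceStore:
    """Remembers response nonces so each assertion URL is accepted once."""

    def __init__(self):
        self._seen = set()

    def use(self, op_endpoint, nonce, now):
        # A response nonce starts with a UTC timestamp: 2008-12-01T12:00:00Z...
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return False
        issued = issued.replace(tzinfo=timezone.utc)
        if abs(now - issued) > MAX_AGE:
            return False  # outside the window the store covers, so refuse it
        if (op_endpoint, nonce) in self._seen:
            return False  # replay of an already-used URL
        self._seen.add((op_endpoint, nonce))
        return True


def verify_assertion(params, associations, nonces, return_to, now):
    """Stateful relying-party check; returns (accepted, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = params.get("openid.signed", "").split(",")
    must_sign = set(REQUIRED_SIGNED)
    must_sign |= {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not must_sign <= set(signed):
        return False, "required field not signed"
    if any("openid." + f not in params for f in signed):
        return False, "signed field missing"
    key = (params["openid.op_endpoint"], params["openid.assoc_handle"])
    mac_key = associations.get(key)
    if mac_key is None:
        # A stateless relying party would ask the provider (check_authentication).
        return False, "unknown association"
    expected = sign(params, signed, mac_key).encode("ascii")
    received = params.get("openid.sig", "").encode("utf-8")
    if not hmac.compare_digest(expected, received):
        return False, "bad signature"
    if params["openid.return_to"] != return_to:
        return False, "return_to mismatch"
    # Consume the nonce last, so forged messages cannot use up real nonces.
    if not nonces.use(key[0], params["openid.response_nonce"], now):
        return False, "nonce replayed or expired"
    return True, "ok"


# Constructed sample data: key, handle, nonce and URLs are made up.
DEMO_KEY = b"constructed-demo-mac-key"
DEMO_NOW = datetime(2008, 12, 1, 12, 0, 30, tzinfo=timezone.utc)
DEMO_OP = "http://openid.example.org/openid-auth.php"
RETURN_TO = "https://rp.example.com/openid/return"


def demo_assertion():
    """Build a signed positive assertion the way the provider would."""
    params = {
        "openid.mode": "id_res",
        "openid.op_endpoint": DEMO_OP,
        "openid.claimed_id": "http://alice.openid.example.org/",
        "openid.identity": "http://alice.openid.example.org/",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2008-12-01T12:00:00Zq7Xk2",
        "openid.assoc_handle": "demo-handle-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, params["openid.signed"].split(","), DEMO_KEY)
    return params


if __name__ == "__main__":
    assoc = {(DEMO_OP, "demo-handle-1"): DEMO_KEY}
    store = NonceStore()
    msg = demo_assertion()
    print(verify_assertion(msg, assoc, store, RETURN_TO, DEMO_NOW))  # first use
    print(verify_assertion(msg, assoc, store, RETURN_TO, DEMO_NOW))  # replay
```

As the paragraph above notes, the store rejects only a second use of the same URL; it cannot tell which party presented it first.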

History

The original OpenID authentication protocol was developed in May 2005 by Brad Fitzpatrick, creator of popular community website LiveJournal, while working at Six Apart. Initially referred to as Yadis (an acronym for "Yet another distributed identity system"), it was named OpenID after the openid.net domain name was given to Six Apart to use for the project. OpenID support was soon implemented on LiveJournal and fellow LiveJournal engine community DeadJournal for blog post comments and quickly gained attention in the digital identity community. Web developer JanRain was an early supporter of OpenID, providing OpenID software libraries and expanding its business around OpenID-based services.

In late June, discussions started between OpenID users and developers from enterprise software company NetMesh, leading to collaboration on interoperability between OpenID and NetMesh's similar Light-Weight Identity (LID) protocol. The direct result of the collaboration was the Yadis discovery protocol, adopting the name originally used for OpenID. The new Yadis was announced on October 24, 2005. After a discussion at the 2005 Internet Identity Workshop a few days later, XRI/i-names developers joined the Yadis project, contributing their Extensible Resource Descriptor Sequence (XRDS) format for utilization in the protocol.

In December, developers at Sxip Identity began discussions with the OpenID/Yadis community after announcing a shift in the development of version 2.0 of its Simple Extensible Identity Protocol (SXIP) to URL-based identities like LID and OpenID. In March 2006, JanRain developed a Simple Registration (SREG) extension for OpenID enabling primitive profile-exchange and in April submitted a proposal to formalize extensions to OpenID. The same month, work had also begun on incorporating full XRI support into OpenID. Around early May, key OpenID developer David Recordon left Six Apart, joining VeriSign to focus more on digital identity and guidance for the OpenID spec. By early June, the major differences between the SXIP 2.0 and OpenID projects were resolved with the agreement to support multiple personas in OpenID by submission of an identity provider URL rather than a full identity URL. With this, as well as the addition of extensions and XRI support underway, OpenID was evolving into a full-fledged digital identity framework, with Recordon proclaiming "We see OpenID as being an umbrella for the framework that encompasses the layers for identifiers, discovery, authentication and a messaging services layer that sits atop and this entire thing has sort of been dubbed 'OpenID 2.0'." In late July, Sxip began to merge its Digital Identity Exchange (DIX) protocol into OpenID, submitting initial drafts of the OpenID Attribute Exchange (AX) extension in August. Late in 2006, a ZDNet opinion piece made the case for OpenID to users, web site operators and entrepreneurs.

On January 31, 2007, Symantec announced support for OpenID in its Identity Initiative products and services. A week later, on February 6, Microsoft made a joint announcement with JanRain, Sxip, and VeriSign to collaborate on interoperability between OpenID and Microsoft's Windows CardSpace digital identity platform, with particular focus on developing a phishing-resistant authentication solution for OpenID. As part of the collaboration, Microsoft pledged to support OpenID in its future identity server products and JanRain, Sxip, and VeriSign pledged to add support for Microsoft's Information Card profile to their future identity solutions. In mid-February, AOL announced that an experimental OpenID provider service was functional for all AOL and AOL Instant Messenger (AIM) accounts.

In May, Sun Microsystems began working with the OpenID community, announcing an OpenID program, as well as entering a non-assertion covenant with the OpenID community, pledging not to assert any of its patents against implementations of OpenID. In June, OpenID leadership formed the OpenID Foundation, an Oregon-based public benefit corporation for managing the OpenID brand and property. The same month, an independent OpenID Europe Foundation was formed in Belgium by Snorri Giorgetti. By early December, non-assertion agreements were collected by the major contributors to the protocol and the final OpenID Authentication 2.0 and OpenID Attribute Exchange 1.0 specifications were ratified on December 5.

In mid-January 2008, Yahoo! announced initial OpenID 2.0 support, both as a provider and as a relying party, releasing the provider service by the end of the month. In early February, Google, IBM, Microsoft, VeriSign and Yahoo! joined the OpenID Foundation as corporate board members. Around early May, SourceForge, Inc. introduced OpenID provider and relying party support to leading open source software development website SourceForge.net. In late July, popular social network service MySpace announced support for OpenID as a provider. In late October, Google launched support as an OpenID provider and Microsoft announced that Windows Live ID would support OpenID. In November, JanRain announced a free hosted service, RPX Basic, that allows websites to begin accepting OpenIDs for registration and login without having to install, integrate and configure the OpenID open source libraries.

In January 2009, PayPal joined the OpenID Foundation as a corporate member, followed shortly by Facebook in February. The OpenID Foundation formed an executive committee and appointed Don Thibeau as executive director. In March, MySpace launched their previously announced OpenID provider service, enabling all MySpace users to use their MySpace URL as an OpenID. In May, Facebook launched their relying party functionality, letting users use an automatic login-enabled OpenID account (e.g. Google) to log into Facebook.

OpenID vs. Pseudo-Authentication using OAuth

The following drawing highlights the differences between using OpenID vs. OAuth for authentication. Note that with OpenID, the process starts with the application asking the user for their identity (typically an OpenID URI), whereas in the case of OAuth, the application directly requests a limited-access OAuth token (valet key) to access the APIs (enter the house) on the user's behalf. If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.
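
The difference between the two flows can be made concrete with a toy in-memory model (an added example, not part of the original article; the `Provider` class, its methods and the sample identifiers are hypothetical, and HMAC-SHA256 over a shared key stands in for the provider's signature). It shows what the application is left holding after each login: an assertion in the OpenID case, a usable API token in the OAuth case.

```python
import hashlib
import hmac
import secrets

class Provider:
    """Toy provider (constructed for illustration) offering both flows."""

    def __init__(self):
        self.assoc_key = secrets.token_bytes(32)   # secret shared with the relying party
        self.tokens = {}                           # access token -> (user id, scopes)
        self.contacts = {"https://alice.example/": ["bob", "carol"]}  # constructed data

    # OpenID style: assert that the user controls the identifier they claimed.
    def assert_identity(self, claimed_id, return_to):
        msg = f"{claimed_id}|{return_to}".encode()
        sig = hmac.new(self.assoc_key, msg, hashlib.sha256).hexdigest()
        return {"claimed_id": claimed_id, "return_to": return_to, "sig": sig}

    # OAuth style: hand out a limited-access token (the "valet key").
    def grant_token(self, user_id, scopes):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user_id, set(scopes))
        return token

    # API call authorised by a token (entering the "house").
    def api(self, token, resource):
        user_id, scopes = self.tokens[token]       # KeyError if this is not a token
        if resource not in scopes:
            raise PermissionError(resource)
        return user_id if resource == "profile" else self.contacts[user_id]

def openid_login(provider, claimed_id, return_to):
    """Relying party asks for an identity first, then verifies the assertion."""
    a = provider.assert_identity(claimed_id, return_to)
    msg = f"{a['claimed_id']}|{a['return_to']}".encode()
    expected = hmac.new(provider.assoc_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(a["sig"], expected) or a["return_to"] != return_to:
        raise ValueError("assertion rejected")
    return a["claimed_id"], a                      # identity plus the assertion held

def oauth_pseudo_login(provider, user_id, scopes):
    """Application asks for a token first, then reads the identity via the API."""
    token = provider.grant_token(user_id, scopes)  # user consent assumed granted
    return provider.api(token, "profile"), token   # identity plus the token held
```

Both functions return the same identifier, but only the OAuth token can be passed to `api()` afterwards, which is the "valet key" of the description above.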

See also

  • Athens access and identity management
  • Central Authentication Service
  • DataPortability
  • Identity 2.0
  • Information Card
  • Liberty Alliance
  • Light-Weight Identity
  • List of OpenID Providers
  • OAuth
  • SAML
  • Shibboleth (Internet2)
  • Single sign-on
  • WebID
  • Windows CardSpace
  • Windows Live ID
  • WS-Federation
  • XRI

External links

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.