Sunday, November 9, 2008

OpenID

This whole Blog thing has re-introduced me to OpenID. I remember reading about OpenID some time ago, and the big controversy that was going on about the big companies trying to take it over and having competing standards. That seems to be resolved now and several major players have been making it available for a while now.

The great thing about OpenID is that it allows for user authentication to your web site without the need for an SSL certificate. Obviously, this level of authentication is not suitable for financial transactions, and nowhere near what's needed for online banking. But, if you want to allow users to log into your web site, this is a great way to go.

Users need only supply their OpenID URL. Nothing really secret there. Many users have the same URL. The web site contacts the OpenID server through an encrypted connection - only MD5 but much better than having user IDs and passwords in clear text on the Internet. If the user does need to be authenticated, then the OpenID server can use an SSL connection for the user ID and password.
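How a site can get from the URL a user supplies to the OpenID server it should contact, as an added example that is not code from this post or from the OpenIDConsumer.cfc project. It goes beyond the text by covering HTML-based discovery for both OpenID 1.x (`openid.server`) and OpenID 2.0 (`openid2.provider`); the function names and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# <link rel> values that name the OpenID server, per protocol version
REL_TO_VERSION = {"openid.server": "1.x", "openid2.provider": "2.0"}

# Constructed sample identity pages; hosts are placeholders, not real providers
PAGE_BOTH = ('<html><head><link rel="openid.server" href="https://op.example.com/v1">'
             '<link rel="openid2.provider" href="https://op.example.com/v2"></head></html>')
PAGE_V2_ONLY = ('<html><head><link rel="openid2.provider" href="https://op.example.net/auth">'
                '</head><body><link rel="openid.server" href="http://untrusted.example/op">'
                '</body></html>')

class LinkCollector(HTMLParser):
    """Collects OpenID server links, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.servers = False, {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            for rel in (attr.get("rel") or "").lower().split():
                if rel in REL_TO_VERSION and attr.get("href"):
                    self.servers.setdefault(REL_TO_VERSION[rel], attr["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def normalize_identifier(user_input):
    """Turn what the user typed into the URL the web site will fetch."""
    url = user_input.strip()
    if "://" not in url:
        url = "http://" + url  # users usually leave the scheme off
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("OpenID identifier must be an http(s) URL")
    return parts._replace(netloc=parts.netloc.lower(), path=parts.path or "/", fragment="").geturl()

def pick_server(html, supported_versions):
    """Return (version, server URL) for the first version both sides support, else None."""
    collector = LinkCollector()
    collector.feed(html)
    for version in supported_versions:
        if version in collector.servers:
            return version, collector.servers[version]
    return None
```

A link placed in the page body is ignored, so markup that ends up in user-editable page content cannot redirect discovery, and a consumer that only speaks 1.x gets `None` for a page that advertises only a 2.0 server.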

There seem to be quite a few major companies that currently support the OpenID standard, including Google, Yahoo, SourceForge and OpenId. Look in the directory to see if your favorite sites already support it.

Now I need to figure out how to implement some of this code to make it work on my sites!

1 comment:

David said...

OK, that was more work than I expected. I installed the ColdFusion OpenIDConsumer.cfc on my host web site, only to find out that createObject() has been disabled on my host. I then had to rewrite the code to authenticate using cfinvoke. The code also tried to create a Java object which I had to replace with some native ColdFusion code as well. I can now authenticate an OpenID URI using OpenID 1.0. I plan to submit my changes back to the project.

Yahoo requires OpenID 2.0, so it rejects my server's requests. I wonder what it would take to implement OpenID 2.0?