Many Pies

Many Pies

Friday, August 20, 2010

Lazyweb request - help me understand OpenID

I have some questions about OpenID that I plan to find the answers to one day, but maybe someone will heed my lazyweb request and supply them.
Here are the questions:
1. Does it matter which provider you use?
2. What if the provider goes out of business? Are you stuck?
3. If I switch OpenIDs what do the sites I've logged in on the old one need to do to help me switch to the new one?
4. Is that part of the spec or does it depend on what the sites do with my OpenID?
5. When I log in what information is my OpenID provider passing on to them?
6. What implications does it have if I tick the "log me in automatically" option available on

As well as finding out the answers to those, I may put in something about Microsoft Hailstorm on wikipedia, as it doesn't have its own page.


Anonymous said...

1) Yes, it makes a difference that you'll log in via a different website depending on the OpenID provider, but the receiving website won't care which provider you have.

2) Yes, you'd be stuck. For that reason, it can be worth using an OpenID proxy, which is quite simple to set up, or simply risk it. It'll happen so infrequently that it's probably no hard task to reattach your accounts to a different OpenID if it happens.

3) They'll probably keep a record of your e-mail address, so as long as you haven't changed that, chances are that it'll understand that you're the same person. You could test that out by setting up two OpenIDs and trying them both.

4) It depends how much information you provide to your OpenID provider. I think e-mail is required. Probably not much more.

5) It means that when you enter your OpenID on an OpenID-enabled website, your provider won't prompt you for your password before telling the website you're authenticated. There'll be a session token stored in a cookie by your provider. You'd normally get directed to a login form, but the provider will read the cookie and redirect you straight back to the client website. Obviously you'll need to log in properly the first time for this to work, and the cookie will expire after a reasonable amount of time.

Paul Morriss said...

Thanks very much for that. Some more comments:
1. The question was more about how you choose which one to use if you have several. Whichever one is likely to remain in business longest maybe? Who you trust the most?

2. That explains the openid.delegate I saw at someone's personal site.

3. seem to allow you to do this, I wondered if it was common.

Thanks once again. It saves me having to do the research, not that I wouldn't enjoy it, but it's just not a priority.

Joseph Anthony Pasquale Holsten said...

You want to use the OpenID Provider you trust the most. The trouble is deciding which bits of trust are most important to you. Do you want the best security infrastructure? Do you want the one that will probably be around the longest? The one that you trust enough but has the most nifty features? That's the nice (and annoying) thing about the market of OPs, you get to decide how much security you want to trade for niftiness.

I should mention that different OpenID Relying Parties have different requirements from OpenID Providers, so not every RP will work at every site. There's nothing we can do about it any more than we can keep sites from blocking registration with certain email domains (like mailinator). And when we start having government sites accept OpenIDs, you can bet they won't let me log into anything important with my self-hosted wordpress openid server.