Saturday, May 16, 2009

Your OpenID sucks

Now that OpenID is finally picking up I keep seeing people use lame URLs like http://username.myopenid.com/ to authenticate. This sucks because:

  • You are a unique snowflake!
  • It ties your identity to your OpenID provider.
  • It's only as permanent as your chosen provider (or your patience for it). You can't switch providers while keeping your existing ID.

Furthermore, this profile page usually just contains a single link forwarding to a user's homepage.

So instead of settling for an ugly URI, just use your existing homepage. There's no need to do any complicated setup or install OpenID software, because OpenID supports delegation natively.

Open up your OpenID provider's profile page and copy the OpenID related link and meta tags. On my myopenid page it looks like this:

<meta http-equiv="x-xrds-location" content="http://nothingmuch.myopenid.com/?xrds=1" />

<link rel="openid.server"    href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />

Paste that into your homepage, and add the following:

<link rel="openid.delegate" href="http://nothingmuch.myopenid.com/" />
<link rel="openid2.local_id" href="http://nothingmuch.myopenid.com/" />

Obviously the href of the delegate link should point to your own OpenID provider's profile page.

This lets me use a URL that is truly my own, http://nothingmuch.woobling.org/, as a fully functioning OpenID. I didn't have to install or configure anything. It also lets me switch providers freely while keeping my chosen identity: all OpenID authentication really needs to prove is that the user entering the URL is also in control of that URL, which makes providers swappable.

Setting up proper Yadis/XRDS discovery headers is left as an exercise for the user. I was lazy and only used a meta tag ;-)
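To make the delegation mechanism concrete, here is an added example (not part of the original post, and not myopenid's or any OpenID library's code) of the HTML-based discovery a relying party performs on a homepage carrying the tags above: it pulls out the provider endpoint, the delegated local identifier and the XRDS location, honours only tags inside <head>, and shows the check that keeps delegation honest, namely that the identity the provider asserts must equal the local_id discovered on the claimed page. The sample homepage is constructed from the tags in the post.

```python
from html.parser import HTMLParser

# rel values from the post, mapped to what a relying party (RP) records.
OPENID_RELS = {
    "openid.server": "op_endpoint_v1", "openid.delegate": "local_id_v1",
    "openid2.provider": "op_endpoint_v2", "openid2.local_id": "local_id_v2",
}

class OpenIDDiscoveryParser(HTMLParser):
    """Collects OpenID <link>/<meta> tags from the <head> of a claimed identifier page."""
    def __init__(self):
        super().__init__()
        self.found = {}
        self.in_head = True  # spec honours <head> only; body content (e.g. comments) is ignored

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if not self.in_head:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link":
            for rel in a.get("rel", "").lower().split():  # rel may list several values
                if rel in OPENID_RELS and a.get("href"):
                    self.found.setdefault(OPENID_RELS[rel], a["href"])  # first tag wins
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.found.setdefault("xrds_location", a.get("content", ""))

def discover(html, claimed_id):
    """What the RP learns: the OP endpoint to talk to and the identifier (local_id)
    the OP must assert; OpenID 2.0 tags take precedence over 1.x ones."""
    p = OpenIDDiscoveryParser()
    p.feed(html)
    f = p.found
    local_id = f.get("local_id_v2") or f.get("local_id_v1") or claimed_id
    return {"claimed_id": claimed_id,
            "op_endpoint": f.get("op_endpoint_v2") or f.get("op_endpoint_v1"),
            "local_id": local_id, "delegated": local_id != claimed_id,
            "xrds_location": f.get("xrds_location")}

def assertion_matches(discovered, asserted_identity):
    """The check that makes delegation safe: the OP's signed identity must equal the
    local_id discovered on the claimed page, so nobody else's delegate can be swapped in."""
    return asserted_identity == discovered["local_id"]

# Constructed sample homepage carrying exactly the tags from the post.
SAMPLE_HOMEPAGE = """<html><head>
<meta http-equiv="x-xrds-location" content="http://nothingmuch.myopenid.com/?xrds=1" />
<link rel="openid.server"    href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://nothingmuch.myopenid.com/" />
<link rel="openid2.local_id" href="http://nothingmuch.myopenid.com/" />
<title>nothingmuch</title></head><body><p>hello</p></body></html>"""
```

Running discover(SAMPLE_HOMEPAGE, "http://nothingmuch.woobling.org/") reports the myopenid endpoint with delegated=True; an RP that skipped the assertion_matches check would accept any identity the provider signed, not just the delegate named on the page.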

16 comments:

nothingmuch said...

Yay!

Sartak said...

Thanks boss!

nothingmuch said...

To see if it's working: http://openidenabled.com/resources/openid-test/

davecardwell said...

Thanks, nothingmuch.

I noticed that it failed to login when trying the openidenabled.com test, but in doing so found the following documentation that did work: https://www.myopenid.com/help#own_domain

Jeremiah said...

Thanks boss!


Oh wait. I don't work for you.

kroiz said...

ok ok I will go google that openid up shhoooosh

veggiebelly.com said...

This is great info, very useful, thanks! How do I change my settings so that I can comment as "veggiebelly" and not the current "veggiebelly.com"?

nothingmuch said...

The OpenID server is apparently providing that as the display name, so check if you can configure it differently.

leto.net said...

Thanks for the gentle prod. Still figuring out how to get my display name the way I want.

nothingmuch said...

It should be possible to specify it in MyOpenID's persona stuff, or perhaps it's the metadata on http://dukeleto.myopenid.com/ that's being used (that should be editable when you are logged in)

stephen said...

Your prodding finally convinced me to use a tuit to set this up. Hooray, I'm a unique snowflake! :-)

nothingmuch said...

Yatta!

szabgab.com said...

thanks

Shawn M Moore said...

I still direct people to this post all the time. Thanks again Yuval!

and in a nice display of irony, while I try to post this comment I get "OpenID error"

jarsonmar.org said...

Sweet, works for me too! ++

Polet said...

I'm having problems with this delegation system
I have my blog on WP.
I installed the XRDS plugin, the OpenID plugin (and delegated myopenid account to my blog url) + I put the code you mentioned in the header.
Still I can't login to OpenID using my site URL - what can be the problem???