You need to upgrade your Flash Player

Express install of the flash player can be done so by following the link provided below.

Download Flash Player

You need to upgrade your Flash Player

Express install of the flash player can be done so by following the link provided below.

Download Flash Player


                                 
Our Specialties
  • Cloud Computing
  • Server Virtualization
  • Infrastructure Load balancing
  • Multi-server clusters
  • Automated system administration
  • Dynamic server configuration
  • Content Management
  • Digital Asset Management
                                 
OpenID decentralized user-centric digital identity system
11-12-06 00:17
Age: 2 yrs


Category: Open Source News

OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do-with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.


How OpenID works

A website, such as example.com, which wants to enable OpenID logins for its visitors places a login form somewhere on the page. Unlike a typical login form, which prompts the user for a user name and password, there is only one field - for the OpenID identifier. The site may choose to display a small OpenID logo next to the field. This form is connected to an implementation of an OpenID client library.

If a user named Alice wants to log in to example.com using the OpenID identifier alice.openid-provider.org that she has registered with the identity provider openid-provider.org, she simply goes to example.com and types alice.openid-provider.org in the OpenID login box. Starting with OpenID Authentication 2.0 (and supported in some OpenID 1.1 implementations), Alice could also login by typing an i-name such as =example.alice or =example.community*alice.

If the identifier is a URL, the first thing the relying party (example.com) does is transform into a canonical form, e.g., alice.openid-provider.org. With OpenID 1.0, the relying party then requests the web page located at that URL and, via an HTML link tag, discovers that the provider server is, say, openid-provider.org/openid-auth.php. It also discovers whether or not it should use a delegated identity (see below). Starting with OpenID 1.1, the client does discovery by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml that may be available at the target URL and is always available for a target XRI.

There are two modes in which the relying party can communicate with the identity provider:

    * checkid_immediate, which is machine-oriented and in which all communication between the two servers is done is the background, without the user's knowledge;
    * checkid_setup, in which the user communicates with the provider server directly using the very same web browser used to access the relying party site.

The second option is more popular on the Web; also, checkid_immediate can fallback to checkid_setup if the operation cannot be automated.

First, the relying party and the provider (optionally) establish a shared secret - an associate handle, which the relying party then stores. If using checkid_setup, the relying party redirects the user's web browser to the provider. In this case, Alice's browser is redirected to openid-provider.org so Alice can authenticate herself with the provider.

The method of authentication may vary, but typically, an OpenID provider asks for a password (and then possibly stores the user's session using cookies, as many websites with password-based authentication do). Alice may be prompted for her password if she was not logged in on openid-provider.org, and then asked whether she trusts, say, example.com/openid-return.php - the page designated by example.com as the one where the user should return after completing authentication - to receive details about her identity. If she answers positively, OpenID authentication is considered successful and the browser is redirected to the designated return page with credentials given. If Alice decides not to trust the relying party site, the browser is still redirected - however, the relying party is notified that its request was rejected, so example.com refuses to authenticate Alice in turn.

However, the login process is not over yet because at this stage, example.com cannot decide whether the credentials received really came from openid-provider.org. If they had previously established a shared secret (see above), the consumer can validate the shared secret received with the credentials against the one previously stored. Such a consumer is called stateful because it stores the shared secret between sessions. In comparison, a stateless or dumb consumer must make one more background request (check_authentication) to ensure that the data indeed came from openid-provider.org.

After Alice's identifier has been verified, she is considered logged in to example.com as alice.openid-provider.org. The site may then store the session or, if this is her first logon, prompt Alice to enter some information specific to example.com, in order to complete registration.


Links:

openid.net







<- Back to: {en}BLOG : Open Source Insights

{en}BLOG : Open Source Insight

+ Login to leave your comments   +  Syndicated News   + Jobs   + Search

stardevelop.com Live Help Accept Decline Close