OpenID

From Organic Design wiki

Most of this page was written when the original OpenID standard was still in use. OpenID and OpenID 2 are now deprecated; you should use OpenID Connect instead.

What is OpenID?

OpenID is an open, decentralized standard for user authentication and access control, allowing users to log onto many services with the same digital identity. As such, it replaces the common login process that uses a login-name and a password, by allowing a user to log in once and gain access to the resources of multiple software systems.

An OpenID is in the form of a unique URL, and is authenticated by the user's 'OpenID provider' (that is, the entity hosting their OpenID URL). The OpenID protocol does not rely on a central authority to authenticate a user's identity. Since neither the OpenID protocol nor web sites requiring identification may mandate a specific type of authentication, non-standard forms of authentication can be used, such as smart cards, biometrics, or ordinary passwords.

You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free.

OpenID has arisen from the open source community to solve the problems that could not be easily solved by other existing technologies. OpenID is a lightweight method of identifying individuals that uses the same technology framework that is used to identify websites. As such, OpenID is not owned by anyone, nor should it be. Today, anyone can choose to be an OpenID user or an OpenID Provider for free without having to register or be approved by any organization.

OpenID or OAuth

OpenID Providers

For a list of more OpenID Providers, you may wish to check the OpenID Directory. We don't make any guarantees about the providers listed, nor do we maintain this list.

Roll Your Own

OpenID (Deprecated)

Of course, you can always use your own URI, blog URL, website, etc. as your OpenID. Delegation is the simplest way to get up and running with OpenID, and Sam Ruby wrote a great tutorial. Delegation requires nothing more than an OpenID Provider and some basic HTML. If you want to host your own OpenID Provider, you'll also need some coding experience. phpMyID is a simple open source PHP script that lets you fully host your own Provider. If you want to do something more complex, check out our page on OpenID for Developers.

OpenID Connect

A good library for running your own OpenID Connect provider is https://github.com/panva/node-oidc-provider.

An example project using this library can be found here.

Debugging

To test your own setup, I recommend using https://oidcdebugger.com/: go through its authorization flow to obtain an authorization code, then exchange that code at your token endpoint:

curl -X POST \
	<TOKEN ENDPOINT> \
	-H 'Content-Type: application/x-www-form-urlencoded' \
	-d 'grant_type=authorization_code&code=<THE RETURNED CODE>&client_id=<YOUR CLIENT ID>&client_secret=<YOUR CLIENT SECRET>&redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug'

That should return an access token, which you then pass to the user data endpoint with the following command:

curl -X POST \
	<USER DATA ENDPOINT> \
	-H 'Content-Type: application/x-www-form-urlencoded' \
	-d 'access_token=<ACCESS TOKEN>'

If that returns the requested user details, everything is set up and ready to go.

Express

If you are using Express, it can be helpful to log requests as they come in so you can check that the client is making the right requests:

const express = require('express');

const app = express();
// The token endpoint receives application/x-www-form-urlencoded bodies, so
// parse those before logging; it is only attached to the POST routes below.
const bodyParser = express.urlencoded({ extended: false });

const logRequest = (req, res, next, type="GET") => {
	// X-Forwarded-For is supplied by the client or a proxy; only trust it behind a proxy you control.
	const requester = req.headers['x-forwarded-for'] || req.socket.remoteAddress;

	console.log(`${type} Request made by: `, requester);
	console.log("Resource requested: ", req.originalUrl);
	// Note: at the token endpoint the body contains client_secret and the authorization code,
	// so these logs must be treated as sensitive.
	console.log("BODY: ", type === "GET" ? req.query : req.body);

	next();
};
app.get(/.*/, logRequest);

app.post(/.*/, bodyParser, (req, res, next) => logRequest(req, res, next, "POST"));
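The logger above writes full request bodies, which at the token endpoint means the client_secret and authorization code end up in the log, and it trusts X-Forwarded-For unconditionally. The following is an added example, not code from this wiki page or from node-oidc-provider, of the same logger with those parameters redacted; the sample request it runs on is constructed, and the trustProxy flag is this example's own.

```javascript
// Added example (not from the wiki page or node-oidc-provider): an Express
// request logger that redacts credential parameters before logging them.
// Parameter names are those of the token/userinfo requests above; the
// sample request is constructed.
// Values that must never be written to a log: each is a credential or a
// bearer token that lets its holder act as the client or the user.
const SENSITIVE_PARAMS = new Set([
  'client_secret', 'code', 'access_token', 'id_token', 'refresh_token',
  'password', 'client_assertion',
]);

// Return a copy of the request parameters with sensitive values masked.
function redactParams(params) {
  const out = {};
  for (const [key, value] of Object.entries(params || {})) {
    out[key] = SENSITIVE_PARAMS.has(key.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// X-Forwarded-For is client-controlled unless a reverse proxy you operate
// overwrites it, so honour it only when trustProxy is true; else log the TCP peer.
function describeRequest(req, type = 'GET', trustProxy = false) {
  const forwarded = req.headers && req.headers['x-forwarded-for'];
  const peer = req.socket && req.socket.remoteAddress;
  return {
    type,
    requester: trustProxy && forwarded ? forwarded.split(',')[0].trim() : peer,
    resource: req.originalUrl,
    params: redactParams(type === 'GET' ? req.query : req.body),
  };
}

// Express-style middleware; mount it like the logger above, e.g.
// app.post(/.*/, bodyParser, (req, res, next) => logRequest(req, res, next, 'POST')).
const logRequest = (req, res, next, type = 'GET', trustProxy = false) => {
  console.log(JSON.stringify(describeRequest(req, type, trustProxy)));
  next();
};

// Constructed sample: a token-endpoint request like the first curl call above.
const sampleTokenRequest = {
  headers: { 'x-forwarded-for': '203.0.113.7, 10.0.0.2' },
  socket: { remoteAddress: '10.0.0.2' },
  originalUrl: '/token',
  body: { grant_type: 'authorization_code', code: 'example-code',
          client_id: 'debugger', client_secret: 'example-secret' },
};
logRequest(sampleTokenRequest, null, () => {}, 'POST');
```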

LDAP account management with GOsa²

GOsa² provides a powerful GPL'ed framework for managing accounts and systems in LDAP databases. Using GOsa² allows system administrators to easily manage users and groups, fat and thin clients, applications, phones and faxes, mail distribution lists and many other parameters. In conjunction with FAI (Fully Automatic Installation), GOsa² allows the highly automated installation of preconfigured systems. GOsa² therefore provides a single, LDAP-based point of administration for large and small environments, thus making the administration of users and systems and all related parameters manageable and easy.

See also