Whenever I want to use an online service such as SlideShare or Zoomin, it asks me to sign up for a new account, without which I cannot use the service to the fullest. If I register with all of these services I end up with several hundred user accounts and passwords to remember. Nowadays most services let you use your e-mail address as the username, which spares you the trouble of remembering multiple usernames.
Being human, I tend to use the same single password for all of these different online accounts, including my personal e-mail account. That effectively means I am handing my e-mail address (the username) and its password to online services I do not really trust. To protect your identity on the Internet, it is not good practice to reuse your personal e-mail password on services you do not trust: if that password is compromised, the consequences can be serious.
So what do I do? Can't I log in to these services without sharing my password? The answer is yes, and it is achieved by a technology called OpenID. Using OpenID authentication I can log in to these online services (SlideShare, Zoomin) with my Facebook account, my Google (Gmail) account or any other OpenID provider I prefer, without ever sharing my password with the service itself.
OpenID is an open standard for authentication, based on the concept of federated identity. Federated identity allows a Service Provider (SP) to offer a service without implementing its own authentication system; instead it trusts another entity, an Identity Provider (IdP), to authenticate users on its behalf.
Some of the benefits of using OpenID are:
You do not have to remember hundreds of username/password pairs, and it eliminates the sign-up process at your favourite websites. From the application developer's perspective it saves the time and effort of developing and maintaining a login (authentication) system.
OpenID provides a framework for communication between the Identity Provider and the Identity Consumer (Service Provider). OpenID authentication is decentralized, which means you can assert your identity through any of several Identity Providers of your choosing. It uses only standard HTTP(S) requests and responses for the communication between Service Provider and Identity Provider. Some of the industry-leading Identity Providers are Google, Yahoo, AOL, LiveJournal, MySpace, Facebook, Twitter, etc.
Some of the terminology used when talking about OpenID technology:
User-Agent: The user's web browser.
Relying Party (RP): A web application (aka Service Provider) that accepts OpenID authentication.
OpenID Provider (OP): A trusted Identity Provider that offers OpenID authentication and on which a Relying Party relies to authenticate the user.
OpenID Provider (OP) Endpoint URL: The URL of the OpenID Provider, obtained by performing discovery on the User-Supplied Identifier.
OpenID Provider (OP) Identifier: An identifier for an OpenID Provider.
User-Supplied Identifier: An identifier that the user presented to the Relying Party when selecting their preferred OpenID Provider.
Claimed Identifier: An identifier that the user claims to possess; the overall aim of the protocol is to verify this claim. The Claimed Identifier is either:
• The User-Supplied Identifier, if it was a URL.
• The CanonicalID (XRI and the CanonicalID element), if it was an XRI (Extensible Resource Identifier).
OpenID authentication basically involves communication between the User, the Relying Party (Service Provider) and the OpenID Provider. The basic flow is as follows.
1. The user accesses the Relying Party web application URL.
2. The user selects a preferred OpenID Provider from the list offered by the Relying Party and presents the User-Supplied Identifier that represents that provider.
3. After normalizing the User-Supplied Identifier, the Relying Party performs discovery of the OpenID Provider URL based on the supplied identifier by requesting its XRDS document.
4. The OpenID Provider responds with an XML-based XRDS document that contains one or more sets of OpenID endpoint URL and protocol version.
5. The Relying Party redirects the user to the selected OpenID Provider Endpoint URL.
6. The user accesses the OpenID Provider Endpoint URL.
7. The user provides their credentials in the form of username/password.
8. The OpenID Provider verifies the user's credentials.
9. Once the credentials are validated, the OpenID Provider redirects the user back to the Relying Party URL, including the authentication response (the assertion that the user was authenticated, not the user's password) in the URL.
10. The user accesses the Relying Party with that authentication response.
11. The Relying Party reads the authentication response and allows the user to access its services.
OpenID performs three major operations during the authentication flow: Initiation, Normalization and Discovery.
Initiation - This is the process where the Relying Party initiates authentication by presenting the user with a form containing a field for the user's preferred OpenID Provider. The form field's "name" attribute should have the value "openid_identifier", so that User-Agents (typically browsers) can automatically recognize that this is an OpenID form.
Normalization - The user's input naming the preferred OpenID Provider must be normalized by the Relying Party: it retrieves the identifier's content, follows any redirects to the OpenID Provider, and finally applies the syntax rules to the final destination URL.
Discovery - The user's choice of OpenID Provider allows the Relying Party to redirect the request to that specific provider. Since the Relying Party does not keep OpenID Provider URLs on hand, it needs to discover the Identity Provider on the fly. Based on the OpenID Provider name, the Relying Party performs discovery of the URL by requesting the XRDS document that contains the necessary information. This is an XML-based document containing one or more sets of OpenID endpoint URL and protocol version.
These three operations performed by the Relying Party play a major role in the whole process called the OpenID authentication flow.
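As an added example (not code from the original post), here is a minimal Python sketch of what a Relying Party does in steps 3 to 5 of the flow above, i.e. the Normalization and Discovery operations followed by the redirect to the OP Endpoint URL. The XRDS document, op.example.com and rp.example.net are constructed placeholders; the Type URIs and parameter names are the ones defined by the OpenID 2.0 specification.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed XRDS document, shaped like an OpenID 2.0 provider's discovery
# response (op.example.com is a placeholder, not a real OpenID Provider).
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/server</Type>
    <URI>https://op.example.com/openid/endpoint</URI>
  </Service></XRD>
</xrds:XRDS>"""

XRD_NS = "{xri://$xrd*($v*2.0)}"                        # XRDS element namespace
OP_SERVER = "http://specs.openid.net/auth/2.0/server"   # OP Identifier service type
OP_SIGNON = "http://specs.openid.net/auth/2.0/signon"   # Claimed Identifier service type
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def normalize(user_supplied):
    # OpenID 2.0 URL normalization: add a scheme if missing, default the path
    # to "/", lower-case scheme and host, strip the fragment (XRIs not handled).
    s = user_supplied.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    scheme, host, path, query, _fragment = urlsplit(s)
    return urlunsplit((scheme.lower(), host.lower(), path or "/", query, ""))

def discover(xrds_text):
    # Return (OP endpoint URL, protocol version, is_op_identifier) for the
    # first <Service> element that advertises an OpenID 2.0 service type.
    root = ET.fromstring(xrds_text)
    for svc in root.iter(XRD_NS + "Service"):
        types = {t.text for t in svc.findall(XRD_NS + "Type")}
        uri = svc.find(XRD_NS + "URI")
        if uri is None:
            continue
        if OP_SERVER in types:
            return uri.text, "2.0", True
        if OP_SIGNON in types:
            return uri.text, "2.0", False
    raise ValueError("no OpenID 2.0 service element in XRDS")

def build_checkid_setup(endpoint, claimed_id, return_to, realm, op_identifier):
    # Step 5: the redirect URL that sends the user to the OP; with an OP
    # Identifier the RP asks the OP itself to select the user's identity.
    ident = IDENTIFIER_SELECT if op_identifier else claimed_id
    params = {"openid.ns": "http://specs.openid.net/auth/2.0",
              "openid.mode": "checkid_setup", "openid.claimed_id": ident,
              "openid.identity": ident, "openid.return_to": return_to,
              "openid.realm": realm}
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(params)
```

The response the OP later sends back to return_to (step 9) must still be verified by the RP against the discovered endpoint before the user is let in; that verification step is outside this sketch.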