
Wednesday, February 21, 2007

Grokking OpenID and Blogger

I just created my first OpenID account!

If you don't know what OpenID is: it is a single sign-on solution (sometimes also called login federation), which lets you use a single login name / password to authenticate in many (web-)places. It is similar to the Microsoft Passport initiative, the difference being (as usual) that it is based on open standards and you don't depend on Microsoft. Here are some resources for a more detailed description:

Here is a list of OpenID providers shamelessly lifted from simonwillison.net:

I personally went with Verisign because they are a big company with other revenues, so it is fairly probable that they won't disappear overnight. However, it is possible to use multiple OpenID providers, as this forum posting points out. That is too complicated for me, so I just go with Verisign for the moment. However, I want to keep my options open, so I use my blog address as my identity (Google won't disappear soon either) and create a delegation to the Verisign server, which I can change at any time to another identity provider.

You can do this by editing your template, finding the <head> tag and inserting the following two lines immediately after it:

<link href="https://pip.verisignlabs.com/server" rel="openid.server" />
<link href="http://CdMaN.pip.verisignlabs.com/" rel="openid.delegate" />

If you don't use Verisign as your identity provider, replace https://pip.verisignlabs.com/server with the address of your service's server (if the service doesn't explicitly tell you the address of their server, check out this posting on simonwillison.net where he lists the servers for 4 OpenID providers). The second line should contain the ID the service assigned to you. Now save your template, go to any OpenID-enabled site and try logging in with your blog address (hype-free.blogspot.com in my case).

Have fun and enjoy OpenID!

Update: Since I wrote this post, Blogger became both an OpenID consumer and provider. This means that you can comment on Blogger blogs using OpenID accounts, and you can use your Blogger blog as an OpenID account. However, you can still use the method described above to redirect to another OpenID provider.

Update 2: as pointed out in a comment on the stackoverflow blog, this does introduce a further security risk: now you have to worry about either your OpenID provider being hacked or your website being hacked. In the latter case, the hacker can just redirect the OpenID authentication to an account/provider s/he controls and log into all the sites where you've signed in with your website as your OpenID. Just a thing to be aware of.

4 comments:

  1. Anonymous 11:53 PM

    Have you made blogger work with open id - or just your admin functions?

  2. I just included the code necessary to use my blog hosted on Blogger as the ID on OpenID-powered sites. Any deeper integration with OpenID (like making it possible to use OpenID while authenticating for leaving comments) would have to be done at server side (i.e. by Google).

    P.S. I got some feedback that my blogger page fails to validate as XHTML, mainly because of the template code included in it (about which very little can be done) and because of this some OpenID login code fails, so maybe it is a better solution to create a separate HTML page, include all the needed markup in it, make sure that it's valid XHTML and throw it up on Google Pages for example and use its URL to authenticate.

  3. I am still confused about this. I tried turning my blog to an OpenID account so that I may use it for comments and/or authentications and OpenID tells me I have to pay $25 for registration! :(
    So I must embed some code in the html to do this?

  4. @Mona Trixa: could you please give me the exact URL of the page which says that you need to pay for this? It should be available for free.
