Identity management on the web with Open ID
ID Check
OpenID offers an open standard for logging on to closed-door websites.
Web 2.0 is not everybody's idea of a good thing. One problem is the multitude of password-protected websites. Personal blogs, virtual communities from Xing to Facebook, and sites that manage workflow, expenses, and vacation planning often rely on web-based applications with private user accounts. This overload of passwords and login boxes is causing some hapless users to lose track of all the options. As long as users work on a single, local, physical device (or can access a server in the vicinity), tools such as the password managers offered by most web browsers, as well as alternatives such as KDE wallet, are useful aids. But the Web 2.0 paradigm assumes the user can move about and log in from different locations.
Community Approach
Identity management solutions provide a more mobile and flexible solution for simplifying web login. These tools often employ the principle of a trusted third party. A few large global players have stepped up with services that offer single-source, trusted third party login solutions. Microsoft's Passport system was created in line with this belief. Today, Microsoft markets Passport as "Windows Live ID" [1]. Many users, however, are wary of becoming dependent on proprietary applications.
An early alternative known as the Liberty Alliance Project [2] offered a more open approach, but it was widely regarded as an overspecified dinosaur, and the Liberty Alliance still has not found widespread acceptance despite a seven-year effort. The OpenID project, under the auspices of the OpenID Foundation [3], relies on simpler functionality that can be integrated more easily into online authentication systems.
Users who choose the OpenID alternative do not enter a user name but, instead, identify themselves with a URI (Uniform Resource Identificator) that can be displayed in a web browser. The URI can be a web address offered by an OpenID service, such as http://nilsmagnus.myopenid.com with Myopenid [4]. The type of identity is not important as long as a browser can access the page. The page needs to add a tag that points to the service provider:
<link rel="openid.server" href="http://www.myopenid.com/server" /> <link rel="openid.delegate" href= "http://nilsmagnus.myopenid.com/" />
The provider-side server specifies the first relation; the second restates the name of the identity. The provider will typically set up a page to make this information available to websites that request login information. However, a user could alternatively integrate the necessary details into a personal homepage or blog. In that case, your own address would serve as your OpenID.
Logging In
An application that supports OpenID will display an OpenID login field in addition to the traditional login page. For instance, Figure 1 shows the OpenID authentication page for the Amarok wiki.
When a user enters the URI-based ID, the web application, which is known as a consumer in OpenID speak, retrieves the server portion of the URI. OpenID refers to the server as the identity provider.
The consumer (the Amarok wiki, in this case) asks the provider for the name associated with the URI. To do so, it redirects to the provider's website, and the provider indicates who has issued the request. The user then agrees to the request by entering a password. The provider redirects the browser back to the consumer site, where the user is now logged in.
One practical feature of OpenID is that you can store several attributes for a single identity with a provider, for example, your full name, your preferred language, or your date of birth (see Figure 2). A user who receives a consumer request can specify which data the provider should disclose to the consumer and which data to keep secret.
This approval process is important for preventing the misuse of a critical parameter, such as a bank PIN, which you can actually store along with your ID. Some providers let the user create multiple personae, each with a separate set of attributes.
This approach is also known as User-Centric Identity Management, in that every user can individually define the information the provider supplies to inquiring consumers.
Some identity providers issue identities for free. It is up to the user to decide which provider to trust. In contrast to the centralized approach used by Passport, a decentralized collection of OpenID providers compete with each other to offer services. Users are even free to set up their own provider.
If you are interested in developing your own solution, open source packages are available in programming languages such as Perl, PHP, Ruby, Python, and Java [7].
Security Concerns
You might be asking yourself how secure OpenID is if anybody can act as a provider. Can an attacker spoof or hijack an identity? The first question points to a classic security issue: If you can manipulate a third party website, you can redirect people to your own identity provider or write one to fit the bill.
In other words, security is in the hands of the people running the hosting site. Considering the code quality of many sites written in popular scripting languages, this is a concern, but not a fundamental argument against OpenID.
The second question is trickier: Can a hacker sniff the communications between the consumer and identity provider and store the sessions? After all, the provider sends a confirmation message in case of successful authentication. An attacker could try to present a recorded session as credentials for a new login. However, this can be prevented by enabling OpenID SSL/TLS to secure the connection and adding a challenge to each request. This approach means that any response will be valid once only, which rules out trivial recycling.
Despite this, it is not a good idea to underestimate the complexity of stateful session management in a stateless protocol like http, which is the basis for OpenID. The fact that various web applications have been compromised is a clear indication of the dangers, assuming you believe surveys and whitepapers [8].
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.