Identity management on the web with Open ID
ID Check

OpenID offers an open standard for logging on to closed-door websites.
Web 2.0 is not everybody's idea of a good thing. One problem is the multitude of password-protected websites. Personal blogs, virtual communities from Xing to Facebook, and sites that manage workflow, expenses, and vacation planning often rely on web-based applications with private user accounts. This overload of passwords and login boxes is causing some hapless users to lose track of all the options. As long as users work on a single, local, physical device (or can access a server in the vicinity), tools such as the password managers offered by most web browsers, as well as alternatives such as KDE wallet, are useful aids. But the Web 2.0 paradigm assumes the user can move about and log in from different locations.
Community Approach
Identity management solutions provide a more mobile and flexible solution for simplifying web login. These tools often employ the principle of a trusted third party. A few large global players have stepped up with services that offer single-source, trusted third party login solutions. Microsoft's Passport system was created in line with this belief. Today, Microsoft markets Passport as "Windows Live ID" [1]. Many users, however, are wary of becoming dependent on proprietary applications.
An early alternative known as the Liberty Alliance Project [2] offered a more open approach, but it was widely regarded as an overspecified dinosaur, and the Liberty Alliance still has not found widespread acceptance despite a seven-year effort. The OpenID project, under the auspices of the OpenID Foundation [3], relies on simpler functionality that can be integrated more easily into online authentication systems.
Users who choose the OpenID alternative do not enter a user name but, instead, identify themselves with a URI (Uniform Resource Identificator) that can be displayed in a web browser. The URI can be a web address offered by an OpenID service, such as http://nilsmagnus.myopenid.com with Myopenid [4]. The type of identity is not important as long as a browser can access the page. The page needs to add a tag that points to the service provider:
<link rel="openid.server" href="http://www.myopenid.com/server" /> <link rel="openid.delegate" href= "http://nilsmagnus.myopenid.com/" />
The provider-side server specifies the first relation; the second restates the name of the identity. The provider will typically set up a page to make this information available to websites that request login information. However, a user could alternatively integrate the necessary details into a personal homepage or blog. In that case, your own address would serve as your OpenID.
Logging In
An application that supports OpenID will display an OpenID login field in addition to the traditional login page. For instance, Figure 1 shows the OpenID authentication page for the Amarok wiki.
When a user enters the URI-based ID, the web application, which is known as a consumer in OpenID speak, retrieves the server portion of the URI. OpenID refers to the server as the identity provider.
The consumer (the Amarok wiki, in this case) asks the provider for the name associated with the URI. To do so, it redirects to the provider's website, and the provider indicates who has issued the request. The user then agrees to the request by entering a password. The provider redirects the browser back to the consumer site, where the user is now logged in.
One practical feature of OpenID is that you can store several attributes for a single identity with a provider, for example, your full name, your preferred language, or your date of birth (see Figure 2). A user who receives a consumer request can specify which data the provider should disclose to the consumer and which data to keep secret.
This approval process is important for preventing the misuse of a critical parameter, such as a bank PIN, which you can actually store along with your ID. Some providers let the user create multiple personae, each with a separate set of attributes.
This approach is also known as User-Centric Identity Management, in that every user can individually define the information the provider supplies to inquiring consumers.
Some identity providers issue identities for free. It is up to the user to decide which provider to trust. In contrast to the centralized approach used by Passport, a decentralized collection of OpenID providers compete with each other to offer services. Users are even free to set up their own provider.
If you are interested in developing your own solution, open source packages are available in programming languages such as Perl, PHP, Ruby, Python, and Java [7].
Security Concerns
You might be asking yourself how secure OpenID is if anybody can act as a provider. Can an attacker spoof or hijack an identity? The first question points to a classic security issue: If you can manipulate a third party website, you can redirect people to your own identity provider or write one to fit the bill.
In other words, security is in the hands of the people running the hosting site. Considering the code quality of many sites written in popular scripting languages, this is a concern, but not a fundamental argument against OpenID.
The second question is trickier: Can a hacker sniff the communications between the consumer and identity provider and store the sessions? After all, the provider sends a confirmation message in case of successful authentication. An attacker could try to present a recorded session as credentials for a new login. However, this can be prevented by enabling OpenID SSL/TLS to secure the connection and adding a challenge to each request. This approach means that any response will be valid once only, which rules out trivial recycling.
Despite this, it is not a good idea to underestimate the complexity of stateful session management in a stateless protocol like http, which is the basis for OpenID. The fact that various web applications have been compromised is a clear indication of the dangers, assuming you believe surveys and whitepapers [8].
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
LibreOffice 7.5 has Arrived and is Loaded with New Features and Improvements
The favorite office suite of the Linux community has a new release that includes some visual refreshing and new features across all modules.
-
The Next Major Release of Elementary OS Has Arrived
It's been over a year since the developers of elementary OS released version 6.1 (Jólnir) but they've finally made their latest release (Horus) available with a renewed focus on the user.
-
KDE Plasma 5.27 Beta Is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.