
OpenID - Framework for Identity Management

OpenID Standard

OpenID is an open standard for delegating authentication on websites and other web-based services. It implements the idea of single sign-on: a user logs in once with an identity provider and can then use various different services without logging in to each of them again.

The user registers with an OpenID provider, which manages the user's identities. When the user wants to log in to a website, the browser is redirected to the OpenID provider, where the user authenticates. After authentication the OpenID provider automatically redirects the user back to the website and passes along the necessary information (a signed assertion about the user's identity) without any further action by the user.

The OpenID standard (version 2.0) only defines how the OpenID provider and the web services (called relying parties) communicate with each other and how the user is redirected to the OpenID provider for authentication. In addition, it defines how the two parties negotiate the properties of their connection (the so-called association), e.g. whether the shared secret used for signing the assertions is transmitted encrypted.

OpenID Extensions

In addition to the standard there are also two extensions released, which are both used in eID Connect:

  • OpenID Attribute Exchange: This extension allows the relying parties and the OpenID provider to exchange user attributes. A website can request certain information about the user, and the OpenID provider can supply it. Usually the provider asks the user for approval on the first request and remembers this decision for future requests.

  • OpenID Provider Authentication Policy Extension: This extension covers the strength of the authentication procedure and its security level. There are different levels, e.g. starting with authentication by username and password up to two-factor authentication with dedicated crypto hardware. However, this extension is rarely used, because most websites are satisfied with the usual password login and most OpenID providers do not offer an alternative anyway.

In eID Connect the attribute exchange extension is used to provide the relying parties with the user's attributes. However, the protocol is extended so that additional information about the personal data can be provided: the eID Connect server can tell the relying party whether a piece of data has been verified by the German ID card. In this case the server asks for the user's permission not just once but on every request by a relying party.

The authentication policy extension is also supported in eID Connect, since eID Connect also supports login via hardware token and via the German ID card.

Development and Adoption

The protocol was originally developed in 2005 by Brad Fitzpatrick, who was working at Six Apart Ltd. at the time. In the following two years additional companies joined the project, assisting in development or creating OpenID providers, including Microsoft, AOL and Sun Microsystems. In 2007 they founded the OpenID Foundation, which published the OpenID standard and continued its development.

In the meantime more companies joined the OpenID Foundation, including Facebook, Google, Yahoo and PayPal, which either became relying parties or OpenID providers themselves. At Facebook this means that it is possible to log in to Facebook with OpenID; however, their own interface 'Facebook Connect' (which is used for like buttons and Facebook apps) is much more complex.

OpenID is a widely used Internet standard, especially for small web blogs and portals, but some large companies in the OpenID Foundation also support the standard. The number of users worldwide is estimated at over one billion (Google's Gmail is counted as an OpenID provider) and the number of websites at several million.

Security

Over the years OpenID has had several security issues, not all of which could be solved. For instance, OpenID is susceptible to phishing attacks: the automatic redirection is controlled by the relying party, so a malicious site can send the user to a page that imitates the OpenID provider's login form instead of to the real provider. Additionally, there was a vulnerability where an attacker could change some of the user's attributes during a regular login, for example the email address, because relying parties accepted attribute values from the redirect that were not covered by the provider's signature.
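The redirect-based exchange described in the OpenID Standard section and the attribute-tampering problem above, as an added example that is not code from this page or from eID Connect. It simulates the provider signing a positive assertion (openid.mode=id_res) with an HMAC-SHA256 association and then runs the checks a relying party must perform before trusting it: required fields covered by the signature, no unsigned openid.* parameters (which is what lets an attacker append an Attribute Exchange email on the way back), signature, return_to, and nonce freshness and replay. The endpoints rp.example and op.example, the association handle and all attribute values are made up for the demonstration.

```python
"""OpenID 2.0 positive assertion: OP-side signing and RP-side verification.
Added example; endpoints, association and user data below are constructed."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed association (normally set up via an "associate" request, OpenID 2.0 sec. 8).
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = secrets.token_bytes(32)                 # HMAC-SHA256 association
RETURN_TO = "https://rp.example/openid/return"    # assumed relying-party endpoint
OP_ENDPOINT = "https://op.example/openid"         # assumed provider endpoint

# Fields that openid.signed must always cover (sec. 10.1).
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                  "assoc_handle", "claimed_id", "identity")
# The only openid.* keys this RP allows outside the signature.
UNSIGNED_OK = {"openid.mode", "openid.sig", "openid.signed"}


class BadAssertion(Exception):
    pass


def kv_form(msg, keys):
    """Key-Value Form of the signed keys, in openid.signed order (sec. 4.1.1)."""
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in keys)


def op_sign(msg, keys, mac_key):
    """Provider side: add openid.signed and a base64 HMAC-SHA256 openid.sig (sec. 6.1)."""
    mac = hmac.new(mac_key, kv_form(msg, keys).encode(), hashlib.sha256).digest()
    return {**msg, "openid.signed": ",".join(keys), "openid.sig": base64.b64encode(mac).decode()}


def make_nonce():
    """response_nonce: UTC timestamp followed by unique characters (sec. 10.1)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4)


def build_assertion(ax_email=None):
    """Simulate the provider's redirect back to the RP, optionally with a signed AX email."""
    msg = {
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.response_nonce": make_nonce(), "openid.assoc_handle": ASSOC_HANDLE,
    }
    keys = ["ns", *MUST_BE_SIGNED]   # "ns" is signed here too; the spec only mandates the six above
    if ax_email is not None:
        msg.update({"openid.ns.ax": "http://openid.net/srv/ax/1.0", "openid.ax.mode": "fetch_response",
                    "openid.ax.type.email": "http://axschema.org/contact/email",
                    "openid.ax.value.email": ax_email})
        keys += ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    return op_sign(msg, keys, MAC_KEY)


def verify_assertion(msg, assoc_store, seen_nonces, now=None, max_skew=300):
    """Relying-party checks (secs. 10.1 and 11). Returns the AX attributes, else raises."""
    if msg.get("openid.mode") != "id_res":
        raise BadAssertion("not a positive assertion")
    if msg.get("openid.return_to") != RETURN_TO:
        raise BadAssertion("return_to mismatch")
    mac_key = assoc_store.get(msg.get("openid.assoc_handle"))
    if mac_key is None:   # a real RP would fall back to check_authentication at the OP
        raise BadAssertion("unknown association handle")
    signed = msg.get("openid.signed", "").split(",")
    if any(k not in signed for k in MUST_BE_SIGNED):
        raise BadAssertion("required field not signed")
    # Stricter than the spec minimum: every openid.* parameter must be signed. This is the
    # check that stops a browser-side injection of an unsigned openid.ax.value.email.
    unsigned = [k for k in msg if k.startswith("openid.") and k not in UNSIGNED_OK and k[7:] not in signed]
    if unsigned:
        raise BadAssertion(f"unsigned parameters present: {unsigned}")
    if any("openid." + k not in msg for k in signed):
        raise BadAssertion("signed list names an absent field")
    expected = hmac.new(mac_key, kv_form(msg, signed).encode(), hashlib.sha256).digest()
    try:
        got = base64.b64decode(msg.get("openid.sig", ""))
    except ValueError:
        raise BadAssertion("bad signature encoding")
    if not hmac.compare_digest(expected, got):
        raise BadAssertion("bad signature")
    nonce = msg["openid.response_nonce"]
    issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(((now or datetime.now(timezone.utc)) - issued).total_seconds()) > max_skew:
        raise BadAssertion("nonce timestamp outside window")
    if nonce in seen_nonces:
        raise BadAssertion("replayed response_nonce")
    seen_nonces.add(nonce)
    return {k[len("openid.ax.value."):]: v for k, v in msg.items() if k.startswith("openid.ax.value.")}


def demo():
    """Runs a valid login and three tampered variants; returns the outcome of each."""
    assoc_store, seen, results = {ASSOC_HANDLE: MAC_KEY}, set(), {}

    def attempt(name, msg):
        try:
            results[name] = ("ok", verify_assertion(msg, assoc_store, seen))
        except BadAssertion as e:
            results[name] = ("rejected", str(e))

    good = build_assertion(ax_email="alice@example.org")
    attempt("valid login", good)
    attempt("replayed login", good)
    # The attacker (or the user) appends an unsigned AX email to the redirect URL.
    attempt("unsigned AX injection", {**build_assertion(), "openid.ns.ax": "http://openid.net/srv/ax/1.0",
            "openid.ax.mode": "fetch_response", "openid.ax.type.email": "http://axschema.org/contact/email",
            "openid.ax.value.email": "admin@rp.example"})
    # Changing a signed attribute breaks the HMAC.
    attempt("modified signed email", {**build_assertion(ax_email="alice@example.org"),
                                      "openid.ax.value.email": "admin@rp.example"})
    return results
```

Calling demo() shows the valid login returning the email, and the replay, the unsigned injection and the modified attribute each rejected for the reason the corresponding check produced. The "all openid.* parameters must be signed" rule is deliberately stricter than the specification's minimum; a relying party that checks only the six mandatory fields is exactly the one that accepts an injected email address.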

Due to these issues, OpenID is mostly used for non-critical applications, e.g. to log in and comment on web blogs. It is discouraged to use OpenID for applications with financial risk.

One way to reduce these risks is to restrict OpenID to known providers and relying parties. Especially when the relying party and the OpenID provider are known to each other and have a way of authenticating each other, OpenID can be used as a common standard for communication.