OpenID is a way to authenticate oneself to different sites with a single account. This works by making use of HTTP redirection. The following sequence diagram gives an overview of the general actions involved in authenticating users.

While OpenID is an exciting technology, the following points need mentioning.
- The Website that offers access via OpenID cannot connect your OpenID to accounts you have on other websites. The OpenID specification suggests that websites treat an OpenID as confidential information.
- The OpenID Provider knows of each site that you want to authenticate with using your OpenID. No wonder the usual suspects are providing you with OpenIDs; it allows them to build more complete user profiles.
- The OpenID Provider can impersonate any user for whom it provides an OpenID.
- Using OpenID for authentication does not abolish the need for fighting bots and spam. A user signing into a Website with an OpenID for the first time might be a bot, and the usual precautions should be employed, as when registering by other means.
- With the request for an authentication page (6) the Browser might send a cookie. This cookie identifies the user to the OpenID Provider. If the user has previously decided to trust (or to distrust) the Website, the OpenID Provider can choose to do without items 7, 8, 9, 10 and continue directly with 11.
- Sequence diagrams are a great way of visualizing complex workflows.
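The shortcut in the last-but-one point, where a stored trust decision lets the Provider skip the consent steps 7 to 10, can be modelled in a few lines. This is an added illustration, not code from the post: the session and trust tables are constructed sample data, and the one safety check it adds is the OpenID 2.0 rule that `openid.return_to` must lie within `openid.realm`, so a remembered decision for one realm is never reused for a return address outside it.

```python
"""Model of an OpenID Provider's decision at step 6 of the flow:
does a stored trust decision let it skip the consent screen (steps 7-10)?
Illustrative code only, not a real OpenID library."""
from urllib.parse import urlparse

# Constructed sample data: session cookie value -> authenticated user
SESSIONS = {"sid-abc123": "alice"}

# Constructed trust store: (user, realm) -> True (always allow) / False (always deny)
TRUST = {
    ("alice", "https://shop.example/"): True,
    ("alice", "https://spammy.example/"): False,
}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 requires return_to to lie within the realm: same scheme,
    host and port, and the realm path is a prefix of the return_to path.
    Wildcard realms ("http://*.example/") are not handled here."""
    rt, rl = urlparse(return_to), urlparse(realm)
    if rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    host_ok = rt.hostname == rl.hostname
    path_ok = rt.path.startswith(rl.path or "/")
    return host_ok and path_ok


def decide(params: dict, cookies: dict) -> str:
    """Return 'login', 'prompt', 'approve' or 'deny' for a checkid_setup request."""
    user = SESSIONS.get(cookies.get("op_session"))
    if user is None:
        return "login"          # no usable cookie: the user must log in at the OP first
    # Per the spec, a missing openid.realm defaults to the return_to URL.
    realm = params.get("openid.realm") or params["openid.return_to"]
    if not return_to_matches_realm(params["openid.return_to"], realm):
        return "deny"           # never honour a realm the return_to is outside of
    remembered = TRUST.get((user, realm))
    if remembered is None:
        return "prompt"         # steps 7-10: ask the user whether to trust this site
    return "approve" if remembered else "deny"   # skip straight to step 11
```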