Me, Myself and OpenID

2008-07-09, , , Comments

That’s not strictly Python

[PyCon UK]

At the opening day of PyCon UK 2007 Simon Willison delivered a keynote presentation entitled “Building the Social Web with OpenID”. Willison is an assured and expert presenter, and it took him just an hour to work through 146 multimedia slides pitching OpenID as, in a sentence:

“single sign-on for the web.”

At the time I felt disappointed: I’d expected something more directly related to Python. Looking back from almost a year on, I realise that the presentation I got most from at that conference also had little directly to do with Python (Dr. Terry Jones, “Fluidinfo - towards the next everything”[1]). For me, conferences are a chance to step back and reflect, to learn about new things, which is why, this year, I chose to attend the more eclectic ACCU 2008 conference.

Viral networks

Simon Willison’s 2007 keynote has turned out to be a slow-burner. I’m a curmudgeon when it comes to the social web: I didn’t start instant-messaging until recently, and although I’ve signed up for FaceSpace, HookdUp! and InKrowd[2] I forget why and can’t claim to get what they’re about.

Despite my reticence, invitations to join some new social network regularly appear in my inbox, usually from my oldest nephew. He’s not trying to rescue me; I just happen to be in his address book, and he doesn’t think twice about handing over the keys to his online identity whenever he signs up to some network. There’ll be a prompt:

Let your friends know you’ve joined MeeToo!

All you then have to do is enter your Microyahooglesoft! password and anyone you’ve ever emailled will receive your invitation to connect; thus the invitations replicate, like a chain letter, but without the expense of copying or postage.

What you will have to do, though, and keep doing, is reinvent yourself by claiming a new username and password for every network you join. Inevitably you’ll recycle passwords. And so your disparate online identities share a common vulnerability.

OpenID

[OpenID]

OpenID aims to address several problems with this picture.

  • If a website allows you the chance to sign-up using OpenID, you don’t have to create a new identity to use that site. You don’t have to trust the site with your credentials at all. Authentication is done off-site by your chosen OpenID provider. Here’s a short clip in which Simon Willison demonstrates how it works:

  • Like all that’s good about the internet, OpenID is an open and free standard. I’m hoping this means it really is secure! It also means developers have a choice of implementations and users have a choice of providers.

  • The OpenID tagline, “single sign-on for the web”, can be misleading. You’re not limited to a single identity. It’s perfectly valid to create separate identities for separate roles, just as fiction writers might choose to publish in different genres using different names.

  • Leading blog sites already support OpenID, meaning you can maintain an identity when, e.g., commenting on WordPress, Blogger and LiveJournal blogs.

  • I’ve noticed an increasing interest in OpenID. More people write about it, more sites offer it. Here’s a graph on the JanRain blog showing the increase in Unique Relying Parties (sites that accept OpenID).

[OpenID relying parties]

Mistrust

So much for the hype. Software developers have a healthy skepticism for new technologies, as evidenced in this article by Alan Lenton. Unfortunately the article is weakened by a few misconceptions but the closing paragraph did make me stop and think.

Finally, who would you trust your personal information to? Microsoft? Google? Yahoo? IBM? VeriSign? Not a cat in hell’s chance!

Well, an OpenID identifier is just a URL which you can prove you own. If you already own a domain you can use a URL within that domain, and it’s possible to change your OpenID provider without changing your identity using delegation. You just add a couple of links to the head of the page at this URL. The OpenID specification shows how an end user would delegate to their LiveJournal account.

<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://exampleuser.livejournal.com/">

This simple indirection allows you to maintain an identifier while changing providers. With just a little more effort you can host your own identity server. Of course there’s much to be said for using a specialist third party but I wanted to see how easy a do-it-yourself approach could be.

For me, the easiest way turned out to be phpMyID, a standalone, single user, OpenID Identity Provider implemented in just two files. One, a configuration file, you edit, supplying your username and a secure hash of your chosen password; the other contains an OpenID implementation in PHP. Upload both files to your webserver. And that’s it.

The project documentation is good. In addition, a fine tutorial by Sam Ruby walks through the process, explaining each step and polishing the URLs, and JanRain provides a form allowing you to check your OpenID. For the record, my identifier is tag.wordaligned.org and the lighttpd server configuration looks like this:

$HTTP["host"] == "tag.wordaligned.org" {
    server.document-root = basedir + "self"
    fastcgi.server = (
        ".php" => ((
            "bin-path" => "/usr/local/bin/php-cgi",
            "socket" => basedir + "lighttpd/php.socket"
    ))),
    index-file.names  = ( "index.php", "index.html" )
    ...
}

Next steps

Single sign-on for the web is doubly misleading. You can only sign on to those parts of the web which accept OpenID, and that doesn’t include many of the sites which I’ve actually bothered signing up for to date. But now that I have an OpenID, I’ll be using it when I can. Watch this space!


[1] I recommend subscribing to Terry Jones’ blog: lots of original, thought-provoking material. Simon Willison’s blog is also an excellent source of material for anyone interested in Web development. You can sign into it using OpenID.

[2] I invented these site names as silly parodies. It turns out they’ve all been registered and some are indeed operating social networks.