
Is OpenID too complicated? [closed]

I'm beginning to seriously doubt the OpenID community despite the fact that it works.

I'm in the process of currently evaluating OpenID as an authentication service for 'this' site and while the promises are great, I just can't get it to work. And I'm really lost.

I ask of the SO community to help me out here. Give me answers and show me examples so I can leverage this in the way it was meant to be.

My scenario is very typical. I want to authenticate users through a specific Google Apps domain. If you have access to this Google Apps domain, then you have access to my web application.

Where I get lost is all the prerequisites and dependencies involved.

  1. What is XRD?
  2. What is Yadis?
  3. Why do I need XRD and Yadis?
  4. What do I need to do to deploy OpenID authentication on my website?

Also, this is really important to me.

When I log in to SO, I use my Google Account. When I click the login button I'm presented with this confirmation page, where I'm granting SO the right to use my Google Account credentials.

Somehow, Google knows that it's "Stackoverflow.com" that's asking me if it's okay to log in. And I wish to know what manner of control I have over this little text. I intend to deploy OpenID on several different domains, but I would prefer if they would all work without having to be individually configured with special parameters, such as secret API keys and whatnot. However, I don't know for sure if this is a prerequisite of OpenID, that or the Federated Login API that Google provides.

John Leidegren asked Jan 27 '10 07:01



1 Answer

To actually answer your question (i.e. disregarding all argumentative points), I'm as-we-speak using DotNetOpenAuth to implement OpenID authorisation for one of my sites, and it's been quite trivial.

It's just a .NET control you drop in, configure a tiny amount of things, and then let it link to Forms authentication. Quite nice.

Noon Silk answered Sep 19 '22 13:09