Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the future of OpenID, OpenID2, Open Connect? Is it worth implementing a provider? [closed]

I see OpenID logins available everywhere, and decided that I should look into implementing my own provider on my server so I can control my information and my login.

This is, surprisingly, quite complicated and difficult.

Even though many sites allow OpenID logins (such as this one), I am discovering the following issues:

  1. Many simple "roll-your-own" single identity OpenID Provider solutions are now vaporware.
  2. There have been pretty severe ongoing security issues with OpenID:

http://en.wikipedia.org/wiki/OpenID#Security

  1. Many OpenID Providers seem to have disappeared (MyOpenID.com, getopenid.com, etc..)
  2. The protocol seems to be constantly changing with previous versions dropped (perhaps due to security issues?)

As an example, this solution on SO from Aug'13 about using Google Plus/Profiles as a delegate now gets an error from Google saying that OpenID 2.0 support is being removed from Google by this April and replaced with OpenID Connect:

Delegate OpenID to Google (NOT Google Apps)

Does anyone even offer a simple OpenID Connect single identity provider? Looking at OpenID's list of OpenID provider software doesn't mention any OpenID Connect solutions at all, not to mention that the page hasn't been updated in 4 years!

http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server

Looking through all this information, it makes me really happy I shelved my plan a couple years ago to implement OpenID 2.0 on my server, since that looks like it's becoming obsolete already, and I can't figure out an easy way to just prove my identity. It's surprising that I can't just do a single package install and edit a config file and go. Most of the simpler implementations involve installing and using PHP, which has it's own security issues that need to be learned about.

So - anyone who is an expert on OpenID and where it is going who can give me some advice on how to just setup my on identity provider or if it's worth the difficulty? I'd love to have control over my information and distribution of my email address as well as have a permanent identity, but if the standard is going to keep changing then it's not really permanent.

like image 525
David Ljung Madison Stellar Avatar asked Feb 12 '15 02:02

David Ljung Madison Stellar


1 Answers

OpenID 2.0 is deprecated, and just today the OpenID Foundation approved an OpenID 2.0 to OpenID Connect Migration Guide.

I'm not an expert on OpenID, but it's important to be aware that OpenID Connect is fundamentally different from older versions. In particular, it runs on top of OAuth, so the Relying Party must obtain OAuth credentials from the Service Provider.

There is spec that allows the RP to automatically obtain these OAuth Credentials (called Dynamic Client Registration), but the spec is marked as "optional", it is not widely supported in client libraries, and I severely doubt we'll be seeing many applications implementing Dynamic Client Registration.

The movement to OpenID Connect takes the power away from both users and from application developers (not to mention the smaller identity providers) and gives it all to the large, name-brand service providers. So unfortunately, it looks like the idea of setting up your own personal OpenID Provider is not going to be future proof.

like image 83
sffc Avatar answered Oct 10 '22 03:10

sffc