Tuesday, April 22, 2008

Why OpenID?

Let's start with the formal definition.

"OpenID is a URL which facilitates decentralized single sign-on."

"Decentralized" may sound odd at first; let me explain what it really means.

"Decentralized" means it is not centralized; in other words, there is no central server controlling everything. Comparing this with Microsoft Passport is the best way to understand it. Under Microsoft Passport there is a single central server, run by Microsoft, that controls everything and facilitates single sign-on. Under OpenID there is no such central server: anyone can run an OpenID Provider, and if you wish you can run your own.

Second point: how OpenID facilitates SSO.

With SSO you log in once with your credentials, and thereafter you access different relying party web sites without having to log in to the OpenID Provider again. Each relying party redirects you to the OpenID Provider for authentication. On that first redirect the OpenID Provider gives you the option of letting it remember you (in practice it sets a session cookie in your browser), which saves you from logging in again. If you accept, you present your credentials to the OpenID Provider only once; for the rest of the relying party web sites the Provider recognises your existing session and sends you straight back. Keep in mind that this convenience cuts both ways: whoever can use that browser session, or knows your OpenID Provider password, can sign in to every relying party you use.

This is not the only benefit of using OpenID.

With OpenID you need not maintain different profiles, and separate user names and passwords, at different relying party web sites. Once you maintain a single profile at your OpenID Provider, you can simply share it with the rest.

Another key benefit is that with OpenID you never lose your favourite user name.

In the context of OpenID your user name is your OpenID. It need not be a URL derived from the user name you use to log in to your OpenID Provider.

For example, say I sign up with myopenid.com with the user name 'prabath' and get prabath.myopenid.com as my OpenID. My user name at OpenID relying party web sites is then prabath.myopenid.com, not just 'prabath'; 'prabath' is only the user name I use to log in to the OpenID Provider.

prabath.myopenid.com is assigned to me by my OpenID Provider. But what if it is not my favourite user name, in other words not my favourite OpenID? I may not want to use the OpenID given to me by my OpenID Provider. I have a blog, and I want to use my blog URL as my OpenID: that is my favourite OpenID, or in other words my favourite user name for other OpenID relying party web sites.

This can easily be done with OpenID. You simply add a tag to the HTML head of your blog which delegates OpenID authentication to your OpenID Provider (in OpenID 2.0 these are the link tags with rel="openid2.provider" and rel="openid2.local_id"; in OpenID 1.1, rel="openid.server" and rel="openid.delegate"). With this you can keep your profile at any OpenID Provider and still choose an OpenID as you wish. Keep in mind that it must be a URL you own; otherwise there is no way for you to add the delegate tags that point to your OpenID Provider.

Another benefit of OpenID is that you never lose it. I guess this requires a better explanation.

Say you maintain different accounts at different relying party web sites and you lose your password, or somebody else gets hold of it. If the other person changes the password, the account is lost forever, with no recovery at all. If this is your Yahoo account or your Facebook account, the damage is immense and your online identity can be destroyed.

I can see a BIG question mark right on top of your nose :-). How does OpenID solve this?

With OpenID you always use a URL which is totally under your control, on a domain you own. You can open an account with any OpenID Provider and still use your own URL, delegating it to that Provider. So what if you lose your OpenID Provider password? Whoever stole it has access to all your relying party web sites, but the damage is limited to the time until you realise the password is gone. You need not worry about the lost password: you still own your OpenID URL, so you simply open an account with a new OpenID Provider and change the delegate tags on your web page to point to the new account. That makes the stolen password useless. The flip side is that everything now rests on the page carrying those delegate tags: whoever can edit that page, or take over the domain, can point your OpenID at a Provider of their choosing, and if relying parties fetch the page over plain HTTP rather than HTTPS, the tags can be tampered with on the way as well. So the blog password and the domain registration deserve at least as much care as the OpenID Provider password.
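To make the delegation mechanism and the recovery story concrete, here is an added example (my own code, not anything from the original post or from any OpenID library) of what a relying party does when it is handed a delegated identifier: it fetches the page, reads the delegate link tags (OpenID 2.0 tags first, OpenID 1.1 tags as a fallback), and learns which Provider and which OP-local identifier to use. The same code then shows the recovery step: the blog page is re-pointed at a new Provider, and the relying party's discovery-consistency check (OpenID 2.0 section 11.2) rejects an assertion that still names the old Provider. The host names blog.example.com, op-one.example and op-two.example and the two page bodies are constructed for the example; no network access is involved, the HTML is fed in directly.

```python
"""HTML-based OpenID discovery for a delegated identifier, plus the RP-side
consistency check.  Added example, not code from the original post; host
names and page contents below are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import Dict, Optional


class _LinkCollector(HTMLParser):
    """Collects rel -> href pairs from <link> tags inside the document <head>.
    The first tag for a given rel wins, as an RP would read the page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False
        self._head_done = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head and not self._head_done:
            a = dict(attrs)
            href = a.get("href")
            # rel may hold several space-separated tokens
            for rel in (a.get("rel") or "").lower().split():
                if href and rel not in self.links:
                    self.links[rel] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False
            self._head_done = True


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed into a claimed identifier URL (simplified
    form of OpenID 2.0 section 7.2): add http:// and a trailing slash."""
    ident = user_input.strip()
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    scheme, rest = ident.split("://", 1)
    if "/" not in rest:
        rest += "/"
    return scheme.lower() + "://" + rest


def discover(claimed_id: str, html: str) -> Optional[Dict[str, str]]:
    """What a relying party learns from the HTML served at claimed_id.
    OpenID 2.0 tags take precedence over 1.1 ones; without a local_id /
    delegate tag the claimed identifier itself is used as the OP-local id."""
    p = _LinkCollector()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        return {"version": "2.0", "claimed_id": claimed_id,
                "op_endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id", claimed_id)}
    if "openid.server" in links:
        return {"version": "1.1", "claimed_id": claimed_id,
                "op_endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate", claimed_id)}
    return None  # no OpenID markup: the RP cannot use this URL as an identifier


def assertion_matches_discovery(discovered: Dict[str, str],
                                assertion: Dict[str, str]) -> bool:
    """OpenID 2.0 section 11.2: accept a positive assertion only if the
    claimed_id, identity (OP-local id) and op_endpoint it carries are exactly
    the ones the RP discovered itself.  This is what keeps an OP from
    asserting an identifier that was never delegated to it."""
    return (assertion.get("openid.claimed_id") == discovered["claimed_id"]
            and assertion.get("openid.identity") == discovered["local_id"]
            and assertion.get("openid.op_endpoint") == discovered["op_endpoint"])


# Constructed page for the blog, delegating to an account at op-one.example
# (both 2.0 and 1.1 tags, as sites commonly published in 2008).
BLOG_BEFORE = """<html><head>
<link rel="openid2.provider" href="https://op-one.example/server">
<link rel="openid2.local_id" href="https://prabath.op-one.example/">
<link rel="openid.server" href="https://op-one.example/server">
<link rel="openid.delegate" href="https://prabath.op-one.example/">
</head><body>my blog</body></html>"""

# Same blog after the op-one password was lost: identical claimed identifier,
# delegate tags re-pointed at a fresh account at op-two.example.
BLOG_AFTER = """<html><head>
<link rel="openid2.provider" href="https://op-two.example/endpoint">
<link rel="openid2.local_id" href="https://op-two.example/id/prabath">
</head><body>my blog</body></html>"""

CLAIMED = normalize_identifier("blog.example.com")

# A positive assertion the thief could still obtain from the old Provider.
STALE_ASSERTION = {"openid.claimed_id": CLAIMED,
                   "openid.identity": "https://prabath.op-one.example/",
                   "openid.op_endpoint": "https://op-one.example/server"}


if __name__ == "__main__":
    before = discover(CLAIMED, BLOG_BEFORE)
    after = discover(CLAIMED, BLOG_AFTER)
    print("before:", before)
    print("after: ", after)
    print("old OP's assertion accepted before:", assertion_matches_discovery(before, STALE_ASSERTION))
    print("old OP's assertion accepted after: ", assertion_matches_discovery(after, STALE_ASSERTION))
```

Note that the check in assertion_matches_discovery is what does the work: the old Provider can still sign assertions for the old OP-local identifier, but a relying party that re-discovers the blog URL now expects op-two.example and refuses them. That is also why the delegate page itself, and the channel it is fetched over, become the thing to protect.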