OpenID is a decentralized Single Sign-On system. Using OpenID-enabled sites, web users do not need to remember traditional authentication tokens such as username and password. Instead, they only need to be previously registered on a website with an OpenID "identity provider" (IdP). Since OpenID is decentralized, any website can employ OpenID software as a way for users to sign in; OpenID solves the problem without relying on any centralized website to confirm digital identity.
OpenID is increasingly gaining adoption among large sites, with organizations like Google, Microsoft, IBM, Verisign, Yahoo!, AOL and Orange acting as providers. In addition, integrated OpenID support has been made a high priority in Firefox 3, and OpenID can be used with Windows CardSpace.
OpenID was originally developed by Brad Fitzpatrick of LiveJournal. It was not clear at the time that Fitzpatrick's technology would prevail as a standard, however, as multiple competing and technically sound alternatives were being implemented simultaneously. Through a series of important face-to-face meetings, developers and stakeholders created a common, interoperable standard now called OpenID. Some primary players were, in no particular order, Lightweight ID, Yadis, the "Sxip DIX" protocol that was proposed at the IETF, and XRI/"i-name". Future OpenID specifications are being developed in a "meritocratic fashion" on openid.net, involving many technology companies, user companies and OSS developers.
To help spawn additional deployment, a group of vendors announced a US$50,000 developer bounty program in August 2006, offering $5,000 each to the first ten large-scale Open Source projects to implement OpenID support.
Work is currently underway on OpenID Authentication 2.0, which will use the Yadis service discovery protocol. OpenID is developing into a much more complete framework that will support other identity services besides authentication.
A basic glossary of the terms used with OpenID:
- End user : The person who wants to assert his or her identity to a site.
- Identifier : The URL or XRI chosen by the End User as their OpenID identifier.
- Identity provider or OpenID provider : A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services). Note that the OpenID specifications use the term "OpenID provider" or "OP".
- Relying party : The site that wants to verify the end user's identifier.
- Server or server-agent : The server that verifies the end user's identifier. This may be the end user's own server (such as their blog), or a server operated by an identity provider.
- User-agent : The program (such as a browser) that the end user is using to access an identity provider or a relying party.
- Consumer : An obsolete term for the relying party.
A website, such as example.com, which wants to enable OpenID logins for its visitors, places a login form somewhere on the page. Unlike a typical login form, which prompts the user for a user name and password, there is only one field, for the OpenID identifier. The site may choose to display a small OpenID logo next to the field. This form is connected to an implementation of an OpenID client library.
If a user named Alice wants to log in to example.com using the OpenID identifier alice.openid.example.org that she has registered with the identity provider openid.example.org, she simply goes to example.com and types alice.openid.example.org in the OpenID login box.
If the identifier is a URL, the first thing the relying party (example.com) does is transform this URL into a canonical form, e.g., http://alice.openid.example.org/. With OpenID 1.0, the relying party then requests the web page located at that URL and, via an HTML link tag, discovers that the provider server is, say, http://openid.example.org/openid-auth.php. It also discovers whether it should use a delegated identity (see below). Starting with OpenID 2.0, the client does discovery by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml, which may be available at the target URL and is always available for a target XRI.
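The identifier normalization and HTML link-tag discovery just described, as an added example that is not code from the original page or from any OpenID library; it covers the HTML-based path only (the openid.server/openid.delegate tags of 1.x and the openid2.provider/openid2.local_id tags of 2.0), not XRDS/Yadis, and the sample page for alice.openid.example.org is constructed here:

```python
# Added example: OpenID 1.x/2.0 HTML-based discovery for a relying party.
# Step 1 normalises what the user typed into the canonical URL form;
# step 2 fetches (here: parses a constructed copy of) that page and reads
# the provider endpoint and optional delegate from its <link> tags.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

def normalize_identifier(raw: str) -> str:
    """Turn 'alice.openid.example.org' into 'http://alice.openid.example.org/'."""
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https"):
        raise ValueError("identifier must be an http(s) URL")
    host = parts.hostname or ""
    if not host:
        raise ValueError("identifier has no host")
    netloc = host.lower()
    if parts.port is not None:
        netloc += f":{parts.port}"
    path = parts.path or "/"
    # A fragment is never part of the identifier; the query (rare) is kept.
    return urlunsplit((parts.scheme, netloc, path, parts.query, ""))

class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> tag; first occurrence wins."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():       # rel may carry several tokens
                self.links.setdefault(token.lower(), href)

def discover_from_html(html: str) -> dict:
    """Return the provider endpoint and delegate declared by an identifier page."""
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    if not endpoint:
        raise ValueError("no OpenID provider <link> found")
    delegate = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    return {"endpoint": endpoint, "delegate": delegate}

# Constructed sample page served at http://alice.openid.example.org/.
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="http://openid.example.org/openid-auth.php">
<link rel="openid.delegate" href="http://openid.example.org/users/alice">
</head><body>Alice's page</body></html>"""

if __name__ == "__main__":
    print(normalize_identifier("alice.openid.example.org"))
    print(discover_from_html(SAMPLE_HTML))
```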
There are two modes in which the relying party can communicate with the identity provider:
- checkid_immediate, which is machine-oriented and in which the relying party requests that the provider not interact with the user. All communication is relayed through the user's browser, but presumably without the user's knowledge.
- checkid_setup, in which the user communicates with the provider server directly using the very same web browser used to access the relying party site.
The second option is more popular on the Web; also, checkid_immediate can fall back to checkid_setup if the operation cannot be automated.
First, the relying party and the provider (optionally) establish a "shared secret", referenced by an association handle, which the relying party then stores. If using checkid_setup, the relying party redirects the user's web browser to the provider. In this case, Alice's browser is redirected to openid.example.org so Alice can authenticate herself with the provider.
The method of authentication may vary, but typically an OpenID provider asks for a password (and then possibly stores the user's session using cookies, as many websites with password-based authentication do). Alice may be prompted for her password if she was not logged in on openid.example.org, and then asked whether she trusts, say, http://example.com/openid-return.php (the page designated by example.com as the one where the user should return after completing authentication) to receive details about her identity. If she answers positively, OpenID authentication is considered successful and the browser is redirected to the designated return page with credentials given. If Alice decides not to trust the relying party site, the browser is still redirected; however, the relying party is notified that its request was rejected, so example.com refuses to authenticate Alice in turn.
However, the login process is not over yet because at this stage example.com cannot decide whether the credentials received really came from openid.example.org. If they had previously established a shared secret (see above), the relying party can validate the signature received with the credentials against the secret previously stored. Such a relying party is called stateful because it stores the shared secret between sessions. In comparison, a stateless or dumb relying party must make one more background request (check_authentication) to the provider to ensure that the data indeed came from openid.example.org.
After Alice's identifier has been verified, she is considered logged in to example.com as alice.openid.example.org. The site may then store the session or, if this is her first logon, prompt Alice to enter some information specific to example.com in order to complete registration.
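The stateful check described above, as an added example that is not code from the original page or from any OpenID library: a relying party looks up the stored association by handle and verifies the assertion's signature, which per the OpenID 2.0 rules is an HMAC (SHA-1 or SHA-256, by association type) over the key-value form "name:value\n" of exactly the fields listed in openid.signed, in that order. The association, key, nonce and response below are constructed sample data; the openid. prefix is dropped from field names for readability.

```python
# Added example: verifying a positive OpenID 2.0 assertion with a stored association.
import base64
import hashlib
import hmac

# Fields that a relying party must insist are covered by the signature; otherwise
# an attacker could hand the browser an assertion whose identity is unsigned.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}

def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value serialisation of exactly the signed fields, in signed order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode("utf-8")

def compute_signature(mac_key: bytes, assoc_type: str, fields: dict, signed: list) -> str:
    digest = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[assoc_type]
    mac = hmac.new(mac_key, kv_form(fields, signed), digest).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_assertion(response: dict, associations: dict, expected_return_to: str,
                     seen_nonces: set) -> bool:
    """True only for a fresh, correctly signed id_res issued for our return_to URL."""
    if response.get("mode") != "id_res":
        return False
    assoc = associations.get(response.get("assoc_handle"))
    if assoc is None:
        return False   # unknown handle: a stateless RP would now call check_authentication
    signed = response.get("signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed) or any(k not in response for k in signed):
        return False
    if response["return_to"] != expected_return_to:
        return False   # assertion was issued for a different site or page
    if response["response_nonce"] in seen_nonces:
        return False   # replay; a real RP also rejects nonces outside a time window
    expected = compute_signature(assoc["mac_key"], assoc["type"], response, signed)
    if not hmac.compare_digest(expected, response.get("sig", "")):
        return False
    seen_nonces.add(response["response_nonce"])
    return True

# Constructed association as example.com would store it after the associate step
# (the MAC key is normally exchanged over TLS or Diffie-Hellman encrypted).
MAC_KEY = b"\x01" * 32
ASSOCIATIONS = {"sample-handle": {"type": "HMAC-SHA256", "mac_key": MAC_KEY}}
RETURN_TO = "http://example.com/openid-return.php"

def sample_response() -> dict:
    """A constructed positive assertion for Alice, signed with the stored key."""
    r = {"ns": "http://specs.openid.net/auth/2.0", "mode": "id_res",
         "op_endpoint": "http://openid.example.org/openid-auth.php",
         "claimed_id": "http://alice.openid.example.org/",
         "identity": "http://alice.openid.example.org/",
         "return_to": RETURN_TO, "response_nonce": "2008-01-31T12:00:00Zabc",
         "assoc_handle": "sample-handle",
         "signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    r["sig"] = compute_signature(MAC_KEY, "HMAC-SHA256", r, r["signed"].split(","))
    return r

if __name__ == "__main__":
    print(verify_assertion(sample_response(), ASSOCIATIONS, RETURN_TO, set()))
```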
The "OpenBanking" sub-project of OpenID aims to provide a "more secure way for consumers & small businesses to share financial information & fintech companies to offer innovative banking & payment products/services".
- OpenBanking - Financial API (FAPI): https://fapi.openid.net
Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs.
There are two ways to obtain an OpenID-enabled URL that can be used to login on all OpenID-enabled websites.
- To use an existing URL under one's own control (such as one's blog or home page), and if one knows how to edit HTML, one can insert the appropriate OpenID tags in the HTML code following instructions at the OpenID specification.
- The second option is to register an OpenID identifier with an identity provider. They offer the ability to register a URL (typically a third-level domain) that will automatically be configured with OpenID authentication service.
XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms—"i-names" and "i-numbers"—that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.
OpenID Connect (commonly abbreviated as OIDC) is a specification for data sharing and Single Sign-On (SSO) built on OAuth 2.0: it shares user "claims" as JWTs, pairing OpenID as the authentication mechanism with OAuth as the authorization mechanism.
- OpenID Connect: http://openid.net/connect/
- Real-life OIDC Security (7-part study): https://security.lauritz-holtmann.de/post/sso-security-overview/
As of July 2007, there are over 120 million OpenIDs on the Internet (see below) and approximately 4,500 sites have integrated OpenID consumer support.
- AOL provides (brokers) OpenIDs, in the form "openid.aol.com/screenname".
- Orange offers OpenIDs to their 40 million broadband subscribers.
- SixApart blogging hosts LiveJournal and Vox. Both support OpenID; Vox as a provider and LiveJournal as both a provider and a relying party.
- WordPress.com also provides OpenIDs on all blog instances.
- Other services accepting OpenID as an alternative to registration include Wikitravel, photo sharing host Zooomr, linkmarking host Ma.gnolia, identity aggregator ClaimID, icon provider IconBuffet, and Basecamp and Highrise by 37signals.
- Blogger has added support for OpenID (if enabled) but does not currently serve as a provider.
- Yahoo! users can use their Yahoo! IDs as OpenIDs starting January 31st, 2008.
The OpenID Foundation is a 501(c)3 non-profit incorporated in the United States. The OpenID Foundation was formed to help manage copyright, trademarks, marketing efforts and other activities related to the success of the OpenID community. The singular goal of the OpenID Foundation is to protect OpenID.
The OpenID Foundation's board of directors has seven members:
- Scott Kveton (MyStrands)
- David Recordon (Six Apart)
- Dick Hardt (Sxip)
- Martin Atkins
- Artur Bergman (Wikia)
- Johannes Ernst (NetMesh)
- Drummond Reed (Parity and OASIS XRI and XDI TCs)
- Bill Washburn, Ph.D., of XDI.ORG, is the foundation's executive director.
- OpenID Providers: http://wiki.openid.net/OpenIDServers
RPX is a software as a service (SaaS) application that handles the user interface, authentication, and import of user profile and registration data for any web site. The API allows customization and integration.
- RPX: https://rpxnow.com/
openid-server JOS (Java OpenID Server) is a multi-domain, multi-user OpenID Provider.
- OpenID Server: http://code.google.com/p/openid-server/
R-Objects Inc. filed for the OpenID trademark (serial 78899244) on 2006-06-02 which was published for opposition on 2007-01-09, claiming a first use date of 2005-05-17 and a first use in commerce date of 2006-04-18. Sxip Identity Corporation subsequently filed for the OpenID trademark (serial 77041930) on 2006-11-11 but abandoned it on 2006-11-23. Randy "ydnar" Reddig claimed ownership of the OpenID logo on 2005-06-25 and announced plans to transfer it to Six Apart (or some OpenID.org).
There is a pending USPTO patent application with PCT priority from Denmark of 2001-03-09 that covers the central aspects of OpenID.
The official site currently states:
Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community.
Both Sun Microsystems and VeriSign have issued patent non-assertion covenants covering the OpenID 1.1 specifications. These covenants state that neither company will assert any of their patents against OpenID implementations, and that the promise is revoked for anyone who threatens or asserts patents against OpenID implementors.
The authentication protocol has been criticized as a phishing vector. For example, a malicious relying party may forward the end user to a bogus identity provider authentication page asking that end user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end user's account with the identity provider, and as such use that end user's OpenID to log into other services.
In an attempt to combat possible phishing attacks, some OpenID providers mandate that the end user be authenticated with them prior to an attempt to authenticate with the relying party. However, this relies on the end user knowing the policy of the identity provider, and regardless, this issue remains a significant additional vector for man-in-the-middle phishing attacks.
Other criticisms are that the addition of a third party (the identity provider) into the authentication process significantly adds complexity, and therefore the possibility of vulnerability, to the system. This system also shifts responsibility for the "quality" of authentication to the end user (in their choice of identity provider), a shift that the end user and the relying party (for example their bank) need to understand.
- RPX Now: https://rpxnow.com/ (JanRain has been one of the leading voices in the developer community and have contributed code libraries and commercial out-of-the-box solutions for enabling OpenID on your site quickly and conveniently. They provide a commercial out-of-the-box solution for quickly and easily implementing the OpenID protocol, with hooks into major third party providers such as sxip, identi.ca, MyOpenID, Facebook, MySpace, Google, Yahoo! and Windows Live / MSN (now with a "free" but limited version for instant use as well).)
- OpenID Connect - Debugger tool: https://oidcdebugger.com/
- OpenID Connect: https://openid.net/connect/
- Curity - OpenID free course: https://curity.io/resources/courses/openid-connect-in-detail/id-tokens-and-userinfo-endpoint/
- Introduction to OAuth 2.0 and OpenID Connect (E-Learning course): https://courses.pragmaticwebsecurity.com/courses/introduction-to-oauth-2-0-and-openid-connect
- OpenID Connect Java: 
- PHP OpenID Connect Basic Client: https://github.com/jumbojett/OpenID-Connect-PHP
- Gluu -- NodeJS/Java based OpenID Connect + LDAP + Shibboleth server: https://www.gluu.org/
Becoming a Provider
- OpenID -- Run your own identity server: http://wiki.openid.net/w/page/12995226/Run-your-own-identity-server
- OpenID Enabled - PHP OpenID Library: http://www.openidenabled.com/php-openid/
- Prairie - FREE OpenID solution: http://barnraiser.org/prairie
- OpenID for Java Web applications, Part 1 -- Enable your Java Web applications to use OpenID authentication: http://www.ibm.com/developerworks/java/library/j-openid/
- Use Java EE and OpenID Connect to Secure Your Java API : https://dzone.com/articles/use-java-ee-and-openid-connect-to-secure-your-java (tutorial by Okta SSO/IdP)
- Spring Security and OpenID Connect: https://www.baeldung.com/spring-security-openid-connect
- phpMyID v2.0 -- Fixing Abandoned OSS Software: https://adamcaudill.com/2014/04/19/phpmyid-fixing-abandoned-oss-software/
- HOWTO -- Setup Your Own OpenID Provider: https://lildude.co.uk/howto-setup-your-own-openid-provider
- Setting Up an OpenID Server with phpMyID: https://mikewest.org/2007/01/setting-up-an-openid-server-with-phpmyid
- OpenID for non-SuperUsers: http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers#claimYourBlog
- Setup and install of multiuser phpMyID (OpenID) under Plesk: http://www.bigsoft.co.uk/blog/index.php/2008/11/16/set-up-and-install-phpmyid
- Unable to log in with your OpenID provider -- no OpenID identifier was provided: https://meta.stackexchange.com/questions/79275/unable-to-log-in-with-your-openid-provider-no-openid-identifier-was-provided (using StackOverflow's OpenID login consumer)
- OpenID Connect (OIDC) changes to legacy OAuth 2.0 no longer suggested but standard: https://wso2.com/library/articles/a-primer-on-oauth-2-0-for-client-side-applications-part-1/
- Get Started with Spring Security 5.0 and OIDC (via Okta): https://developer.okta.com/blog/2017/12/18/spring-security-5-oidc
- Identity, Claims, & Tokens – An OpenID Connect Primer: https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1
- OpenID Recipe from Plaxo: http://www.plaxo.com/api/openid_recipe
- OpenID official site: http://openid.net/
- The Case for OpenID: http://blogs.zdnet.com/digitalID/?p=78 (ZDNet article contrasting OpenID with other identity systems by Johannes Ernst, then at NetMesh & David Recordon, then at VeriSign)
- OpenID -- The RESTful approach to Single Sign-On: http://www.opendarwin.org/~drernie/B2126242314/C395201355/E20061208151336/index.html (brief overview)
- OpenID for non-SuperUsers: http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers (by Sam Ruby)
- wikipedia:Identity 2.0
- wikipedia:Light-Weight Identity
- wikipedia:Information Card
- wikipedia:Windows CardSpace
- wikipedia:LDAP
- wikipedia:Liberty Alliance
- wikipedia:Shibboleth (Internet2)
- wikipedia:Athens access and identity management
- wikipedia:Extensible Name Service
- Photos From Facebook HQ - Free Love, Free Jerky & Freedom for User Data: http://www.readwriteweb.com/archives/photos_from_facebook_hq_free_love_free_jerky_freedom_for_user_data.php
- OpenID Europe: https://groups.google.com/forum/#!topic/openid/GtCjC_lZKfY (former Non-profit organization to help promote and deploy the OpenID framework in Europe, now joined with main OpenID foundation as separate chapter)
- OpenID Source (OIDS) — OpenID Source Initiative is a Community in the OID community to grow OpenID
- OpenID Enabled — resource for OpenID users and developers
- Directory of OpenID enabled Websites (Consumers)
- Spread OpenID - helping to spread OpenID to not so tech-savvy users
- step2 - combining OpenID and OAuth in one protocol: http://code.google.com/p/step2/
- Is Facebook Connect v. OpenID v. Google Friend Connect just Passport v. AOL Screename sign-on wars all over again or is there a bigger deal?: http://friendfeed.com/steverubel/f6771e54/is-facebook-connect-v-openid-google-friend
- OpenID Integration PHP: http://www.sajithmr.com/openid-integration-php/
- openid-selector -- A user-friendly way to select an OpenID: http://code.google.com/p/openid-selector/
- ID Selector: https://www.idselector.com/
- How to accept OpenID in a popup without leaving the page: http://www.sociallipstick.com/2009/02/how-to-accept-openid-in-a-popup-without-leaving-the-page/
- OpenID in JS (DEMO): http://openid-demo.appspot.com/
- Federated Login for Google Account Users: http://code.google.com/apis/accounts/docs/OpenID.html
- Does OpenID need to be hard?: http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/
- Google Abandons Standards, Forks OpenID: http://neosmart.net/blog/2008/google-doesnt-use-openid/
- The Evils of OpenID: http://secondthoughts.typepad.com/second_thoughts/2009/02/the-evils-of-openid.html
- Yahoo and Popup UI for OpenID: Aligning the Experience Across OPs: http://blog.janrain.com/2009/09/yahoo-and-popup-ui-for-openid-aligning.html
- Java OpenID Library - Configuration and Custom Messages: http://willnorris.com/2009/11/java-openid-library-configuration-and-custom-messages
- Java OpenID Library Design - Message Handling: http://willnorris.com/2009/11/java-openid-library-design-message-handling
- The OpenId Sequence Diagram: http://blogs.sun.com/bblfish/entry/the_openid_sequence_diagram
- OpenID demo application: http://www.projectzero.org/zero/lemans/latest/docs/zero.devguide.doc/zero.openid.demo/OpenIDDemoOverview.htm
- NTT docomo is now an OpenID Provider: http://openid.net/2010/03/09/ntt-docomo-is-now-an-openid-provider/
- Government of Japan started accepting OpenID: http://openid.net/2010/03/09/government-of-japan-started-accepting-openid/
- OpenID - The RESTful approach to Single Sign-On: http://www.opendarwin.org/~drernie/B2126242314/C395201355/E20061208151336/index.html
- OpenID for non-SuperUsers: http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers (by Sam Ruby)
- Janrain’s Take on 37signals Decision To Remove OpenID Login: http://www.janrain.com/blogs/janrains-take-37signals-decision-remove-openid-login
- OpenID - The Web’s Most Successful Failure: http://www.webmonkey.com/2011/01/openid-the-webs-most-successful-failure/
- Learning from our Mistakes - The Failure of OpenID, AtomPub and XML on the Web: http://www.25hoursaday.com/weblog/2011/01/30/LearningFromOurMistakesTheFailureOfOpenIDAtomPubAndXMLOnTheWeb.aspx
- OpenID, Successful Failures And New Federated Identity Options: http://blogs.forrester.com/eve_maler/11-02-03-openid_successful_failures_and_new_federated_identity_options
- Sketch of a FOAF SSL OpenID service: blogs.oracle.com/bblfish/entry/sketch_of_a_foaf_ssl
- Current Firefox 3 Requirements on the Mozilla Wiki
- OpenID bounty sponsors: http://iwantmyopenid.org/bounty/sponsors
- OSCON - The State of OpenID talk by Scott Kveton
- OpenID Foundation
- Application #78899244 on uspto.gov
- Application #77041930 on uspto.gov
- Notice of Abandonment for application #77041930 on uspto.gov
- Sun's OpenID Non-Assertion Patent Covenant
- VeriSign's OpenID Non-Assertion Patent Covenant
- OpenID still open to abuse: http://www.itweek.co.uk/2184695
- Beginner's guide to OpenID phishing: http://openid.marcoslot.net/
- Connect2id server: https://connect2id.com/products/server
- Java cookbook for OpenID Connect public clients (using "Nimbus OAuth 2.0 SDK + OpenID Connect extension"): https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/guides/java-cookbook-for-openid-connect-public-clients
- OpenID Connect - Java/Spring server: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
- Shibboleth extension for OpenID Connect (in Java): https://github.com/uchicago/shibboleth-oidc
- Openid4Java - OpenID 2.0 Java Libraries: https://github.com/jbufu/openid4java (leading legacy OpenID 2.0 SDK)
- Authenticate Java Spring Boot with OpenID Connect (OIDC) using Auth0: https://auth0.com/authenticate/java-spring-boot/oidc/
- OneLogin OpenId Connect Spring Boot Sample: https://github.com/onelogin/onelogin-oidc-java/tree/master/spring-boot-app
- Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings: https://medium.com/@darutk/full-scratch-implementor-of-oauth-and-openid-connect-talks-about-findings-55015f36d1c3
- phpMyID: https://github.com/sole/phpMyID (previously the leading PHP implementation of OpenID)
- OpenID-LDAP: https://github.com/adrianheine/openid-ldap
- Authorization header missing in django rest_framework, is apache to blame?: https://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame/13387616#13387616
- What is the new phpMyID?: https://stackoverflow.com/questions/4128991/what-is-the-new-phpmyid
- Installing Suhosin: https://suhosin.org/stories/install.html