
rpxnow, openid and this blog

Posted on September 5th, 2009 by Richard Catto

One of web 2.0's great annoyances is the growing multitude of accounts one accrues whenever one signs up for yet another new online service / web site. In fact it is sheer madness.

What would be so much easier is to have one Internet account that logs you into every darn thing you use. This is an idea that first occurred to me nearly a decade ago, but only in recent years has that problem been addressed via OpenID and something called OAuth, which I will explain in layman’s terms in a second.

Each WordPress blog has a user database and a registration facility that can be turned on or off depending on the blog owner’s preferences. So if you are an avid follower of many blogs and you registered with them all (which has certain benefits, including the ability to edit your own comments) you could very swiftly amass a lot of new accounts which you would need to keep track of somehow. If you throw in all the other sites that you register accounts for it’s not inconceivable to have literally hundreds of accounts all over the web, some of which you have probably completely forgotten about. I am definitely in that category. I’ve signed up for so many services and sites over the years that I can’t even remember some of their domains, let alone what username / password combination and email address I used to sign up with.

However, in the ocean of accounts that I’ve accrued over the years, there are some that I use on a daily basis. One such account is my main google account at which I receive all my email. That is the one account I use on a daily basis. So if that one google account could be used to give me access to all those other web sites and services that ordinarily I’d have to register for, then that would solve the whole multiple account problem.

A few years ago, such a protocol was created and we know it as OpenID, and you can go get an OpenID account which will allow you to access a lot of sites, however, for most people, OpenID does not offer anything except a login. If you create an OpenID account with claimid.com, for instance, you just get an OpenID login and a profile page. Big deal. It’s not immediately obvious to many people how that helps them further in life, and I agree with them. It’s much more useful to register a yahoo account or a google account which offers you a whole range of services including an email address. Thing is, both google and yahoo have now converted those accounts you have with them into OpenIDs. Ditto for FaceBook, Twitter, myspace and a whole lot of other service providers.

Each one of those service providers offers a facility to a third party web site, such as this blog, which lets the provider verify the identity of the person logging in on the third party site’s behalf. The third party site can then give them access to a profile it creates for that associated google or yahoo or etc. account. Of course, it’s not quite as straightforward as that. Each third party site owner needs to install or write software which handles the OpenID protocol and all the individual nuances that each different service provider adds to their account offerings. Into this breach steps RPXNOW with a service that unifies these disparate third party implementations of OpenID into a single user configurable service that makes the process of accepting OpenID logins from all the popular services much easier. In the case of this WordPress blog, all I had to do was install the RPX WordPress plugin and do some easy configuration to get this blog accepting OpenID logins.

The above image is roughly what you will see if you click the link to login. I’ve customised my login screen to show the six third party account providers that I think most of my readers use on a daily basis. When you use OpenID to login to this blog via RPXNOW, you don’t transmit your account credentials (i.e. your password) to either RPXNOW or this blog. You only tell your provider what your password is so that it can log you in; it then tells RPXNOW that the login was successful, and because we trust them to give us the correct answer, we log you into this blog and allow you to modify your profile on this blog.

The important thing to remember is that your password is never given to anyone except the service provider that holds your account, which brings us back to the other topic of OAuth.
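To make the three-party login concrete, here is a small simulation written for this page; it is an added example, not code from the post, from RPX or from the WordPress plugin, and it does not reproduce the real OpenID 2.0 wire format. The class and site names (`IdentityProvider`, `blog.example`, the user `alice`) are constructed. The provider is the only party that ever receives the password; it hands back a signed assertion, and the relying party (the blog, or an RPX-like broker acting for it) checks the signature, the intended audience, a one-time nonce and the assertion's age before trusting it:

```python
"""Simplified model of a redirect-based OpenID-style login (illustrative only)."""
import hashlib
import hmac
import secrets
import time


class IdentityProvider:
    """Holds the user's credentials; the only party that ever sees a password."""

    def __init__(self, name, users):
        self.name = name
        # Constructed toy: store a plain hash. A real provider uses a slow, salted hash.
        self._users = {u: self._hash(p) for u, p in users.items()}
        self._assoc = {}  # per-relying-party shared secrets ("association" step)

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def associate(self, rp_name):
        """Establish a shared HMAC secret with a relying party or broker."""
        secret = secrets.token_bytes(32)
        self._assoc[rp_name] = secret
        return secret

    def login_and_assert(self, username, password, rp_name, nonce):
        """The user types the password HERE only; returns a signed assertion for rp_name."""
        if self._users.get(username) != self._hash(password):
            return None  # nothing is issued, so the blog never learns anything
        fields = {
            "identity": f"{self.name}/{username}",
            "audience": rp_name,
            "nonce": nonce,
            "issued": str(int(time.time())),
        }
        msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
        fields["sig"] = hmac.new(self._assoc[rp_name], msg, hashlib.sha256).hexdigest()
        return fields


def verify_assertion(fields, secret, expected_audience, seen_nonces, max_age=300):
    """Relying-party side: check signature, audience, replay and age; return (identity, status)."""
    sig = fields.get("sig")
    body = {k: v for k, v in fields.items() if k != "sig"}
    msg = "&".join(f"{k}={v}" for k, v in sorted(body.items())).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if sig is None or not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if body.get("audience") != expected_audience:
        return None, "assertion was meant for a different site"
    if body.get("nonce") in seen_nonces:
        return None, "replayed assertion"
    if time.time() - int(body.get("issued", "0")) > max_age:
        return None, "stale assertion"
    seen_nonces.add(body["nonce"])
    return body["identity"], "ok"


def demo():
    """Run the happy path plus the failure cases a relying party must reject."""
    idp = IdentityProvider("google", {"alice": "correct horse"})
    secret = idp.associate("blog.example")  # one-time setup between the parties
    seen = set()

    # The blog generates a nonce and redirects the user to the provider.
    nonce = secrets.token_hex(8)
    assertion = idp.login_and_assert("alice", "correct horse", "blog.example", nonce)
    results = {"first_login": verify_assertion(assertion, secret, "blog.example", seen)}

    # Presenting the very same assertion again is a replay and must fail.
    results["replay"] = verify_assertion(assertion, secret, "blog.example", seen)

    # Editing the identity field invalidates the provider's signature.
    tampered = dict(assertion, identity="google/bob")
    results["tampered"] = verify_assertion(tampered, secret, "blog.example", set())

    # A wrong password yields no assertion at all; the password itself never left the provider.
    results["wrong_password"] = idp.login_and_assert("alice", "nope", "blog.example", nonce)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The blog only ever handles the assertion, never the password, which is exactly why a plugin such as RPX's can log a reader in without the blog holding any credential worth stealing. The nonce set and the age check are what stop a captured assertion from being reused later.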

The alternative to OAuth is Basic Authentication, which is the familiar username / password combo. With Basic Authentication, all access to a service requires that you hand over your password, even to a third party app, if you wish to give that third party app the ability to modify things on your account. But that is a big security hole and requires you to trust someone other than yourself with your password. So this is a problem and most users refuse to hand over their password, which is the best practice. So the problem remains – how does one allow a third party app to access your twitter account, for example, without having to hand over your password to them? OAuth was designed to address this problem.

When a third party app uses OAuth to access your twitter account, for example, what happens is that you are sent over to twitter to sign in. Again the only party receiving your password is twitter. Once twitter has logged you in, it then presents to you the request from the third party app to allow it either read-only access or read-write access. The latter is more common because then you would be allowing the third party app to send a tweet to your twitter account. This all happens in a context of you wanting a third party app to have access to your twitter account so that information from that app is published on your twitter account. If you didn’t want to accomplish that, you wouldn’t grant access to the third party app. When you tell twitter to grant the third party app access, you again are not giving it your password; instead it is given a unique token which is only valid for that app and for your twitter account. So the effect is that it strictly limits the app to doing only what you want it to do. If you gave the app your password, as Basic Authentication does, you would be giving it unlimited power over your account – and not only it, but potentially anyone else that got hold of the password. The OAuth token is good only for that one app, and it is tied to a domain. The token does not expire, but can be revoked at any time, giving you complete granular control.
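The contrast between handing over a password and handing over a scoped token can be shown in a few dozen lines. The following is an added example written for this page, not code from the post or from Twitter's real API; the service, app and user names are constructed, and the app's identity is passed as a plain argument where real OAuth 1.0a would prove it with a consumer key and signature. It shows the properties the text describes: a password gives an app (and anyone who copies it) full power over the account, while a token is bound to one app, carries a read or read-write scope, and can be revoked without the user changing their password:

```python
"""Toy model of Basic Authentication versus an OAuth-style delegated token."""
import hashlib
import secrets


class MicroblogService:
    """Stand-in for a Twitter-like service that supports both auth styles (constructed)."""

    def __init__(self):
        self._passwords = {}  # username -> password hash (toy: unsalted sha256)
        self._tokens = {}     # token -> {"user", "app", "scope", "revoked"}
        self.timeline = {}    # username -> list of posts
        self.log = []         # audit trail a defender would monitor

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, username, password):
        self._passwords[username] = self._hash(password)
        self.timeline[username] = []

    # --- Basic Authentication path ---------------------------------------
    def basic_auth(self, username, password):
        """Whoever holds the password is indistinguishable from the account owner."""
        ok = self._passwords.get(username) == self._hash(password)
        self.log.append(("basic", username, "ok" if ok else "rejected"))
        return username if ok else None

    def change_password(self, username, password, new_password):
        """Reachable only with the real password, never with an app token."""
        if self.basic_auth(username, password) is None:
            return False
        self._passwords[username] = self._hash(new_password)
        return True

    # --- OAuth-style delegation path -------------------------------------
    def grant_token(self, username, password, app, scope):
        """The user signs in at the service itself and approves the app's request."""
        if self.basic_auth(username, password) is None:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"user": username, "app": app, "scope": scope, "revoked": False}
        return token

    def revoke(self, token):
        """The user withdraws one app's access; no password change needed."""
        if token in self._tokens:
            self._tokens[token]["revoked"] = True

    def _check_token(self, token, app, needed):
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"]:
            self.log.append(("token", app, "rejected: unknown or revoked"))
            return None
        if rec["app"] != app:
            self.log.append(("token", app, "rejected: token belongs to another app"))
            return None
        if needed == "write" and rec["scope"] != "read-write":
            self.log.append(("token", app, "rejected: read-only token"))
            return None
        self.log.append(("token", app, "ok"))
        return rec["user"]

    # --- API operations ----------------------------------------------------
    def read_timeline(self, token, app):
        user = self._check_token(token, app, "read")
        return None if user is None else list(self.timeline[user])

    def post_update(self, token, app, text):
        user = self._check_token(token, app, "write")
        if user is None:
            return False
        self.timeline[user].append(text)
        return True


def demo():
    """Exercise both paths and report each property as a boolean."""
    svc = MicroblogService()
    svc.register("alice", "hunter2")
    out = {}
    # Basic Auth: an app holding the password can even lock the owner out.
    out["basic_full_power"] = svc.change_password("alice", "hunter2", "owned-by-app")
    svc.change_password("alice", "owned-by-app", "hunter2")  # restore for the rest of the demo
    # OAuth-style: one read-only token and one read-write token, each for a single app.
    ro = svc.grant_token("alice", "hunter2", "feed-reader", "read")
    rw = svc.grant_token("alice", "hunter2", "auto-poster", "read-write")
    out["ro_can_read"] = svc.read_timeline(ro, "feed-reader") == []
    out["ro_cannot_post"] = svc.post_update(ro, "feed-reader", "hi") is False
    out["rw_can_post"] = svc.post_update(rw, "auto-poster", "posted via OAuth")
    out["token_bound_to_app"] = svc.read_timeline(rw, "feed-reader") is None
    svc.revoke(rw)  # the user pulls the plug on auto-poster only
    out["revoked_rejected"] = svc.post_update(rw, "auto-poster", "again") is False
    out["password_untouched"] = svc.basic_auth("alice", "hunter2") == "alice"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit log is worth a look after running it: every token decision records which app asked and why it was refused, which is the visibility a service operator loses entirely when every client simply presents the user's password.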

Some people prefer to look at pictures to understand something, I prefer words, but just so everyone is catered to, here is a pictorial guide on what I just explained in words.

The point of this discussion was to introduce my readers to OpenID and OAuth as two important new web technologies that you can expect to encounter more often now, and to help you to understand them and to know how they benefit your online experience. Do not be afraid or wary of them – they are useful tools! Feel free to test OpenID out on this blog by logging in with your favourite third party online account. You will discover how easy it will make registering and logging on to new services and sites.

If you have any further questions you need answering, post them below and I will endeavour to clarify further.

Filed under Internet

8 Responses to “rpxnow, openid and this blog”

  1. Brian Kissel Says:
    September 5th, 2009 at 19:30

    Thanks for the thorough and thoughtful summary of the benefits of OpenID, OAuth, and user centric identity management. This is one of those rare instances where website operators and end users can have both a more convenient and more secure experience by leveraging these enabling new technologies.

  2. Richard Catto Says:
    September 7th, 2009 at 07:55

    I’ve discovered a side benefit of installing rpxnow on this blog – no more spam comments, no more abusive anonymous commenters spewing their vitriol, because I’ve chosen the option that requires commenters to be logged in.

    It’s easy to login to this blog now – no need to register, just login with your favourite third party OpenID enabled account and a profile will be automatically created in the background without further effort for you, and you’ll be allowed to comment.

  3. Colin Dean Says:
    September 8th, 2009 at 21:20

    Excellent article. OpenID is a great unifier and I can’t wait until major players start supporting it. I have way too many logins to remember and am eager to reduce this!

  4. Richard Catto Says:
    September 8th, 2009 at 21:37

    @Colin: The Internet giants such as google and yahoo (and others) are supporting this via OpenID enabling their users’ accounts.

    What must happen now is that more third party web site owners must decide to support OpenID logins instead of requiring all new subscribers to register a fresh new account with them.

    If you enjoy using an existing account to access services, you can request webmasters of web sites you visit to start supporting OpenID.

    That’s one way to motivate acceptance. But I think as webmasters come to see the benefits, they’ll roll it out themselves to make their user experience richer.

  5. Michael Says:
    September 9th, 2009 at 01:45

    As a third party service provider, I was amazed at the functionality and ease of implementation RPX offers. We were able to implement this into our existing login routines in less than 6 hours, with most of that spent setting up Developer accounts with Myspace, facebook, and twitter.

  6. Russell Cohen Says:
    October 15th, 2009 at 09:03

    Please could you explain more about the setup time of 6 hours for RPX, “with most of that spent setting up Developer accounts with Myspace, facebook, and twitter”?

  7. Richard Catto Says:
    October 16th, 2009 at 02:23

    @Russell Cohen: The actual implementation of RPXnow with your site is beyond the scope of this article. More help can be found on rpxnow.com and its developer wiki and in its google group. RPXNOW is a service aimed at developers to allow them to process OpenID logins. For the owner of a self-hosted WordPress blog, like this one, implementing the RPXnow service is very straightforward – simply add their plugin to your blog.

  8. Vijay Balakrishnan Says:
    January 24th, 2010 at 09:25

    We have a requirement to log in from various social network sites like FaceBook, Twitter etc. We would like to connect all these userid’s to a single identity on the backend for our social application in the Cloud. We have been looking at Ping.identity as a vendor. I am trying to figure out how to map all these various social email id’s, for eg., to a single identity in the backend. Could OpenId be a solution for this use-case on the backend?
