Snipe.Net - Geeky Stuff

Use Your Own Domain for OpenID Logins

I’m a big fan of OpenID, and the concept of a unified login system, but the implementation of OpenID on many of the websites that use it is often miserable. This article can simplify your OpenID login experience.

NOTE: If you want to skip all my chatter and explanation and just get to the code, check out Jeff Atwood’s post on the StackOverflow blog. It’s much less verbose, but probably not ideal for people unfamiliar with OpenID.

What is OpenID?

OpenID is “a decentralized authentication protocol that makes it easy for people to sign up and access web accounts”. That means if you create an account on any website using OpenID (such as Google, Yahoo, Flickr, MySpace, AOL, WordPress.Com, LiveJournal, Get Satisfaction, and more recently Facebook, to name just a few), you can use that account to login to any website using OpenID. It attempts to simplify logging into websites by using one account, and therefore not having to create a new username and password set for every website on which you wish to create an account.

Many studies have shown that the average web user feels overwhelmed by the number of usernames and passwords they have to remember, which means they often end up using very simple passwords that are easy to remember, and often use the same password for multiple websites.

This is, of course, a big no-no. If one of the websites gets compromised and user login data is exposed, malicious parties now potentially have access to all of the websites for which the user has used the same password. So if my BigButtPorn.Com account gets hacked, and I use the same login for my bank, my banking login credentials are now compromised. Unifying a login makes user registrations easier, so people will arguably be more apt to use a strong password for that one OpenID account. (I should mention that I have no idea if BigButtPorn.Com exists, or if it uses OpenID. As such, the example above should not be considered an endorsement for BigButtPorn.Com, or any other kind of butt porn, for that matter.)

Incidentally, in this day and age, there is absolutely no reason for anyone to still be using the same password for ANY two websites. Thanks to applications like 1Password, hard-to-guess passwords are automatically generated and stored for easy access, and every popular web browser allows you to store passwords. Remembering passwords isn’t even something people should be concerned with.

How Does it Work?

If I have a Livejournal account where my journal address is snipeyhead.livejournal.com and I want to use my LiveJournal OpenID to login to a different website, I would enter snipeyhead.livejournal.com in the OpenID url field of the site:

(Alternatively, if the OpenID provider’s icon is listed, as LiveJournal’s is above, I could login without knowing my OpenID url. Most OpenID logins will give you the option of selecting which service you’d like to use, or manually entering your OpenID url.)

If this is the first time I’m using this OpenID account to login to this particular website, I’ll be taken to my OpenID provider’s website (in this example, Livejournal.Com) and I’ll be asked if I want to allow the website to use my OpenID account to authenticate. I will then confirm this, and be taken back to the original website I’m trying to login to.

Pretty simple, right? Unfortunately, this is often not as straightforward as it seems, not because of OpenID itself, but because of the way many websites implement their OpenID system.

Where it Gets Wonky

The way many websites implement OpenID can be utterly maddening, if you have more than one OpenID account – which you probably do.

I was recently on the UXExchange website and was nearly apoplectic with rage as I tried OpenID after OpenID account. I know I have an account there. I have had an account there since the day they launched. But I have NO idea which OpenID I created my account with.

After the 5th try, I gave up and realized I’d have to create a new account. This pissed me off for a few reasons, not the least of which being that in this particular community, prior community engagement (the number of questions you’ve posted and answered, etc) establishes your rank. By creating a new account, I’m effectively seen by the community as a newbie, and I’m enough of a nerd that stuff like that matters to me.

Ironically, UXExchange is a usability and information architecture community. I know that I can email them to consolidate my accounts, and I probably will, but this experience really helped underline how easy it is to screw up the user interface for OpenID.

In short, the problem becomes remembering which out of the collection of OpenIDs you have is the one you’ve used to initially create an account with a particular website.

Making it a Little Easier

To use OpenID without losing your mind, you have a few options. The easiest would be to decide that you will only ever use one specific OpenID to login to third-party websites, and leave it at that. The problem I have with that is that mainstream adoption of OpenID has happened over a very long period of time, so I may have started off with only LiveJournal as an OpenID account, but then gradually Google, Blogger, Myspace, etc added OpenID support, so I decided that I’d rather use one of the newer ones instead of my LiveJournal account. This is how things got fragmented and confusing for me, and I would assume other people as well.

Fortunately, there is a little-known feature of OpenID called delegation that can help save your sanity. If you have your own website with its own domain name, you can delegate your own domain name to act as your OpenID.

I decided to start from scratch. I don’t know if I’ll always have my LiveJournal account, I don’t know how much I trust Google anymore, I hate MySpace, I don’t use Blogger, and so on. I created an account at myopenid.com, a very simple OpenID provider that is easy to remember and offers persona management.

A 20-second registration later, I was set up with snipe.myopenid.com as my new OpenID identifier.

To enable my domain, snipe.net, to act as a delegate for MyOpenID.Com, I added the following to the header of Snipe.Net:

<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://snipe.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://snipe.myopenid.com/" />

Now, instead of trying to remember which OpenID provider I used, I use ‘snipe.net’ as my OpenID manual url, and it automatically knows to use my account at MyOpenID to authenticate. Since I’m the only one that has control over Snipe.Net, I’m the only one that can delegate Snipe.Net as snipe.myopenid.com.
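What a site does with those four tags when you type 'snipe.net', sketched as an added example (not code from the original post or from any OpenID library): it reads the delegation links from the page's head, and an audit step checks that the OpenID 1 and OpenID 2 pairs agree and flags endpoints served over plain HTTP, since whoever can alter that head or the fetch of it decides which provider vouches for the domain. The function names and the sample page are constructed for illustration, and only HTML-based discovery is covered.

```python
from html.parser import HTMLParser

# Constructed sample page: the article's four tags, plus a stray tag in <body>.
SAMPLE_HEAD = """<html><head><title>Snipe.Net</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://snipe.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://snipe.myopenid.com/" />
</head><body><link rel="openid2.provider" href="http://ignored.example/"></body></html>"""

WANTED = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}
PAIRS = [("openid.server", "openid2.provider"), ("openid.delegate", "openid2.local_id")]

class DelegationParser(HTMLParser):
    """Collects OpenID <link> tags, but only while inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may carry several space-separated values; first match wins
            for rel in (a.get("rel") or "").lower().split():
                if rel in WANTED and a.get("href"):
                    self.links.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html):
    """Return {rel: href} for the delegation tags found in the page head."""
    parser = DelegationParser()
    parser.feed(html)
    return parser.links

def audit(links):
    """List problems a domain owner would want to fix in their delegation tags."""
    findings = [f"missing: {rel}" for rel in sorted(WANTED - links.keys())]
    for v1, v2 in PAIRS:
        if v1 in links and v2 in links and links[v1] != links[v2]:
            findings.append(f"mismatch: {v1} vs {v2}")
    findings += [f"not https: {rel}" for rel in sorted(links)
                 if not links[rel].lower().startswith("https://")]
    return findings

if __name__ == "__main__":
    found = discover(SAMPLE_HEAD)
    print(found)
    print(audit(found))
```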

So that’s all there is to it. I have heard that delegating using Google and Yahoo is tricky, if not impossible, but I haven’t looked into it. I personally prefer to avoid letting either of those companies have too much of a reach over what I’m commenting on and where.


This entry was posted on Sunday, February 21st, 2010 at 10:04 pm and is filed under Featured, Tips & Tricks.
  • This worked perfectly for me. You don't even have to go through their domain setup process; just putting those four lines between the head tags of a web page does the trick.
  • I've had the same problem with OpenID... pissed me off so much that I more or less gave up on it. Perhaps I'll take a look at it again at some point. The Facebook or Google logins just seem easier to deal with anymore. I hate to give them too much trust, but I'm too old and tired to fight it.
  • Mel
    Thanks for this, got it all set up now! =D
  • georgerevutsky
    Great and useful article - thanks so much.
  • Matt
    ...and if the whole OpenID thing causes knowledgeable technicians problems, what does the average person in the street think? It's a right pain in the ass in terms of usability. The people who architect these solutions need to architect them for a lower common denominator instead of thinking like a developer.
    User centred design? What a radical idea ;)
  • Yeah - it's almost always executed poorly, not always for lack of trying. I know this was a concern for some of the OpenID guys, and they know it contributed to lower adoption rates for the service. If anyone has seen a really great implementation of it, I'd love to see it and showcase it as an example. RPX from JanRain doesn't do a bad job, but I don't think non-premium customers can customize the experience much. (I could be wrong there - it's been a while since I've tinkered.) At least they try to store a cookie so it prompts you to login with the same service you logged in with last time.
  • I tried using Google as my OpenID provider for a while. Frustratingly I had all kinds of issues. Been some time though so it might be better now. It has always annoyed me how some sites only accept one or two OpenIDs.
  • Yeah, seems like Google and Yahoo suck for that, according to all of the research I've done. Google can kind of suck it anyway.

    I think most OpenID-ready sites do support all OpenID providers, they just don't always give you the option of manually entering a url, which makes it impossible to use them. There are so many UX problems with the way sites implement OpenID, it's not even funny. Probably a big reason it's taken so long to gain any traction.