Buzzing about OpenID (thanks Mahendra)
20100618 at 14:45
Yesterday, Mahendra shared this item from Gina Trapani, about OpenID, and a conversation ensued.
How to Set Up OpenID on Your Own Domain - Smarterware
Rob Gordon - I don’t get this. I don’t even see a registration system on her domain - it is just a blog. I think there is much more to it than this.
Richard Walker - @Rob it’s quite simple, Google is still providing the OpenId machinery, but her identity URL is now her own site, not her Google profile URL. She is not an OpenId provider, hence doesn’t need to host the machinery.
Rob Gordon - Hi Richard - I’m sorry, I still don’t get it - what does she need an “identity url” for, if there is nothing to log in to? I would like to put OpenID on one of my sites, where there is a registration system and a secured login - for example www.caltrade.com/community - but I don’t see how two lines of code can accomplish that.
Mahendra Palsule - Rob, I think what the post describes is how to set up your own Open ID that you can use to login to other websites, where the identity url of your login will point to your own domain.
What you are looking for is a way to let visitors to your site use Open ID as an authentication mechanism.
Richard Walker - They wouldn’t. What you are talking about is the “hassle” of being a provider. For those who don’t want the “hassle” and responsibility of being a provider, this is one way to use another provider but have her “identity URL” be ginatrapani.org . In other words, she would still use “log in with Google” but no-one would know that, and hyperlinks would take you to her site, not her google profile.
All providers have to deal with security and maintenance and costs. Two lines of code certainly do NOT do that :)
You should clarify what you mean by “put OpenID on….” If you mean you want to support OpenID via other providers [log in with Google], that’s one thing. If you want the account profiles like caltrade.com/useraccount to be OpenID URLs themselves, you need to be a provider, I think.
This would be a great question for Stack Overflow, you know why? They ONLY support OpenID by other providers! See here: http://stackoverflow.com/users/login
Rob Gordon - Ok guys, I get it now. Thank you.
Mahendra Palsule - Thanks, Richard :)
Rob Gordon - Richard - you must have edited your post after I read it. I do want to add open ID to my sites - for example this one I am building: www.TradeMatch.us - but it will likely require that I buy a mod, and I don’t have much money now. You seem to know quite a bit about this - what do you do?
Mark Essel - There are open source options, Rob. You shouldn’t have to buy anything. Hit up a search on openid authentication in your favorite language.
[time passes…]
Richard Walker - @Rob Yes, I understand, not really, it depends. Thanks @Mark. You’re welcome, @Mahendra!
@Rob Highly recommended: http://www.twit.tv/twig47 This Week in Google from 2 days ago, Messina, Trapani & Laporte hash out OpenId OAuth in detail.
Rob Gordon - Thanks Richard - I will check this out. I really need to get this working as I think it is one of the reasons I am not getting traction on some of my sites. I’m using an open source php script and will also try to contact some of the developers to see if they have any proposed solutions.
Richard Walker - You’re welcome, Rob. The days of each service providing user names, accounts and logins are over I think. Which is great, because security guidelines insist we use $ecUr3 passwords and change them frequently. Do that for a few hundred services and tell me how much time you have left in the day.
You should log in to Stack Overflow because they let you have multiple OpenIDs and warn you when you’ve made a mistake. That’s the new problem… remembering which OpenID provider you used last.
Your model should probably be recast to CALTRADE/urlhash where urlhash is the authenticated ID of one of your users. You can map your old usernames CALTRADE/user to the new way on rollout (first login since change.)
In short: even though you don’t provide “account logins”, you can have authenticated users, and store user information. There’s no artificial user namespace, there isn’t a “land grab,” you don’t have to worry about user account ID security, and people don’t have to remember umpteen user names and passwords.
Here is my SO profile: http://stackoverflow.com/users/44509/reechard I think you understand now why this is appealing: anyone can ask/answer questions on SO, they just need to provide ID via Yahoo, Facebook, Twitter, Google, etc.
@Mahendra I’d like to capture this conversation onto my blog, even though it happened under your “share.” Thanks in advance?
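The delegation discussed in this conversation, as an added example that is not code from the conversation or from any site mentioned in it: a relying party reads the two `<link>` tags from the `<head>` of the user's own page, sends the user to the provider they name, and keys the account on the user's own URL. The sample page, the `alice.example` and `provider.example` URLs, and the SHA-256 account key (standing in for the "urlhash" idea) are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample page: a personal site delegating to an external provider.
SAMPLE_HTML = """<html><head><title>My blog</title>
<link rel="openid2.provider openid.server" href="https://provider.example/openid/endpoint">
<link rel="openid2.local_id openid.delegate" href="https://provider.example/profiles/alice">
</head><body><link rel="openid.server" href="https://other.example/"></body></html>"""

# OpenID 2.0 and 1.1 rel values for HTML-based discovery.
RELS = {"openid2.provider": "endpoint", "openid.server": "endpoint",
        "openid2.local_id": "local_id", "openid.delegate": "local_id"}

class _HeadLinks(HTMLParser):
    """Collects OpenID <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS and a.get("href"):
                    self.found.setdefault(RELS[rel], a["href"])  # first wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_url, html):
    """Return where to send the user, or None if the page is not an OpenID URL."""
    p = _HeadLinks()
    p.feed(html)
    if "endpoint" not in p.found:
        return None
    # The identity stays the user's own URL; the provider only vouches for local_id.
    return {"claimed_id": claimed_url, "endpoint": p.found["endpoint"],
            "local_id": p.found.get("local_id", claimed_url)}

def account_key(claimed_id):
    """Hypothetical account key derived from the claimed identifier."""
    return hashlib.sha256(claimed_id.encode("utf-8")).hexdigest()
```

Keying the account on `claimed_id` rather than `local_id` is what lets the site owner switch providers later without losing the account; the relying party still has to check that the provider's signed response names the `local_id` and endpoint it discovered.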