OpenID

It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each.

Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).

[1] As of March 2016, there are over 1 billion OpenID-enabled accounts on the Internet (see below) and approximately 1,100,934 sites have integrated OpenID consumer support:[6] AOL, Flickr, Google, Amazon.com, Canonical (provider name Ubuntu One), LiveJournal, Microsoft (provider name Microsoft account), Mixi, Myspace, Novell, OpenStreetMap, Orange, Sears, Sun, Telecom Italia, Universal Music Group, VeriSign, WordPress, Yahoo!, the BBC,[7] IBM,[8] PayPal,[9] and Steam,[10] although some of those organizations also have their own authentication management.

[13] One of the key benefits of OpenID is that it allows users to control their own identity information, rather than relying on individual websites to store and manage their login credentials.

OpenID has been widely adopted by a number of large websites and service providers, including Google, Yahoo!, and PayPal.

In contrast, a stateless or dumb relying party must make one more background request (check_authentication) to ensure that the data indeed came from the OpenID provider.

Identity providers offer the ability to register a URL (typically a third-level domain, e.g. username.example.com) that will automatically be configured with OpenID authentication service.

Once they have registered an OpenID, a user can also use an existing URL under their own control (such as a blog or home page) as an alias or "delegated identity".

When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document).

The OpenID Foundation was formed in June 2007 and serves as a public trust organization representing an open community of developers, vendors and users.

This includes managing intellectual property and trade marks as well as fostering viral growth and global participation in OpenID.

Member chapters are officially part of the Foundation and work within their own constituency to support the development and adoption of OpenID as a framework for user-centric identity on the internet.

For the second issue, the paper called it "Data Type Confusion Logic Flaw", which also allows attackers to sign in to victims' RP accounts.

[33] Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.

The problem with this redirect is the fact that anyone who can obtain this URL (e.g. by sniffing the wire) can replay it and get logged into the site as the victim user.
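The two relying-party checks described above, the stateful verification that avoids a check_authentication round trip and the nonce check that stops a captured return_to redirect from being replayed, as an added example that is not part of the original article. It follows the OpenID 2.0 signature and response_nonce rules; the association handle, MAC key, URLs and clock value are constructed for the demo.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed association state a stateful RP keeps: handle -> (assoc_type, mac_key).
ASSOCIATIONS = {"assoc-1": ("HMAC-SHA256", bytes(range(32)))}  # demo key only
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
SAMPLE_NOW = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed RP clock
_seen_nonces = set()  # (op_endpoint, response_nonce) pairs already accepted

def kv_form(params, signed):  # Key-Value Form Encoding of the signed fields, in openid.signed order
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()

def sign(params, assoc_type, mac_key):
    """What the OP computes: base64(HMAC(mac_key, kv_form of the signed fields))."""
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    mac = hmac.new(mac_key, kv_form(params, params["openid.signed"].split(",")), digest)
    return base64.b64encode(mac.digest()).decode()

def nonce_is_fresh(op_endpoint, nonce, now, max_age):
    """Reject a stale or already-seen response_nonce: the defence against replaying the redirect."""
    ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_age or (op_endpoint, nonce) in _seen_nonces:
        return False
    _seen_nonces.add((op_endpoint, nonce))
    return True

def verify_id_res(params, return_to, now, max_age=timedelta(minutes=5)):
    """Stateful RP check of a positive assertion received on the return_to redirect."""
    if params.get("openid.mode") != "id_res" or params.get("openid.return_to") != return_to:
        return False
    assoc = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if assoc is None:
        return False  # unknown handle: a stateless RP would now call check_authentication
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed) or any("openid." + k not in params for k in signed):
        return False  # the OP must sign at least the required fields, and all must be present
    if not hmac.compare_digest(sign(params, *assoc).encode(), params.get("openid.sig", "").encode()):
        return False
    return nonce_is_fresh(params["openid.op_endpoint"], params["openid.response_nonce"], now, max_age)

def make_sample_response(nonce="2016-03-01T12:00:03Zabc123"):
    # Constructed positive assertion, as the OP would send it to the RP through the browser
    p = {"openid.mode": "id_res", "openid.op_endpoint": "https://op.example/auth",
         "openid.return_to": "https://rp.example/cb", "openid.assoc_handle": "assoc-1",
         "openid.claimed_id": "https://alice.example/", "openid.identity": "https://alice.example/",
         "openid.response_nonce": nonce, "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    p["openid.sig"] = sign(p, *ASSOCIATIONS["assoc-1"])
    return p
```

The second call with the same response fails on the nonce even though the signature is still valid, which is exactly what a replayed redirect looks like to the RP.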

The OpenID Connect protocol mandates strict measures that preclude open redirectors to prevent this vulnerability.

Ori Eisen, founder, chairman and chief innovation officer at 41st Parameter told Sue Marquette Poremba, "In any distributed system, we are counting on the good nature of the participants to do the right thing.

[43] The original OpenID authentication protocol was developed in May 2005[44] by Brad Fitzpatrick, creator of popular community website LiveJournal, while working at Six Apart.

[50] After a discussion at the 2005 Internet Identity Workshop a few days later, XRI/i-names developers joined the Yadis project,[51] contributing their Extensible Resource Descriptor Sequence (XRDS) format for utilization in the protocol.

With this, as well as the addition of extensions and XRI support underway, OpenID was evolving into a full-fledged digital identity framework, with Recordon proclaiming "We see OpenID as being an umbrella for the framework that encompasses the layers for identifiers, discovery, authentication and a messaging services layer that sits atop and this entire thing has sort of been dubbed 'OpenID 2.0'.

Late in 2006, a ZDNet opinion piece made the case for OpenID to users, web site operators and entrepreneurs.

[68] Around early May, SourceForge, Inc. introduced OpenID provider and relying party support to leading open source software development website SourceForge.net.

[69] In late July, popular social network service MySpace announced support for OpenID as a provider.

[75] In September 2013, Janrain announced that MyOpenID.com would be shut down on February 1, 2014; a pie chart showed Facebook and Google dominate the social login space as of Q2 2013.

[78][79] In March 2018, Stack Overflow announced an end to OpenID support, citing insufficient usage to justify the cost.

Note that with OpenID, the process starts with the application asking the user for their identity (typically an OpenID URI), whereas in the case of OAuth, the application directly requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on the user's behalf.

If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.

OpenID provides a cryptographic verification mechanism that prevents the attack below against users who misuse OAuth for authentication.
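The cryptographic verification OpenID Connect adds on top of OAuth, as an added example that is not part of the original article: the RP validates the ID token's signature, issuer, audience, expiry and nonce before trusting the subject, so a token minted for some other client is rejected rather than accepted as proof of who the user is. The HS256 client secret, issuer URL and client_id are assumed values for the demo.

```python
import base64
import hashlib
import hmac
import json

CLIENT_SECRET = b"constructed-client-secret"  # constructed HS256 secret shared by OP and RP
ISSUER = "https://op.example"                  # assumed OP issuer URL
CLIENT_ID = "rp-client-1"                      # assumed client_id of this RP

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims, secret=CLIENT_SECRET):
    """Constructed OP side: HS256-signed JWT in header.payload.signature form."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token, expected_nonce, now, secret=CLIENT_SECRET):
    """RP-side ID token validation; returns the subject on success, None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the expected algorithm instead of trusting the header
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud:
        return None  # issued by someone else or for another client: not proof of login here
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None
    if claims.get("nonce") != expected_nonce:  # ties the token to this RP's login attempt
        return None
    return claims.get("sub")
```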

In technical terms, OpenID Connect specifies a RESTful HTTP API, using JSON as a data format.

OpenID Connect allows a range of parties, including web-based, mobile and JavaScript clients, to request and receive information about authenticated sessions and end users.

The OpenID logo