OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.
OpenID is decentralized. No central authority must approve or register Relying Parties or OpenID Providers. An end user can freely choose which OpenID Provider to use, and can preserve their Identifier if they switch OpenID Providers.
While nothing in the protocol requires JavaScript or modern browsers, the authentication scheme plays nicely with "AJAX"-style setups. This means an end user can prove their Identity to a Relying Party without having to leave their current Web page.
OpenID Authentication uses only standard HTTP(S) requests and responses, so it does not require any special capabilities of the User-Agent or other client software. OpenID is not tied to the use of cookies or any other specific mechanism of Relying Party or OpenID Provider session management. Extensions to User-Agents can simplify the end user interaction, though are not required to utilize the protocol.
The exchange of profile information, or the exchange of other information not covered in this specification, can be addressed through additional service types built on top of this protocol to create a framework. OpenID Authentication is designed to provide a base service to enable portable, user-centric digital identity in a free and decentralized manner.
(optional) The Relying Party and the OP establish an association (Establishing Associations) -- a shared secret established using Diffie-Hellman Key Exchange (Rescorla, E., “Diffie-Hellman Key Agreement Method,” .) [RFC2631]. The OP uses an association to sign subsequent messages and the Relying Party to verify those messages; this removes the need for subsequent direct requests to verify the signature after each authentication request/response.
-
The Relying Party verifies (Verifying Assertions) the information received from the OP including checking the Return URL, verifying the discovered information, checking the nonce, and verifying the signature by using either the shared key established during the association or by sending a direct request to the OP.
-
All direct requests are HTTP POSTs
-
5.1.2. Direct Response
The body of a response to a Direct Request (Direct Request) consists of an HTTP Response body in Key-Value Form (Key-Value Form Encoding). The content-type of the response SHOULD be "text/plain".
-
6.2. Signature Algorithms
OpenID Authentication supports two signature algorithms:
- HMAC-SHA1 - 160 bit key length ([RFC2104] (Krawczyk, H., Bellare, M., and R. Canetti, “HMAC: Keyed-Hashing for Message Authentication,” .) and [RFC3174] (Eastlake, D. and P. Jones, “US Secure Hash Algorithm 1 (SHA1),” .))
- HMAC-SHA256 - 256 bit key length ([RFC2104] (Krawczyk, H., Bellare, M., and R. Canetti, “HMAC: Keyed-Hashing for Message Authentication,” .) and [FIPS180-2])
-
7.3.2. XRDS-Based Discovery
-
7.3.3. HTML-Based Discovery
HTML-Based discovery MUST be supported by Relying Parties. HTML-Based discovery is only usable for discovery of Claimed Identifiers. OP Identifiers must be XRIs or URLs that support XRDS discovery.
To use HTML-Based discovery, an HTML document MUST be available at the URL of the Claimed Identifier. Within the HEAD element of the document
-
8. Establishing Associations
An association between the Relying Party and the OpenID Provider establishes a shared secret between them, which is used to verify subsequent protocol messages and reduce round trips.
-
9.3. Immediate Requests
When requesting authentication, the Relying Party MAY request that the OP not interact with the end user. In this case the OP MUST respond immediately with either an assertion that authentication is successful, or a response indicating that the request cannot be completed without further user interaction.
-
If no association handle is specified, the OP SHOULD use a private association for signing the response. The OP MUST store this association and MUST respond to later requests to check the signature of the response via Direct Verification (Verifying Directly with the OpenID Provider).
-
11.4.1. Verifying with an Association
The Relying Party follows the same procedure that the OP followed in generating the signature (Generating Signatures), and then compares the signature in the response to the signature it generated.
-
11.4.2. Verifying Directly with the OpenID Provider
To have the signature verification performed by the OP, the Relying Party sends a direct request (Direct Request) to the OP. To verify the signature, the OP uses a private association that was generated when it issued the positive assertion (Positive Assertions).
-
14. OpenID Authentication 1.1 Compatibility
This section describes how to interact with OpenID Authentication 1.1 Relying Parties and OPs. OpenID Authentication 2.0 implementations SHOULD support OpenID Authentication 1.1 compatibility, unless security considerations make it undesirable.
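The association-based signature check of 11.4.1 together with the nonce check from "Verifying Assertions", as an added Python example that is not part of the specification or of this page. It assumes a constructed 256-bit MAC key, a constructed positive assertion with placeholder endpoints, and a fixed "current time" matching that assertion.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed 256-bit MAC key; a real one comes from the DH association exchange.
MAC_KEY = bytes(range(32))
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

def kv_form(fields, keys):
    # Key-Value Form of the signed fields: 'key:value\n' per key, in openid.signed order.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)

def sign(fields, mac_key):
    # openid.sig = base64(HMAC-SHA256(mac_key, kv_form of the fields named in openid.signed)).
    keys = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, keys).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_with_association(fields, mac_key):
    # RP side: the fields that bind the assertion must be covered by the signature,
    # then recompute it with the shared key and compare in constant time.
    keys = fields["openid.signed"].split(",")
    if any(r not in keys for r in REQUIRED_SIGNED):
        return False
    return hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", ""))

def check_nonce(nonce, seen, now, max_skew=timedelta(minutes=5)):
    # Nonce starts with a UTC timestamp 'YYYY-MM-DDThh:mm:ssZ' followed by unique text;
    # reject stale timestamps and replays, and remember every accepted nonce.
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if abs(now - ts) > max_skew or nonce in seen:
        return False
    seen.add(nonce)
    return True

# Constructed positive assertion with placeholder endpoints, and a fixed clock for it.
NOW = datetime(2007, 12, 6, 10, 1, tzinfo=timezone.utc)
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://user.example/", "openid.identity": "https://user.example/",
    "openid.return_to": "https://rp.example/finish",
    "openid.response_nonce": "2007-12-06T10:00:00ZABC123", "openid.assoc_handle": "handle-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
SAMPLE["openid.sig"] = sign(SAMPLE, MAC_KEY)
```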
HMAC-SHA256 is RECOMMENDED.
All messages that are sent as HTTP requests (GET or POST) MUST contain the following fields:
- openid.ns
-
To initiate OpenID Authentication, the Relying Party SHOULD present the end user with a form that has a field for entering a User-Supplied Identifier.
The form field's "name" attribute SHOULD have the value "openid_identifier", so that User-Agents can automatically determine that this is an OpenID form.
-
7.3.2.2. Extracting Authentication Data
Once the Relying Party has obtained an XRDS document, it MUST first search the document (following the rules described in [XRI_Resolution_2.0] (Wachob, G., Reed, D., Chasen, L., Tan, W., and S. Churchill, “Extensible Resource Identifier (XRI) Resolution V2.0 - Committee Draft 02,” .)) for an OP Identifier Element. If none is found, the RP will search for a Claimed Identifier Element.
The URL's path is equal to or a sub-directory of the realm's path.