Up until now, I logged into my blog using the standard username/password. Since my blog is hosted as a vhost, setting up SSL (https) is a pain: you either need a dedicated IP:port per SSL vhost, or need to work with certificates that list multiple domains (Update 2009-04-18: SNI). Running SSL on a non-standard port works pretty well, but most firewalls don’t like that. Conclusion: the only widely available way to log into my blog is over plain http. Needless to say, I don’t like my password going in plaintext over the Internet.
After doing some research, I learned that OpenID is capable of doing just that (and much more). The concept behind OpenID is fairly simple. Note that I’m cutting corners here.
- A website wants to be able to identify who you are. The normal way to do this is to prompt the user for an identifier (name, nickname, email-address, handle, …) and a proof that he owns that identifier (usually a password).
- The user provides the website with his OpenID identifier (usually in the form of a website-address). Note that only an identifier is supplied, no proof yet.
- The original website (called the relying party in OpenID jargon) contacts the provided website (the OpenID identifier) and asks the site behind it (called the OpenID provider) to verify that the user actually owns this identifier.
- The OpenID provider verifies the user in whatever way it wants (username/password, SSL-certificate, retinal scan, …) and asserts to the relying party that the current user does (or does not) own the specified website.
- The original website accepts this assertion as a proof that the user owns the identifier.
The big difference is that the verification happens at another website than the login. This website can use SSL, even if the original website can’t. AOL’s developer network has a more detailed, but still simplified, explanation on OpenID. True geeks can just read the specs.
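To make the last two steps concrete, here is an added simulation (not code from this post or from the WordPress plugin) of how a relying party checks a provider's assertion in the OpenID 2.0 style: the provider signs its answer with an HMAC over the fields it asserts, and the relying party verifies the signature, the return address, the claimed identifier and a nonce before trusting it. It assumes a pre-established association (shared MAC key) and stubs out discovery and the provider's own user authentication.

```python
# Added example: simplified OpenID 2.0 positive assertion and its verification.
# Assumed: association already negotiated (shared MAC key), constructed URLs/handles.
import base64, hashlib, hmac, secrets, time

OP_ENDPOINT = "https://op.example/auth"       # assumed provider endpoint
RETURN_TO = "https://blog.example/openid-cb"  # assumed relying-party callback URL
ASSOC_HANDLE = "assoc-1"                      # constructed association handle
MAC_KEY = secrets.token_bytes(32)             # shared key from the (skipped) association
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]

def sign(params, mac_key=MAC_KEY):
    """OpenID 2.0 signature: HMAC over 'key:value\\n' per signed field, base64-encoded."""
    data = "".join(f"{k}:{params[k]}\n" for k in params["signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, data.encode(), hashlib.sha256).digest()).decode()

def provider_assert(claimed_id, return_to, assoc_handle, user_authenticated):
    """The provider verifies the user however it likes, then signs what it asserts."""
    if not user_authenticated:
        return {"mode": "cancel"}
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
    params = {"mode": "id_res", "op_endpoint": OP_ENDPOINT, "return_to": return_to,
              "response_nonce": nonce, "assoc_handle": assoc_handle,
              "claimed_id": claimed_id, "identity": claimed_id,
              "signed": ",".join(SIGNED_FIELDS)}
    params["sig"] = sign(params)
    return params

class RelyingParty:
    def __init__(self):
        self.seen_nonces = set()   # replay protection for response_nonce

    def verify(self, expected_claimed_id, resp):
        """Accept the assertion only if every field we rely on is signed and consistent."""
        if resp.get("mode") != "id_res":
            return False
        if not set(SIGNED_FIELDS) <= set(resp["signed"].split(",")):
            return False
        if resp["return_to"] != RETURN_TO or resp["assoc_handle"] != ASSOC_HANDLE:
            return False
        if resp["claimed_id"] != expected_claimed_id:
            return False
        if resp["response_nonce"] in self.seen_nonces:
            return False
        if not hmac.compare_digest(sign(resp), resp["sig"]):
            return False
        self.seen_nonces.add(resp["response_nonce"])
        return True
```

The password (or whatever the provider uses) only ever travels to the provider; the relying party sees nothing but a signed statement it can check.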
I currently use myOpenID (Update 2013-09-27: they stopped the service) as provider. They provide a detailed audit log, and allow fairly detailed settings. To test things out, I used the checkup tool at openidenabled.com. To actually make things work, I’m using the OpenID plugin for WordPress, together with its companion plugin XRDS-Simple.