OpenID - Wikipedia


OpenID

Open and decentralized authentication protocol standard

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each.[1] Users create accounts by selecting an OpenID identity provider,[1] and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.[2]

The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party").[3] An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).[4] The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).
The final version of OpenID is OpenID 2.0, finalized and published in December 2007.[5] The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique Uniform Resource Identifier (URI), and are managed by some "OpenID provider" that handles authentication.[1]

Adoption

As of March 2016, there are over 1 billion OpenID-enabled accounts on the Internet (see below) and approximately 1,100,934 sites have integrated OpenID consumer support:[6] AOL, Flickr, Google, Amazon.com, Canonical (provider name Ubuntu One), LiveJournal, Microsoft (provider name Microsoft account), Mixi, Myspace, Novell, OpenStreetMap, Orange, Sears, Sun, Telecom Italia, Universal Music Group, VeriSign, WordPress, Yahoo!, the BBC,[7] IBM,[8] PayPal,[9] and Steam,[10] although some of those organizations also have their own authentication management.

Many if not all of the larger organizations require users to provide authentication in the form of an existing email account or mobile phone number in order to sign up for an account (which then can be used as an OpenID identity). There are several smaller entities that accept sign-ups with no extra identity details required.
Facebook did use OpenID in the past, but moved to Facebook Connect.[11] Blogger also used OpenID, but since May 2018 no longer supports it.[12]

Technical overview

An end user is the entity that wants to assert a particular identity. A relying party (RP) is a website or application that wants to verify the end user's identifier. Other terms for this party include "service provider" or the now obsolete "consumer". An identity provider, or OpenID provider (OP), is a service that specializes in registering OpenID URLs or XRIs. OpenID enables an end user to communicate with a relying party. This communication is done through the exchange of an identifier or OpenID, which is the URL or XRI chosen by the end user to name the end user's identity. An identity provider provides the OpenID authentication (and possibly other identity services). The exchange is enabled by a user-agent, which is the program (such as a browser) used by the end user to communicate with the relying party and OpenID provider.

Logging in

The end user interacts with a relying party (such as a website) that provides an option to specify an OpenID for the purposes of authentication; an end user typically has previously registered an OpenID (e.g. alice.openid.example.org) with an OpenID provider (e.g. openid.example.org).[1]

The relying party typically transforms the OpenID into a canonical URL form (e.g. http://alice.openid.example.org/).

With OpenID 1.0, the relying party then requests the HTML resource identified by the URL and reads an HTML link tag to discover the OpenID provider's URL (e.g. http://openid.example.org/openid-auth.php). The relying party also discovers whether to use a delegated identity (see below).

With OpenID 2.0, the relying party discovers the OpenID provider URL by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml; this document may be available at the target URL and is always available for a target XRI.
There are two modes in which the relying party may communicate with the OpenID provider:

- checkid_immediate, in which the relying party requests that the OpenID provider not interact with the end user. All communication is relayed through the end user's user-agent without explicitly notifying the end user.
- checkid_setup, in which the end user communicates with the OpenID provider via the same user-agent used to access the relying party.

The checkid_immediate mode can fall back to the checkid_setup mode if the operation cannot be automated.

First, the relying party and the OpenID provider (optionally) establish a shared secret, referenced by an associate handle, which the relying party then stores. If using the checkid_setup mode, the relying party redirects the end user's user-agent to the OpenID provider so the end user can authenticate directly with the OpenID provider.

The method of authentication may vary, but typically, an OpenID provider prompts the end user for a password or some cryptographic token, and then asks whether the end user trusts the relying party to receive the necessary identity details.

If the end user declines the OpenID provider's request to trust the relying party, then the user-agent is redirected back to the relying party with a message indicating that authentication was rejected; the relying party in turn refuses to authenticate the end user.

If the end user accepts the OpenID provider's request to trust the relying party, then the user-agent is redirected back to the relying party along with the end user's credentials. That relying party must then confirm that the credentials really came from the OpenID provider. If the relying party and OpenID provider had previously established a shared secret, then the relying party can validate the identity of the OpenID provider by comparing its copy of the shared secret against the one received along with the end user's credentials; such a relying party is called stateful because it stores the shared secret between sessions. In contrast, a stateless or dumb relying party must make one more background request (check_authentication) to ensure that the data indeed came from the OpenID provider.
After the OpenID has been verified, authentication is considered successful and the end user is considered logged into the relying party under the identity specified by the given OpenID (e.g. alice.openid.example.org). The relying party typically then stores the end user's OpenID along with the end user's other session information.

Identifiers

To obtain an OpenID-enabled URL that can be used to log into OpenID-enabled websites, a user registers an OpenID identifier with an identity provider. Identity providers offer the ability to register a URL (typically a third-level domain, e.g. username.example.com) that will automatically be configured with OpenID authentication service.

Once they have registered an OpenID, a user can also use an existing URL under their own control (such as a blog or home page) as an alias or "delegated identity". They simply insert the appropriate OpenID tags in the HTML[13] or serve a Yadis document.[14]

Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs.

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms, i-names and i-numbers, that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way, both the user and the relying party are protected from the end user's OpenID identity ever being taken over by another party, as can happen with a URL based on a reassignable DNS name.
OpenID Foundation

The OpenID Foundation (OIDF) promotes and enhances the OpenID community and technologies. The OIDF is a non-profit international standards development organization of individual developers, government agencies and companies who wish to promote and protect OpenID. The OpenID Foundation was formed in June 2007 and serves as a public trust organization representing an open community of developers, vendors and users. OIDF assists the community by providing needed infrastructure and help in promoting and supporting adoption of OpenID. This includes managing intellectual property and trademarks as well as fostering viral growth and global participation in OpenID.

People

The OpenID Foundation's board of directors has six community board members and eight corporate board members:[15]

Community board members
- Chairman: Nat Sakimura (NAT Consulting LLC)
- Vice Chairman: Bjorn Hjelm (Verizon)
- Treasurer: John Bradley (Yubico)
- Secretary: Mike Jones (Microsoft)
- Community Representative: George Fletcher (Capital One)
- Corporate Representative: Ashish Jain (Arkose Labs)

Corporate board members
- Cisco – Nancy Cam-Winget
- Google – Filip Verley
- KDDI – Kosuke Koiwai
- NRI Secure – Takehisa Shibata
- Okta – Vittorio Bertocci
- Ping Identity – Wesley Dunnington
- Visa Inc. – Luis Da Silva
- Yahoo Ad Tech – Arvind Kumar Garg

Chapters

OIDF is a global organization that promotes digital identity and encourages the further adoption of OpenID; to that end, the OIDF has encouraged the creation of member chapters. Member chapters are officially part of the Foundation and work within their own constituency to support the development and adoption of OpenID as a framework for user-centric identity on the internet.

Intellectual property and contribution agreements

The OIDF ensures that OpenID specifications are freely implementable; therefore the OIDF requires all contributors to sign a contribution agreement. This agreement both grants a copyright license to the Foundation to publish the collective specifications and includes a patent non-assertion agreement. The non-assertion agreement states that the contributor will not sue someone for implementing OpenID specifications.
Legal issues

The OpenID trademark in the United States was assigned to the OpenID Foundation in March 2008.[16] It had been registered by NetMesh Inc. before the OpenID Foundation was operational.[17][18] In Europe, as of August 31, 2007, the OpenID trademark is registered to the OpenID Europe Foundation.[19]

The OpenID logo was designed by Randy "ydnar" Reddig, who in 2005 had expressed plans to transfer the rights to an OpenID organization.[20]

Since the original announcement of OpenID, the official site has stated:[21]

Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community.

Sun Microsystems, VeriSign and a number of smaller companies involved in OpenID have issued patent non-assertion covenants covering OpenID 1.1 specifications. The covenants state that the companies will not assert any of their patents against OpenID implementations and will revoke their promises from anyone who threatens, or asserts, patents against OpenID implementors.[22][23]

Security

Authentication bugs

In March 2012, a research paper[24] reported two generic security issues in OpenID. Both issues allow an attacker to sign into a victim's relying party accounts. For the first issue, OpenID and Google (an Identity Provider of OpenID) both published security advisories to address it.[25][26] Google's advisory says "An attacker could forge an OpenID request that doesn't ask for the user's email address, and then insert an unsigned email address into the IDPs response. If the attacker relays this response to a website that doesn't notice that this attribute is unsigned, the website may be tricked into logging the attacker into any local account." The research paper claims that many popular websites have been confirmed vulnerable, including Yahoo! Mail, smartsheet.com, Zoho, manymoon.com, diigo.com. The researchers have notified the affected parties, who have then fixed their vulnerable code.
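The following is an added example, not code from the article, the OpenID specification or any OpenID library. It shows the stateful relying-party checks described under "Logging in" (recomputing the HMAC over the Key-Value Form of the fields listed in openid.signed with the stored association MAC key), the unsigned Attribute Exchange attribute in Google's advisory above (an e-mail is only trusted if every field carrying it is under the signature), and the one-time response_nonce check that the replay discussion under "Authentication hijacking" below relies on. The MAC key, association handle, URLs and all messages are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
MAC_KEY = b"constructed-demo-mac-key-32-bytes!"     # constructed; a real one comes from the associate step
ASSOC_HANDLE = "demo-assoc-handle"                  # constructed
RETURN_TO = "https://rp.example.com/openid/return"  # constructed return_to URL of this RP
# Fields that must be under the signature of a positive assertion (claimed_id/identity when present).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")


class RejectedAssertion(Exception):
    pass


def key_value_form(params, signed):
    """Key-Value Form of the signed fields: one 'name:value' line per field, in openid.signed order."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed).encode()


def signature(params, mac_key):
    """Base64 HMAC-SHA256 over the Key-Value Form, as for an HMAC-SHA256 association."""
    mac = hmac.new(mac_key, key_value_form(params, params["openid.signed"].split(",")), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def op_sign(params, mac_key, signed):
    """What an honest OP does: list the covered fields in openid.signed and attach openid.sig."""
    out = {**params, "openid.signed": ",".join(signed)}
    out["openid.sig"] = signature(out, mac_key)
    return out


def ax_email(params, signed):
    """Return the Attribute Exchange e-mail only if every field carrying it is under the signature."""
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    for key, value in params.items():
        if alias and key.startswith(f"openid.{alias}.type.") and value == AX_EMAIL:
            attr = key.rsplit(".", 1)[1]
            needed = {f"ns.{alias}", f"{alias}.mode", f"{alias}.type.{attr}", f"{alias}.value.{attr}"}
            if not needed <= set(signed):  # Google's advisory case: unsigned e-mail appended by the relayer
                raise RejectedAssertion("AX e-mail attribute is not covered by openid.sig")
            return params[f"openid.{alias}.value.{attr}"]
    return None


def verify_assertion(query, mac_key, seen_nonces):
    """Stateful RP check: recompute openid.sig with the stored MAC key instead of calling check_authentication."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
        raise RejectedAssertion("not an OpenID 2.0 positive assertion")
    if p.get("openid.return_to") != RETURN_TO:
        raise RejectedAssertion("return_to does not match the URL this response arrived at")
    signed = p.get("openid.signed", "").split(",")
    if any(f"openid.{n}" not in p for n in signed):
        raise RejectedAssertion("openid.signed names a field that is absent")
    for field in REQUIRED_SIGNED:
        if field not in signed and (f"openid.{field}" in p or field not in ("claimed_id", "identity")):
            raise RejectedAssertion(f"required field {field} is missing or unsigned")
    if p["openid.assoc_handle"] != ASSOC_HANDLE:
        raise RejectedAssertion("unknown association handle")
    if not hmac.compare_digest(signature(p, mac_key).encode(), p.get("openid.sig", "").encode()):
        raise RejectedAssertion("bad signature")
    email = ax_email(p, signed)
    nonce = p["openid.response_nonce"]  # accepted once: a captured redirect URL presented again fails here
    if nonce in seen_nonces:
        raise RejectedAssertion("replayed response_nonce")
    seen_nonces.add(nonce)
    return {"identity": p.get("openid.identity"), "email": email}


BASE = {  # constructed positive assertion for alice, before signing
    "openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.assoc_handle": ASSOC_HANDLE,
    "openid.op_endpoint": "http://openid.example.org/openid-auth.php",
    "openid.claimed_id": "http://alice.openid.example.org/", "openid.identity": "http://alice.openid.example.org/",
    "openid.return_to": RETURN_TO, "openid.response_nonce": "2012-03-01T12:00:00Zabc123",
}
AX_FIELDS = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
             "openid.ax.type.email": AX_EMAIL, "openid.ax.value.email": "alice@example.org"}
CORE = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]


def run_cases():
    """Four constructed responses through the verifier; returns each case's result or rejection reason."""
    seen, outcomes = set(), {}

    def attempt(name, params):
        try:
            outcomes[name] = verify_assertion(urlencode(params), MAC_KEY, seen)
        except RejectedAssertion as err:
            outcomes[name] = str(err)

    honest = op_sign({**BASE, **AX_FIELDS}, MAC_KEY, CORE + ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"])
    attempt("signed_ax", honest)  # identity and e-mail both under the signature: accepted
    attempt("replay", honest)     # the same redirect URL presented a second time
    # The OP signs a response to a request that asked for no e-mail; the relayed copy gains unsigned AX fields.
    forged = op_sign({**BASE, "openid.response_nonce": "2012-03-01T12:00:05Zdef456"}, MAC_KEY, CORE)
    forged.update({**AX_FIELDS, "openid.ax.value.email": "victim@example.org"})
    attempt("unsigned_ax", forged)
    attempt("tampered_identity", {**honest, "openid.identity": "http://bob.openid.example.org/"})
    return outcomes
```

A real RP also bounds the timestamp at the front of response_nonce and keeps seen nonces at least that long, and a stateless RP replaces the local HMAC check with a check_authentication request to the OP.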
For the second issue, the paper called it "Data Type Confusion Logic Flaw", which also allows attackers to sign into victims' RP accounts. Google and PayPal were initially confirmed vulnerable. OpenID published a vulnerability report[27] on the flaw. The report says Google and PayPal have applied fixes, and suggests that other OpenID vendors check their implementations.

Phishing

Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.[28][29][30] For example, a malicious relying party may forward the end user to a bogus identity provider authentication page asking that end user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end user's account with the identity provider, and then use that end user's OpenID to log into other services.

In an attempt to combat possible phishing attacks, some OpenID providers mandate that the end user needs to be authenticated with them prior to an attempt to authenticate with the relying party.[31] This relies on the end user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used."[32]

Privacy and trust issues

Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.[33] However, this problem is not unique to OpenID and is simply the state of the Internet as commonly used.[citation needed]

The Identity Provider does, however, get a log of your OpenID logins; they know when you logged into what website, making cross-site tracking much easier. A compromised OpenID account is also likely to be a more serious breach of privacy than a compromised account on a single site.
Authentication hijacking in unsecured connection

Another important vulnerability is present in the last step in the authentication scheme when TLS/SSL are not used: the redirect-URL from the identity provider to the relying party. The problem with this redirect is the fact that anyone who can obtain this URL (e.g. by sniffing the wire) can replay it and get logged into the site as the victim user. Some of the identity providers use nonces (number used once) to allow a user to log into the site once and fail all the consecutive attempts. The nonce solution works if the user is the first one to use the URL. However, a fast attacker who is sniffing the wire can obtain the URL and immediately reset a user's TCP connection (as an attacker is sniffing the wire and knows the required TCP sequence numbers) and then execute the replay attack as described above. Thus nonces only protect against passive attackers, but cannot prevent active attackers from executing the replay attack.[34] Use of TLS/SSL in the authentication process can significantly reduce this risk.

This can be restated as:

IF (Both RP1 and RP2 have Bob as a client) AND                                // a common case
   (Bob uses the same IDP with both RP1 and RP2) AND                          // a common case
   (RP1 does not use VPN/SSL/TLS to secure their connection with the client)  // preventable!
THEN
   RP2 could obtain credentials sufficient to impersonate Bob with RP1
END-IF

Covert Redirect

On May 1, 2014, a bug dubbed "Covert Redirect related to OAuth 2.0 and OpenID" was disclosed.[35][36] It was discovered by mathematics doctoral student Wang Jing at the School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.[37][38][39]

The announcement of OpenID is:

"'Covert Redirect', publicized in May 2014, is an instance of attackers using open redirectors – a well-known threat, with well-known means of prevention. The OpenID Connect protocol mandates strict measures that preclude open redirectors to prevent this vulnerability."[40]

"The general consensus, so far, is that Covert Redirect is not as bad, but still a threat. Understanding what makes it dangerous requires a basic understanding of Open Redirect, and how it can be exploited."[41]

A patch was not immediately made available. Ori Eisen, founder, chairman and chief innovation officer at 41st Parameter, told Sue Marquette Poremba, "In any distributed system, we are counting of the good nature of the participants to do the right thing. In cases like OAuth and OpenID, the distribution is so vast that it is unreasonable to expect each and every website to patch up in the near future".[42]

History

The original OpenID authentication protocol was developed in May 2005[43] by Brad Fitzpatrick, creator of popular community website LiveJournal, while working at Six Apart.[44] Initially referred to as Yadis (an acronym for "Yet another distributed identity system"),[45] it was named OpenID after the openid.net domain name was given to Six Apart to use for the project.[46] OpenID support was soon implemented on LiveJournal and fellow LiveJournal engine community DeadJournal for blog post comments and quickly gained attention in the digital identity community.[47][48] Web developer JanRain was an early supporter of OpenID, providing OpenID software libraries and expanding its business around OpenID-based services.
In late June, discussions started between OpenID users and developers from enterprise software company NetMesh, leading to collaboration on interoperability between OpenID and NetMesh's similar Light-weight Identity (LID) protocol. The direct result of the collaboration was the Yadis discovery protocol, adopting the name originally used for OpenID. The new Yadis was announced on October 24, 2005.[49] After a discussion at the 2005 Internet Identity Workshop a few days later, XRI/i-names developers joined the Yadis project,[50] contributing their Extensible Resource Descriptor Sequence (XRDS) format for utilization in the protocol.[51]

In December, developers at Sxip Identity began discussions with the OpenID/Yadis community[52] after announcing a shift in the development of version 2.0 of its Simple Extensible Identity Protocol (SXIP) to URL-based identities like LID and OpenID.[53] In March 2006, JanRain developed a Simple Registration (SREG) extension for OpenID enabling primitive profile-exchange[54] and in April submitted a proposal to formalize extensions to OpenID. The same month, work had also begun on incorporating full XRI support into OpenID.[55] Around early May, key OpenID developer David Recordon left Six Apart, joining VeriSign to focus more on digital identity and guidance for the OpenID spec.[48][56] By early June, the major differences between the SXIP 2.0 and OpenID projects were resolved with the agreement to support multiple personas in OpenID by submission of an identity provider URL rather than a full identity URL. With this, as well as the addition of extensions and XRI support underway, OpenID was evolving into a full-fledged digital identity framework, with Recordon proclaiming "We see OpenID as being an umbrella for the framework that encompasses the layers for identifiers, discovery, authentication and a messaging services layer that sits atop and this entire thing has sort of been dubbed 'OpenID 2.0'."[57] In late July, Sxip began to merge its Digital Identity Exchange (DIX) protocol into OpenID, submitting initial drafts of the OpenID Attribute Exchange (AX) extension in August. Late in 2006, a ZDNet opinion piece made the case for OpenID to users, website operators and entrepreneurs.[58]
On January 31, 2007, Symantec announced support for OpenID in its Identity Initiative products and services.[59] A week later, on February 6, Microsoft made a joint announcement with JanRain, Sxip, and VeriSign to collaborate on interoperability between OpenID and Microsoft's Windows CardSpace digital identity platform, with particular focus on developing a phishing-resistant authentication solution for OpenID. As part of the collaboration, Microsoft pledged to support OpenID in its future identity server products and JanRain, Sxip, and VeriSign pledged to add support for Microsoft's Information Card profile to their future identity solutions.[60] In mid-February, AOL announced that an experimental OpenID provider service was functional for all AOL and AOL Instant Messenger (AIM) accounts.[61]

In May, Sun Microsystems began working with the OpenID community, announcing an OpenID program,[62] as well as entering a non-assertion covenant with the OpenID community, pledging not to assert any of its patents against implementations of OpenID.[22] In June, OpenID leadership formed the OpenID Foundation, an Oregon-based public benefit corporation for managing the OpenID brand and property.[63] The same month, an independent OpenID Europe Foundation was formed in Belgium[64] by Snorri Giorgetti. By early December, non-assertion agreements were collected by the major contributors to the protocol and the final OpenID Authentication 2.0 and OpenID Attribute Exchange 1.0 specifications were ratified on December 5.[65]
In mid-January 2008, Yahoo! announced initial OpenID 2.0 support, both as a provider and as a relying party, releasing the provider service by the end of the month.[66] In early February, Google, IBM, Microsoft, VeriSign and Yahoo! joined the OpenID Foundation as corporate board members.[67] Around early May, SourceForge, Inc. introduced OpenID provider and relying party support to leading open source software development website SourceForge.net.[68] In late July, popular social network service MySpace announced support for OpenID as a provider.[69] In late October, Google launched support as an OpenID provider and Microsoft announced that Windows Live ID would support OpenID.[70] In November, JanRain announced a free hosted service, RPX Basic, that allows websites to begin accepting OpenIDs for registration and login without having to install, integrate and configure the OpenID open source libraries.[71]

In January 2009, PayPal joined the OpenID Foundation as a corporate member, followed shortly by Facebook in February. The OpenID Foundation formed an executive committee and appointed Don Thibeau as executive director. In March, MySpace launched their previously announced OpenID provider service, enabling all MySpace users to use their MySpace URL as an OpenID. In May, Facebook launched their relying party functionality,[72][73] letting users use an automatic login-enabled OpenID account (e.g. Google) to log into Facebook.[74]

In September 2013, Janrain announced that MyOpenID.com would be shut down on February 1, 2014; a pie chart showed Facebook and Google dominate the social login space as of Q2 2013.[75] Facebook has since left OpenID; it is no longer a sponsor, represented on the board, or permitting OpenID logins.[15][76]

In May 2016, Symantec announced that they would be discontinuing their pip.verisignlabs.com OpenID personal identity portal service.[77][78]

In March 2018, Stack Overflow announced an end to OpenID support, citing insufficient usage to justify the cost. In the announcement, it was stated that based on activity, users strongly preferred Facebook, Google, and e-mail/password based account authentication.[79]

OpenID versus pseudo-authentication using OAuth
OpenID is a way to use a single set of user credentials to access multiple sites, while OAuth facilitates the authorization of one site to access and use information related to the user's account on another site. Although OAuth is not an authentication protocol, it can be used as part of one.

Authentication in the context of a user accessing an application tells an application who the current user is and whether or not they're present. [...] Authentication is all about the user and their presence with the application, and an internet-scale authentication protocol needs to be able to do this across network and security boundaries.

However, OAuth tells the application none of that. OAuth says absolutely nothing about the user, nor does it say how the user proved their presence or even if they're still there. As far as an OAuth client is concerned, it asked for a token, got a token, and eventually used that token to access some API. It doesn't know anything about who authorized the application or if there was even a user there at all. In fact, much of the point of OAuth is about giving this delegated access for use in situations where the user is not present on the connection between the client and the resource being accessed. This is great for client authorization, but it's really bad for authentication where the whole point is figuring out if the user is there or not (and who they are).[80]

The following drawing highlights the differences between using OpenID versus OAuth for authentication. Note that with OpenID, the process starts with the application asking the user for their identity (typically an OpenID URI), whereas in the case of OAuth, the application directly requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on the user's behalf. If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.

Attack against pseudo-authentication

OpenID provides a cryptographic verification mechanism that prevents the attack below against users who misuse OAuth for authentication.
Note that the valet key does not describe the user in any way; it only provides limited access rights to some house (which is not even necessarily the user's, they just had a key). Therefore, if the key becomes compromised (the user is malicious and managed to steal the key to someone else's house), then the user can impersonate the house owner to the application who requested their authenticity. If the key is compromised at any point in the chain of trust, a malicious user may intercept it and use it to impersonate user X for any application relying on OAuth2 for pseudo-authentication against the same OAuth authorization server. Conversely, the notarized letter contains the user's signature, which can be checked by the requesting application against the user, so this attack is not viable.[81]

Verifying the letter

The letter can use public-key cryptography to be authenticated.

- The requesting application provides its encryption public key to the user, which provides it to the authentication server.
- The authentication server encrypts a document containing an encryption key which corresponds to a one-way hash of a secret the user knows (e.g. passphrase) for challenge–response using the application's public key.
- The user passes the encrypted document back to the application, which decrypts it.
- The application encrypts a random phrase using the received encryption key, and asks that the user do the same, then compares the results; if they match, the user is authentic.

OpenID Connect (OIDC)

Published in February 2014 by the OpenID Foundation, OpenID Connect is the third generation of OpenID technology. It is an authentication layer on top of the OAuth 2.0 authorization framework.[82] It allows computing clients to verify the identity of an end user based on the authentication performed by an authorization server, as well as to obtain the basic profile information about the end user in an interoperable and REST-like manner. In technical terms, OpenID Connect specifies a RESTful HTTP API, using JSON as a data format.
OpenID Connect allows a range of parties, including web-based, mobile and JavaScript clients, to request and receive information about authenticated sessions and end users. The OpenID Connect specification is extensible, supporting optional features such as encryption of identity data, discovery of OpenID providers, and session management.

See also

- Authorization
- Athens access and identity management
- BrowserID
- Central Authentication Service
- IndieAuth
- Information Card
- Liberty Alliance
- Light-weight Identity
- SAML
- Shibboleth (Shibboleth Consortium)
- Single sign-on
- SQRL
- WebFinger
- WebID
- WS-Federation

References

1. Eldon, Eric (2009-04-14). "Single sign-on service OpenID getting more usage". venturebeat.com. Retrieved 2009-04-25.
2. "What is an OpenID?". Retrieved 19 June 2014.
3. "OpenID Authentication 2.0 specification – Final". Retrieved 2011-10-24.
4. "OpenID Attribute Exchange 1.0 – Final". Retrieved 2011-10-24.
5. "OpenID Authentication 2.0 - Final". 2007-12-05. Retrieved 2014-05-18.
6. "OpenID Usage Statistics".
7. bashburn, bill (2008-04-22). "BBC Joins OpenID Foundation".
8. "Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web". 2008-02-07.
9. "PayPal Access Uses OpenID 2.0". OpenID. Retrieved 19 June 2014.
10. "Steam Community :: Steam Web API Documentation". Retrieved 2012-02-10.
11. Perez, Juan Carlos. "Facebook, Google launch data portability programs to all". Network World, Inc. Retrieved 19 June 2014.
12. "It's spring cleaning time for Blogger". Blogger team. Retrieved 10 September 2019.
13. "OpenID Authentication 1.1#Delegation".
14. Paul Tarjan. "Easy OpenID Delegation with Yadis". Archived from the original on 2009-07-04. Retrieved 2009-06-30.
15. "Leadership". OpenID Foundation. Retrieved 19 June 2014.
16. "Trademark Assignment, Serial #: 78899244". United States Patent and Trademark Office. 2008-05-06. Retrieved 2008-05-19. Exec Dt: 03/27/2008.
17. "Latest Status Info". United States Patent and Trademark Office. 2006-03-27. Retrieved 2008-03-20.
18. "NetMesh: Company/Management". NetMesh. Archived from the original on 2007-08-30. Retrieved 2008-03-20.
19. "OpenID Europe Trademark & Logo Policy". OpenID Europe Foundation. Archived from the original on 2008-03-09. Retrieved 2008-03-20.
20. Reddig, Randy (2005-06-29). "OpenID Logo". Danga Interactive. Retrieved 2008-03-20.
21. Fitzpatrick, Brad. "Intellectual Property".
22. "Sun OpenID: Non-Assertion Covenant". Sun Microsystems. Retrieved 2008-03-20.
23. "VeriSign's OpenID Non-Assertion Patent Covenant". VeriSign. Archived from the original on 2008-04-15. Retrieved 2008-03-20.
24. Rui Wang; Shuo Chen & XiaoFeng Wang. "Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services".
25. "Attribute Exchange Security Alert".
26. "Security advisory to websites using OpenID Attribute Exchange".
27. "Vulnerability report: Data confusion".
28. Crowley, Paul (2005-06-01). "Phishing attacks on OpenID". Danga Interactive. Retrieved 2008-03-20.
29. Anderson, Tim (2007-03-05). "OpenID still open to abuse". IT Week. Retrieved 2007-03-13.
30. Slot, Marco. "Beginner's guide to OpenID phishing". Retrieved 2007-07-31.
31. "Verisign PIP FAQ". Archived from the original on 2008-11-13. Retrieved 2008-11-13.
32. Jones, Mike. "PAPE Approved as an OpenID Specification". OpenID Foundation.
33. Stefan Brands (2007-08-22). "The problem(s) with OpenID". Archived from the original on 2011-05-16. Retrieved 2010-12-12. (Originally published on The Identity Corner at www.idcorner.org/?p=161.)
34. Tsyrklevich, Eugene. "Single Sign-On for the Internet: A Security Story" (PDF). Blackhat USA. Retrieved 2012-04-19.
35. "Serious security flaw in OAuth, OpenID discovered". CNET. 2 May 2014. Retrieved 10 November 2014.
36. "Covert Redirect". Tetraph. 1 May 2014. Retrieved 10 November 2014.
37. "Facebook, Google Users Threatened by New Security Flaw". Yahoo. 2 May 2014. Retrieved 10 November 2014.
38. "Nasty Covert Redirect Vulnerability found in OAuth and OpenID". The Hacker News. 3 May 2014. Retrieved 10 November 2014.
39. "Math student detects OAuth, OpenID security vulnerability". Tech Xplore. 3 May 2014. Retrieved 10 November 2014.
40. "Covert Redirect". OpenID. 15 May 2014. Retrieved 10 November 2014.
41. "'Covert Redirect' vulnerability impacts OAuth 2.0, OpenID". SC Magazine. 2 May 2014. Retrieved 10 November 2014.
42. "Lessons to be Learned from Covert Redirect". 41st Parameter. 5 May 2014. Retrieved 10 November 2014.
43. Fitzpatrick, Brad (2005-05-16). "Distributed Identity: Yadis". LiveJournal. Archived from the original on 2006-05-04. Retrieved 2008-03-20.
44. Waters, John K (2007-12-01). "OpenID Updates Identity Spec". Redmond Developer News. Archived from the original on 2008-02-08. Retrieved 2008-03-20.
45. "Glossary". LiveJournal Server: Technical Info. Retrieved 13 October 2009.
46. Lehn, David I. (18 May 2005). "18 May 2005". Advogato blog for dlehn. Advogato. Archived from the original on 21 December 2010. Retrieved 13 October 2009. "They were looking for a name and managed to email me about openid.net right before I was going to offer it to them. So I gave it to them for the new and improved OpenID project."
47. "OpenID: an actually distributed identity system". 2005-09-24. Archived from the original on 2005-09-24. Retrieved 2008-03-20.
48. Fitzpatrick, Brad (2006-05-30). "brad's life – OpenID and SixApart". LiveJournal. Archived from the original on 2007-04-25. Retrieved 2008-03-20.
49. Recordon, David (2005-12-24). "Announcing YADIS...again". Danga Interactive. Retrieved 2008-03-20.
50. Reed, Drummond (2005-12-31). "Implementing YADIS with no new software". Danga Interactive. Retrieved 2008-03-20.
51. Reed, Drummond (2008-11-30). "XRD Begins". Equals Drummond. Retrieved 5 January 2009.
52. Hardt, Dick (2005-12-18). "Sxip concerns with YADIS". Danga Interactive. Retrieved 2008-03-20.
53. Hardt, Dick (2005-12-10). "SXIP 2.0 Teaser". Identity 2.0. Archived from the original on 2007-08-14. Retrieved 2008-03-20.
54. Hoyt, Josh (2006-03-15). "OpenID + Simple Registration Information Exchange". Danga Interactive. Retrieved 2008-03-20.
55. Grey, Victor (2006-04-02). "Proposal for an XRI (i-name) profile for OpenID". Danga Interactive. Retrieved 2008-03-20.
56. Recordon, David (2006-04-29). "Movin' On...". LiveJournal. Archived from the original on 2006-10-20. Retrieved 2008-03-20.
57. Recordon, David (2006-06-16). "Moving OpenID Forward". Danga Interactive. Retrieved 2008-05-19.
58. Johannes Ernst and David Recordon; editor: Phil Becker (2006-12-04). "The case for OpenID". ZDNet. Retrieved 2010-12-12.
59. "Symantec Unveils Security 2.0 Identity Initiative at DEMO 07 Conference". Symantec. 2007-01-31. Retrieved 2008-03-20.
60. Graves, Michael (2007-02-06). "VeriSign, Microsoft & Partners to Work together on OpenID + Cardspace". VeriSign. Archived from the original on 2008-05-03. Retrieved 2008-03-20.
61. Panzer, John (2007-02-16). "AOL and 63 Million OpenIDs". AOL Developer Network. Archived from the original on 2008-05-11. Retrieved 2008-03-20.
62. "Sun Microsystems Announces OpenID Program". PR Newswire. 2007-05-07. Retrieved 2008-03-20.
63. OpenID Board of Directors (2007-06-01). "OpenID Foundation". Retrieved 2008-03-20.
64. OpenID Europe Foundation.
65. "OpenID 2.0...Final(ly)!". OpenID Foundation. 2007-12-05. Retrieved 2008-03-20.
66. "Yahoo! Announces Support for OpenID; Users Able to Access Multiple Internet Sites with Their Yahoo! ID". Yahoo!. 2008-01-17. Archived from the original on 2008-03-04. Retrieved 2008-03-20.
67. "Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web". OpenID Foundation. Marketwire. 2008-02-07. Retrieved 2008-03-20.
68. "SourceForge Implements OpenID Technology" (Press release). SourceForge, Inc. May 7, 2008. Archived from the original on May 13, 2008. Retrieved 2008-05-21.
69. "MySpace Announces Support for "OpenID" and Introduces New Data Availability Implementations". Business Wire. MySpace. 2008-07-22. p. 2. Retrieved 2008-07-23.
70. "Microsoft and Google announce OpenID support". OpenID Foundation. 2008-10-30.
71. "JanRain Releases Free Version of Industry Leading OpenID Solution" (Press release). JanRain, Inc. November 14, 2008. Archived from the original on December 18, 2008. Retrieved 2008-11-14.
72. "Facebook Developers | Facebook Developers News". Developers.facebook.com. 2009-05-18. Archived from the original on 2009-12-23. Retrieved 2009-07-28.
73. "Facebook now accepts Google account logins". Pocket-lint.com. 2009-05-19. Retrieved 2009-07-28.
74. "OpenID Requirements – Facebook Developer Wiki". Wiki.developers.facebook.com. 2009-06-26. Archived from the original on 2009-12-23. Retrieved 2009-07-28.
External links

Official website
OpenID at Curlie

Retrieved from "https://en.wikipedia.org/w/index.php?title=OpenID&oldid=1091999073"