Open Authentication in the Web 3.0: OpenID and OAuth

We are soon approaching the end of the semantic web with great user interaction and user-generated content, known as Web 2.0. The web, since its beginning in the 90's, has been envisaged to go through two major generations, which we call Web 1.0 and Web 2.0. While Web 1.0 was largely related to content generated by professional websites, Web 2.0 came with a lot of social media sites and social networks, in which anyone from anywhere could interact seamlessly.

Now, we are about to move into the third generation of the Web, Web 3.0, which will strengthen the foundation laid by Web 2.0, by providing smoother authentication and identity protocols. Two major technologies enabling this form the topic of today's post: OpenID and OAuth.

What Are OpenID and OAuth?

OpenID is a user identification standard that lets you sign on to various services with the same identity. It's just like a URL, with some special code enabled in its target page. With OpenID, when you sign up on a new service (one that has enabled OpenID login), you don't need to register upfront. Simply click on the OpenID login and provide your OpenID URL in the field.

You will be automatically redirected to your OpenID provider (see below) where you will sign in. Bingo! You have access to all features of the new service.

In simple terms, OpenID saves you time; you don't need to register with any OpenID-enabled service. Many web services have already adopted this type of authentication and many are about to.

OAuth, on the other hand, gives you secure API authorization. This means that you can authorize any web-based entity to access and use your data residing on any other platform. This is not an insecure process, because you decide what data the third party can access and what level of usage it has. It is like the valet key of your car, which you give to the parking lot attendant; this key doesn't allow the attendant to drive the car more than about a mile, and cannot be used to open anything else in the car.

Check out more information about OAuth.

How Do I Get OpenID?

OpenID is nothing but a URL, with a special authentication code attached at the target page. Surprisingly, you may already have your OpenID. For instance, users of Blogger, AOL, Flickr, LiveJournal, Technorati, WordPress, Yahoo, etc., already have their OpenID. Here they are:

  • Blogger: Your blog URL (blogname.blogspot.com)
  • WordPress: Your blog URL (blogname.wordpress.com)
  • Yahoo: Find details at openid.yahoo.com
  • Technorati: Technorati.com/people/Technorati/username
  • AOL: openid.aol.com/screenname
  • Flickr: flickr.com/photos/username

When you go to OpenID-enabled websites such as Wikitravel, Magnolia, etc., just click Log in and you will be directed to a login page, where you will find an option to log in with OpenID. Click it. Simply provide your OpenID URL (any of the above) and click Log in. You will be directed to whichever provider you use, where you log in. That's it; you will be automatically authenticated at Wikitravel.

Beware of Phishing

There are always ways to cheat users in OpenID authentication. This deception can happen at the time of redirecting to your OpenID provider. Let's assume you are using Blogger. When you provide your Blogger URL at the login page of any service, check that you are actually redirected to the legitimate Blogger login page itself. Check the address bar of the browser.

If it's some other page with a layout similar to Blogger, don't provide your Blogger ID and password. They are linked to all of your Google services like Gmail, Adsense, Adwords, and more. In this case, you would be divulging your information to an unknown provider, and thus compromising all your data. So, make sure you are redirected to the original provider page itself. This type of security threat is known as a phishing attack.

How to Enable OpenID on Your Private Website?

You can use your private website URL as your OpenID. Simply follow these steps [As provided by Sam Ruby at OpenID.net]

1. Go and sign up at MyOpenID to create your own OpenID (something similar to yourname.myopenid.com)
2. Place the following code into the header of your website (anywhere after <head> and before </head> tags).
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="Your OpenID at MyOpenID.com here" />

That's it. You can now use your own blog URL to log in anywhere. For more information about OpenID, please go to OpenID.net.
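The two delegation tags above decide which provider you are redirected to when you log in with your own URL, so they are worth checking after you paste them. The following Python sketch is an added example, not code from OpenID.net or the original post: it reads the openid.server and openid.delegate links from a page's <head> and warns when one is not HTTPS or points outside the provider you expect. The function names, the expected-host check and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; "yourname" is a placeholder identity.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://yourname.myopenid.com/" />
</head><body>
<link rel="openid.server" href="https://login.example.net/server" />
</body></html>"""


class DelegationParser(HTMLParser):
    """Collect openid.* <link> tags, honouring only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate") and a.get("href"):
                    self.found.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_delegation(html, expected_host):
    """Return (links, warnings) for the delegation tags found in html."""
    parser = DelegationParser()
    parser.feed(html)
    links, warnings = parser.found, []
    for rel in ("openid.server", "openid.delegate"):
        if rel not in links:
            warnings.append(f"{rel}: missing from <head>")
            continue
        url = urlsplit(links[rel])
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            warnings.append(f"{rel}: not https ({links[rel]})")
        if host != expected_host and not host.endswith("." + expected_host):
            warnings.append(f"{rel}: host {host} is outside {expected_host}")
    return links, warnings
```

Calling audit_delegation(SAMPLE_PAGE, "myopenid.com") ignores the stray tag in the body and reports both delegation links as plain HTTP.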

Conclusion

OpenID and OAuth are tomorrow's authentication and authorization protocols. Any web service that doesn't use them will simply be going out of business slowly and gradually.
