3rd June 2007 @ 10:48 EDT
updated 3rd June 2007 @ 11:07 EDT

This post is in response to this comment on my blog (because I have no idea who that is :-). Here's my suggestion on how to get the most out of your OpenID.

  1. Get yourself an identity provider.
    I recommend using a pre-existing service rather than setting up your own. You can use AOL, Verisign (PIP), MyOpenID and a whole host of others.
  2. Edit your preferred blog or home page to configure it for delegation.
  3. When you sign into web apps, use your URL, not the URL from your provider.

I'm currently using AOL as my preferred identity provider; I also have accounts with Verisign and MyOpenID. If you already have an AIM account, you can use AOL as your identity provider without having to explicitly sign up for another service (which means that you don't need to remember yet another password).

So, assuming that you're using AOL, the next thing to do is edit your home page or blog template and add a couple of lines to the <head>:

   <link rel="openid.server"
      href="https://api.screenname.aol.com/auth/openidServer">
   <link rel="openid.delegate"
      href="http://openid.aol.com/wezfurlong">

If you're using Verisign PIP:

   <link rel="openid.server"
      href="https://pip.verisignlabs.com/server/" />
   <link rel="openid.delegate"
      href="http://wezfurlong.pip.verisignlabs.com/" />
   <meta http-equiv="X-XRDS-Location"
      content="http://pip.verisignlabs.com/user/wezfurlong/yadis" />
   <meta http-equiv="X-YADIS-Location"
      content="http://pip.verisignlabs.com/user/wezfurlong/yadis" />

And for MyOpenID:

   <link rel="openid.server"
      href="http://www.myopenid.com/server" />
   <link rel="openid.delegate"
      href="http://youraccount.myopenid.com/" />
   <meta http-equiv="X-XRDS-Location"
      content="http://www.myopenid.com/xrds?username=youraccount.myopenid.com" />

These fragments allow an OpenID consumer site (such as my blog) to discover your identity provider and your identity with that provider. They can then initiate authentication using those credentials but then retain your original URL as your identity. This is nice because your URL is more meaningful than the various identity endpoint URLs from the providers, and also nice because you can easily switch out to a different provider if it takes your fancy.

This delegation mechanism relies on the consumer being able to parse your web page to locate those elements. Sometimes you may not be able to control some of the content on your page, so it may not be successfully parsed. You can avoid that issue by explicitly sending X-XRDS-Location and X-YADIS-Location headers, either in your PHP script, or by some magic in your httpd.conf.

Another trick is to redirect to your yadis file if the client indicates that it is looking for it:

   RewriteCond %{HTTP_ACCEPT} application/xrds\+xml
   RewriteCond %{HTTP_ACCEPT} !application/xrds\+xml\s*;\s*q\s*=\s*0(\.0{1,3})?\s*(,|$)
   RewriteRule ^$ http://netevil.org/yadis.xrdf [R,L]

(I think I borrowed this from Sam Ruby, or maybe it was Simon Willison).

What's in the yadis file? You can read all about it on openidenabled.com. Here's mine:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
  xmlns:xrds="xri://$xrds"
  xmlns:openid="http://openid.net/xmlns/1.0"
  xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="5">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://api.screenname.aol.com/auth/openidServer</URI>
      <openid:Delegate>http://openid.aol.com/wezfurlong</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.1</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <URI>https://pip.verisignlabs.com/server</URI>
      <openid:Delegate>http://wezfurlong.pip.verisignlabs.com/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.0</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <URI>https://pip.verisignlabs.com/server</URI>
      <openid:Delegate>http://wezfurlong.pip.verisignlabs.com/</openid:Delegate>
    </Service>
  </XRD>
</xrds:XRDS>

This yadis file says that I prefer to use AOL (its priority value is lower than the others) and then VeriSign PIP, preferring OpenID version 1.1 over version 1.0.

If you're using only one provider, you can just use their yadis URI rather than setting up your own (that's what those http-equiv meta elements are doing in my examples above).
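To show what a consumer actually does with the two discovery mechanisms above, here is an added example (my own code, not from the post): one function reads the openid.server and openid.delegate links from a page, counting only links inside <head> so that a stray <link> in content you don't control is ignored, and the other picks a service from a yadis file by the lowest priority, preferring signon/1.1 over 1.0 on a tie. The sample HTML and XRDS are constructed inline from the fragments in the post; the injected.example link is made up.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD_NS, OPENID_NS = "xri://$xrd*($v*2.0)", "http://openid.net/xmlns/1.0"
SIGNON_RANK = {"http://openid.net/signon/1.1": 0, "http://openid.net/signon/1.0": 1}

# Constructed samples modelled on the post; the <body> link stands in for content the owner does not control.
SAMPLE_HTML = """<html><head><link rel="openid.server" href="https://api.screenname.aol.com/auth/openidServer">
<link rel="openid.delegate" href="http://openid.aol.com/wezfurlong"></head>
<body><link rel="openid.delegate" href="http://injected.example/"></body></html>"""
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0"
  xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service priority="5"><Type>http://openid.net/signon/1.1</Type><URI>https://api.screenname.aol.com/auth/openidServer</URI>
    <openid:Delegate>http://openid.aol.com/wezfurlong</openid:Delegate></Service>
  <Service priority="10"><Type>http://openid.net/signon/1.1</Type><URI>https://pip.verisignlabs.com/server</URI>
    <openid:Delegate>http://wezfurlong.pip.verisignlabs.com/</openid:Delegate></Service>
  <Service priority="20"><Type>http://openid.net/signon/1.0</Type><URI>https://pip.verisignlabs.com/server</URI>
    <openid:Delegate>http://wezfurlong.pip.verisignlabs.com/</openid:Delegate></Service>
</XRD></xrds:XRDS>"""

class HeadLinks(HTMLParser):
    # Keeps the first rel="openid.*" <link> of each kind, but only while inside <head>.
    def __init__(self):
        super().__init__()
        self.in_head, self.links = False, {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head and a.get("rel", "").startswith("openid."):
            self.links.setdefault(a["rel"], a.get("href"))
    def handle_endtag(self, tag):
        self.in_head = self.in_head and tag != "head"

def discover_html(html):
    """Return (server, delegate) the way a consumer reading the delegation tags would."""
    p = HeadLinks()
    p.feed(html)
    return p.links.get("openid.server"), p.links.get("openid.delegate")

def pick_service(xrds):
    """Lowest priority wins; on a tie prefer signon/1.1 over 1.0. Returns (uri, delegate, version)."""
    found = []
    for svc in ET.fromstring(xrds).iter(f"{{{XRD_NS}}}Service"):
        ranks = [SIGNON_RANK[t.text] for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text in SIGNON_RANK]
        if ranks:  # ignore services that offer no OpenID signon type at all
            found.append((int(svc.get("priority", 999)), min(ranks),
                          svc.findtext(f"{{{XRD_NS}}}URI"), svc.findtext(f"{{{OPENID_NS}}}Delegate")))
    if not found:
        return None
    prio, rank, uri, delegate = min(found, key=lambda f: f[:2])
    return uri, delegate, "1.1" if rank == 0 else "1.0"
```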

3rd June 2007 @ 19:09 EDT

Thanks for the tips Wez. I just authenticated using my new MyOpenID OpenID :)

3rd June 2007 @ 21:33 EDT

Thanks for the tutorial, Wez. That was really easy to setup. :)

3rd June 2007 @ 23:34 EDT

Let me third the thanks. Nice tutorial (-:

S

7th June 2007 @ 12:53 EDT

The apache redirection wouldn't work for me but inserting the meta and link tags did. Thanks much, I'd wanted to get this up and running for a while.

11th July 2007 @ 05:39 EDT

Cheers, Wez! Finally got OpenID going (my domain delegating to MyOpenID). Proved pretty straightforward based on your blog post, and also Sam Ruby's <a href="http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers">OpenID for non-SuperUsers</a>.

14th August 2007 @ 22:35 EDT

That was painless :)

30th September 2007 @ 20:03 EDT

Great set of instructions! I set up OpenID using Verisign (PIP), <a href="https://pip.verisignlabs.com/seatbelt.do">Verisign's Seatbelt OpenID Plugin</a>, and the <a href="http://eran.sandler.co.il/openid-delegate-wordpress-plugin/">OpenID Delegate Wordpress Plugin</a>. The only difficulty that I had was that I couldn't use Versign's XRDS link directly. I had to create my own XRDS file using PIP's as a template, add the openid:Delegate tags, and then link to that. Otherwise, it works perfectly. Thanks!

9th October 2007 @ 04:02 EDT

Thanks Wez! This post is to test, and all seems to be working. Cool!

14th October 2007 @ 07:34 EDT

This is a blatant plug for <a href="http://www.own-id.com/">Own Id</a>, it lets you delegate your own id.

by Tony Locke
8th November 2007 @ 09:18 EDT

<head> element is optional in HTML (and it's perfectly OK to omit it), but OpenID won't work unless it's explicitly added to the document!

11th December 2007 @ 13:37 EDT

Thank you Wez, very useful info.

9th January @ 11:05 EDT

I copied your code and replaced "wezfurlong" with my name.

24th January @ 12:39 EDT

Thanks for example. It works!

14th April @ 14:13 EDT

Thanks for the tutorial. This information let me eliminate yet one more plugin from my blog - freeing up a little more memory.

By the way, PIP OpenID delegation appears to work with just the openid.server and openid.delegate links. (I didn't link to XRDS or YADIS.)

Cheers!
