OpenID

PDD · 02-05-2007 4:40pm #1

Hi Folks,

Just out of curiosity I was wondering if boards.ie has any intention of implementing an OpenID sign-on system? And if not then why not?

Dave

aidan_walsh · 02-05-2007 4:41pm

Care to outline what the benefits would be?

seamus · 02-05-2007 4:49pm

Indeed. How would our 100,000 active users benefit from having an OpenID account?

PDD · 02-05-2007 4:54pm

Eh users not having to remember another username and password

Stark · 02-05-2007 4:57pm

I don't think there's a vBulletin plugin for OpenID yet, which would make it too much work.

I think it would be cool though.

seamus · 02-05-2007 5:05pm

It would be though. I've never seen another site using openID. So it would be just another username and password. At the moment. The biggest problem I see is users. Sites could very easily lure unsuspecting users into allowing the site have all of their details, or even worse, signing up with a dodgy openID provider.

I'm assuming from what I've read, the system works like this;

You sign up on Site A, let's imagine that it's boards.ie. Boards.ie issues you with an openID account, and thus a URI that identifies you on boards.ie. Lets say for example's sake, seamus.boards.ie.

Then I go to Amazon.com, and I want to sign up. They ask me for an openID, em, ID, and I give them seamus.boards.ie. So Amazon.com goes to boards.ie's openID server, says "Hi, I want to be your new friend!". boards.ie then prompts me for my openID password, asking me if I'm happy to send personal details to Amazon.com, and I give it. So now boards.ie and Amazon.com are paired, for my openID.

Then every time I return to Amazon.com, I give it my openID. Amazon.com redirects me to boards.ie, where I give my openID password, and then I get redirected to Amazon.com, logged in as me.

Yes?

aidan_walsh · 02-05-2007 5:09pm

seamus wrote:

Yes?

Nearly. It works as a kind of off-site "remember me", in that whenever you go back to the site and you enter your name to log in, Amazon will check with boards.ie. Boards checks to see if there is already a pairing, and if there is will supply Amazon the nod silently.

It will continue to be this case until the user specifically breaks the pairing.

EDIT: Just changed a little there, as my first draft seemed to indicate that the OpenID server contained information about the user. It doesn't. All the OpenID server sends back is essentially "this *is* the droid you have been looking for". Its still down to the individual website to retain all other information about the user, in Amazon's case postal details and credit card information. OpenID is about identity, not information - a common misconception surrounding the idea.

PDD · 02-05-2007 5:12pm

My bad..... I thought there was a plugin for vBulletin :-|

Google and Yahoo are already on the road to implementing it so I guess its just a matter of time.

BuffyBot · 02-05-2007 5:19pm

Perhaps in the future, but I don't think there is much need for it outside the non-techy community that populate boards.ie

seamus · 02-05-2007 5:28pm

aidan_walsh wrote:

Nearly. It works as a kind of off-site "remember me", in that whenever you go back to the site and you enter your name to log in, Amazon will check with boards.ie. Boards checks to see if there is already a pairing, and if there is will supply Amazon the nod silently.

I'm definitely missing something then.

Is there a client-side component?

Whats to stop someone going to Amazon, supplying my openID, and having full access to my Amazon account after the pairing? As far as I can see, there's no ongoing attempt by Amazon to verify that I am who I say I am, only that my server is who I say it is.

Does the user first have to sign in on the openID server, from the client that they're using?

aidan_walsh · 02-05-2007 5:36pm

seamus wrote:

I'm definitely missing something then.

Is there a client-side component?

Whats to stop someone going to Amazon, supplying my openID, and having full access to my Amazon account after the pairing? As far as I can see, there's no ongoing attempt by Amazon to verify that I am who I say I am, only that my server is who I say it is.

Does the user first have to sign in on the openID server, from the client that they're using?

The security of the system is left entirely in the hands of the individual OpenID provider, who may choose to implement a client side component like a cookie or a third party ap to verify (as Microsoft did when they added OpenID support to Windows Cardspace), or just to take the users claim at face value.

In fact, security is seen as one of the areas (if not the area) in which OpenID providers are going to have to be seen to be the most competitive.

Boston · 02-05-2007 5:37pm

And the benefits Vs cost of Implimentation of this would be what?

RuggieBear · 02-05-2007 6:36pm

i'd just quite like search back.:)

6th · 02-05-2007 6:49pm

RuggieBear wrote:

i'd just quite like search back.:)

And the bit that says who's viewing the forum - even though I know its not accurate

aidan_walsh · 02-05-2007 6:52pm

6th wrote:

And the bit that says who's viewing the forum - even though I know its not accurate

I never saw the appeal in that...

RuggieBear · 02-05-2007 6:54pm

aidan_walsh wrote:

I never saw the appeal in that...

stalking...d'uh!!!:D

6th · 02-05-2007 7:04pm

Damn right, I never know where Aidan is and it makes me sad.

OpenID

Comments