Simon Willison’s Weblog

How to turn your blog in to an OpenID

Wouldn’t it be great if you could use the same account to log in to multiple sites and applications, without having to trust them all with your password? Wouldn’t it be even better if you could do this without having to hand ownership of your online identity over to some monolithic third party? (I’m looking at you, .NET Passport Microsoft Passport Windows Live ID.)

The good news is, you can! OpenID is a decentralised authentication system invented by LiveJournal but now being developed as an open standard under the careful mentorship of the Apache Software Foundation. Anyone can create an OpenID, and the number of sites which let you log in with one is growing by the day.

An OpenID is simply a URL. My OpenID is simonwillison.net, the address of my weblog. I can use it to sign in to any site that supports OpenID, and because I’m the only person with control over my weblog’s homepage I’m the only person who can use that identity.

If you want your own OpenID (and you should), here’s how to get one.

1. Sign up with an OpenID provider

OpenID is decentralised, which means that anyone can set themselves up as an OpenID provider. You can run your own server if you want to (phpMyID is one way of doing that) but there are a number of free services that will host an ID for you. Those include:

  1. LiveJournal. They invented it, and if you have a LiveJournal account you already have an OpenID—it’s the URL of your journal. I’m swillison.livejournal.com.
  2. Vox—Six Apart’s sexy new social network thang. I’m simon.vox.com.
  3. VeriSign Labs, who have done some excellent work around OpenID and run a provider as part of their Personal Identity Provider service. I’m swillison.pip.verisignlabs.com.
  4. MyOpenID, run by JanRain, authors of the most widely used OpenID libraries. I’m swillison.myopenid.com.

If you already have an account with Vox or LiveJournal you can skip straight to step 2. If not, pick the provider that you trust the most and create an account there. This isn’t a permanent decision: you can move provider at any time without losing your account, provided you follow step 2.

2. Point your own site at your new OpenID

Here comes the magic. Having picked your provider and created an OpenID there, edit the HTML of your weblog’s homepage (or indeed whichever URL you want to use as your personal OpenID) and add the following to the document <head>:

<link rel="openid.server"
  href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate"
  href="http://swillison.livejournal.com/">

Replace the openid.delegate href with the OpenID at your provider, and the openid.server href with that provider’s OpenID server. You can find the server by viewing source on your OpenID page there, or by using this table:

OpenID ProviderServer URL
LiveJournal http://www.livejournal.com/openid/server.bml
Vox http://www.vox.com/services/openid/server
VeriSign https://pip.verisignlabs.com/server
MyOpenID http://www.myopenid.com/server

This delegation mechanism is key to OpenID’s status as a truly decentralised authentication system. If you decide you no longer trust your identity provider you can switch to another one by just editing a couple of lines of HTML—your OpenID will stay the same.

3. Log in to something!

Now that you have an OpenID, you can use it to log in to all sorts of sites. Find their OpenID login form and enter your new OpenID—that’s the URL of your weblog. You will be redirected to a page on your identity provider which will either ask you to log in or ask you to authorize the site to use your identity. Click “Yes” and you’ll be sent back to the original site and magically logged in—no password required.

I’ve been collecting a list of sites that allow you to log in using OpenID under the openidconsumer tag; sites you may have heard of include Ma.gnolia, Zooomr and Wikitravel.

OpenID on simonwillison.net

This whole entry is a round-about way of announcing the addition of OpenID support to my weblog engine. You can sign in here; once signed in you’ll be able to leave comments with a pretty OpenID logo (proving that they came from you) and track recent comments that you’ve posted on the Your Comments page. I’m working on adding other functionality for logged-in users such as the ability to edit your own comments or for trusted users to flag comment spam.

This kind of light-weight account mechanism is one of the things that makes OpenID so interesting. I doubt I could convince anyone to create a new account just to access a few features on my weblog, but if they already have an OpenID the overhead of logging in is small enough that I’m hopeful at least a few people will give it a go.

As always, report any bugs in the comments.

Update: I’ve created a screencast showing how to use OpenID.

This is How to turn your blog in to an OpenID by Simon Willison, posted on 19th December 2006.

Tagged , , , , ,

Next: Why JSON isn't just for JavaScript

Previous: Finally powered by Django