55 Comments
- unloud, on 10/12/2007, -2/+17 Digg.com, please support OpenID with a CAPTCHA in comments! It's a great protocol with growing backing in the community.
- unloud, on 10/12/2007, -3/+16 OpenID servers are decentralized. Anyone can set one up. It's like email, but the id is only usable to verify that you are the same person on both sites. The trust comes from which site your main id comes from and not from one centralized site. It's more of a pointer to a site saying "this is my main place on the internet" than an authentication system. It's much less scary to people than Microsoft's idea of owning the internet.
Oh yeah, did I mention that it's open source and easy to set up? . . . Two things that Microsoft's solution definitely isn't, and two things that site admins might digg a lot and make them want to set it up.
- jcims, on 10/12/2007, -1/+13 I'm not sure why bairy is getting dugg down. Folks that use enough of the Internet to get something out of federated authentication are going to have a gut feeling that relying on a proprietary Microsoft approach is risky. Plus, if you've ever tried to implement Passport, it's a bit weird and not terribly flexible.
- unloud, on 10/12/2007, -0/+11 Sorry, edit box beat me - List of sites that support OpenID:
https://www.myopenid.com/directory
- penneyisok, on 10/12/2007, -0/+8 This is a good concept. I had to create one to use claimid.com but that seems to be the only site that I have used that works with OpenID thus far. If more mainstream sites start using this it will be a good thing, but I doubt this will happen. Hopefully I'm wrong.
I have so many accounts now on so many different sites, it's not even funny.
- thinsoldier, on 10/12/2007, -2/+10 What if I sign up for a site at home and then I want to log in at work but don't have the same keepass info at work?
It's the same problem with desktop e-mail clients and browser bookmarks
WEB-mail and Social Bookmarking WEBsites solved this problem for me.
And now OpenID is solving it again. :)
Sure if I had a laptop that I carried with me everywhere I go I wouldn't have this problem. But I hate laptops :)
- SoundJudgment, on 10/12/2007, -7/+15 Didn't Microsoft already try this concept? With Passport?
- jamester, on 10/12/2007, -0/+8 Cheers for a quite good explanation. I also appreciated the instructions on turning any of your websites into OpenID's.
- alchemista, on 10/12/2007, -0/+6 Please explain how a spammer can spam your OpenID? An OpenID isn't your email address. This could reduce spam because all these little sites do not have your email address (most sites send you an email to verify your account registration).
- simonwillison, on 10/12/2007, -0/+5 That's exactly why I made the screencast. OpenID is a brilliant concept, but it just doesn't have enough sites supporting it yet - because there aren't enough people using it. It's a chicken and egg problem. I'm hoping that by making it really easy to understand how to create one and start using it more people will get accounts which will encourage more sites to start using it.
- pbeesley1989, on 10/12/2007, -6/+11 That actually looks pretty pretty long and tedious, not to mention the security risks made possible by putting all your eggs in one basket.
- robertDouglass, on 10/12/2007, -0/+5 There is work being done to bring OpenID to Drupal. This video helped me a lot. Thanks for posting.
- mskadu, on 10/12/2007, -0/+5 Frankly, I don't see the point. I've made one, but all I can use it with is Zoomr, Vox, etc - none of which I use.
- spectre_25gt, on 10/12/2007, -1/+6 @zippy
A closed blanket statement like that is not likely to get much support here, especially when you do squat to back it up.
- nacs, on 10/12/2007, -0/+4 Another problem with Passport is that for a non-Microsoft site to support Passport sign-ins, they have to fill out all sorts of paperwork and pay a significant licensing fee.
OpenID however is completely open, carries no licensing fees and there are even open-source libraries for most languages you can download to add openID support to your site without writing a bunch of code.
- inactive, on 10/12/2007, -0/+4 That was basically the thought I had. Until the sites I use jump to OpenID, namely Digg, why do it?
- jcims, on 10/12/2007, -0/+4 I think that's the point of the video, to try to get some adoption going. If someone would write an OpenID module for vBulletin the number of sites could go from 10 to 10,000 pretty quickly. Pick up any new hobby and start slumming forums for it, you'll quickly see why this is a great thing.
- rowanjl, on 10/12/2007, -0/+3 Most people have their eggs in the one basket anyway, at least OpenID allows you to change ALL of your passwords at once, so if someone does figure it out, you can change it, without having to worry about forgetting any websites...
- factoryjoe, on 10/12/2007, -0/+3 You might see OpenID show up on Digg sooner than you might think...
- alchemista, on 10/12/2007, -0/+3 This is great except it also puts the onus of security on the OpenID holder. While it's very convenient to create your own OpenID by just adding two links on your HTML page, that also means now that page needs to be very secure. If someone can easily edit your HTML, they can simply redirect your login and you're screwed. Same goes for the OpenID providers, if any of them slacks on security, you have now broken your identity on multiple sites. Also, these providers (at least Verisign) show you all past activity, so if someone can break into that provider, they can instantly see all the sites you are using with that OpenID, making exploitation even easier.
I think this is a great concept, but I'm surprised he doesn't mention the security issues that this creates. It's one thing to worry about whether the provider goes out of business, but it's another to recognize how easy it is to exploit. That's a benefit of a strong master who has very tight security controls in place.
(also, it seems like the Verisign provider doesn't work with the redirection trick, it keeps telling me I don't own the URL - even though it lets me login)
- alchemista, on 10/12/2007, -3/+5 So did a zillion other people, and MS Passport was doing the same thing years ago. Don't think too highly of your genius idea :)
- inactive, on 10/12/2007, -0/+2 I get it. It's single-signon, but not stored on your computer. So, I use my (or a hosted) domain name to not type in passwords, which Firefox does for me.
- Atomic1fire, on 10/12/2007, -1/+3 passport's just one provider of an identity though
openid goes on the idea that there can be more than one provider for the same type of identity
thus letting more than one service for the same type of site
imagine yahoo photos being accessible by google
or google docs and spreadsheets through livejournal
you're starting to see yahoo messenger allow contact with windows live
and it's the same concept with jabber or openid
jabber's more supported because of Google and its ability to use gateways though
- nacs, on 10/12/2007, -0/+2 One has a nice obvious name and the other one is gobbledygook?
(Seriously how do they expect the average consumer to remember/say that word let alone type that into a URL bar without making a typo?)
- alchemista, on 10/12/2007, -0/+1 Ok, I think I figured out the issue. In the delegate, you must put the full http protocol around your delegate name. However, when you sign in with OpenID (at least on the sites I tried), you do not need to put the http around the delegate name.
To be safe, you can just put http around everything, even when you sign in.
- kveton, on 10/12/2007, -0/+1 Getting support for open source projects was the main reason we launched the OpenID Code Bounty (http://iwantmyopenid.org/bounty).
There are already plugins/modules for MediaWiki, WordPress, Drupal, Joomla!, phpBB and many, many more. I agree, focusing on the open source applications (especially forums) is a great way to drive adoption. Just think if you could tie your in-game persona to an OpenID? Then playing SecondLife or Counterstrike you could go out and brag in every forum as you the player. Not just you-saying-you-are-the-player.
I talk more about the bounty status here:
http://kveton.com/blog/2006/10/07/openid-bounty-status/
Look for another update coming in January.
- Stonekeeper, on 10/12/2007, -1/+2 Anyone know the difference between openid and shibboleth? Thanks...
- alchemista, on 10/12/2007, -0/+1 The VOX provider isn't working with the delegate trick either....
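An added example, not part of any comment in this thread: a check for the delegation setup discussed above (the two link tags on your own page that point at your provider). It flags a server or delegate value that is not a full http(s) URL and any change from values you pinned earlier, which is how an edited page would show up. The `openid.server` and `openid.delegate` rel names are those of OpenID 1.x delegation; the hosts, pinned values and sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used by OpenID 1.x delegation (the "two links" on your own page)
DELEGATION_RELS = ("openid.server", "openid.delegate")

class _LinkCollector(HTMLParser):
    """Collect href values of <link> tags carrying a delegation rel."""
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        for rel in a.get("rel", "").lower().split():
            if rel in DELEGATION_RELS:
                self.found.setdefault(rel, []).append(a.get("href", "").strip())

def audit_delegation(html, pinned):
    """Return a list of problems; an empty list means the page matches the pin."""
    collector = _LinkCollector()
    collector.feed(html)
    problems = []
    for rel in DELEGATION_RELS:
        hrefs = collector.found.get(rel, [])
        if len(hrefs) != 1:
            problems.append(f"{rel}: expected exactly one tag, found {len(hrefs)}")
            continue
        href = hrefs[0]
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append(f"{rel}: not a full URL: {href!r}")
        elif href != pinned[rel]:
            problems.append(f"{rel}: changed to {href!r}")
    return problems

# Constructed sample pages; *.example hosts are placeholders, not real providers.
PINNED = {"openid.server": "https://provider.example/server",
          "openid.delegate": "https://me.provider.example/"}
GOOD = ('<html><head><link rel="openid.server" href="https://provider.example/server">'
        '<link rel="openid.delegate" href="https://me.provider.example/"></head></html>')
NO_SCHEME = GOOD.replace('href="https://me.provider.example/"', 'href="me.provider.example"')
TAMPERED = GOOD.replace("https://provider.example/server", "https://other.example/server")

if __name__ == "__main__":
    for name, page in (("good", GOOD), ("no scheme", NO_SCHEME), ("tampered", TAMPERED)):
        print(name, audit_delegation(page, PINNED))
```

Run on a schedule against a fetched copy of your own page, a non-empty result means the delegation tags no longer say what you last approved.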
- inmatarian, on 10/12/2007, -0/+1 It seems like a good idea. The only problem I can see with it is figuring out what providers to trust. I could theoretically set up my own OpenID server for malicious purposes, and with my own false identity, do all sorts of havoc on sites that support OpenID.
I foresee a near future where there's a central list of trusted OpenID servers.
- jcims, on 10/12/2007, -0/+1 @alchemista
thinsoldier's point is why openid exists...it's only moronic if you don't apply any thought or experience to it.
- geekitechture, on 10/12/2007, -0/+1 I think eludu is trying to say that people can use OpenID to spam the sites that support it. One login, access to a whole list of sites with comment sections that are easy to spam with ads for Viagra pills or hair-loss creme or whatever.
- neuroticus, on 10/12/2007, -0/+1 @alchemista
afaik, every website does not know your openid password, only the openid provider. When you are signed into your openid (cookie active in your browser) AND have granted trust to a third party website, only then can you use the third party website.
For instance, I have no qualms mentioning my openid (sorry for doing this again, I'm a huge fan of openid), which is gavinengel.com, and my main email, which is gavin@engel.com, and a third party site I've trusted, ma.gnolia.com (user gavinengel). Since you don't know my password, there is nothing you can do.
So again, ma.gnolia does NOT know my password, only my openid provider (Vox) does. If ma.gnolia gets hacked, my password would not be lost.
- Atomic1fire, on 10/12/2007, -0/+1 with openid
you're still using the same username and password on those multiple sites
it's just easier because it's like signing up for all of them at once and making the small adjustments you make when you sign up
basically they may ask you to make a username to replace profile.typekey.com/username with just username or something of your choice
(I'm just using typekey as an example since it's my preferred id and my first one in use and username isn't my username obviously)
- kveton, on 10/12/2007, -0/+1 Most of the open source projects that are adopting support for OpenID are simply hooking it to their existing account mechanisms. You essentially link a local account to an OpenID as Simon just mentioned above.
The key to OpenID and why it's so handy is that it eases the barrier to engagement for users on sites. So often you hit a site, see something interesting and then go to engage only to be presented with a registration screen. Most of the time, users don't engage. If they can quickly login, they can quickly engage. The more they use it, the less you have the "now what was my login name on this site" problem ... :-)
- Fitzavig, on 10/12/2007, -0/+1 @thinsoldier
Any website can sell your email address anyways. And as someone before me said, this openid may actually take away the need for email verification.
If you're worried about the site being hacked where you posted that one comment and never returned, the video clearly showed you can allow it to access your openid once only. So I don't think there's too much trouble with that.
This thing is still in its early phases though so don't worry too much about if it'll work quite right yet. That's the beauty of OSS, it usually evolves over time into a quality product given the right motivation (and this will have tons of it).
- Crossing, on 10/12/2007, -0/+1 This would be amazing if any of the sites I visit on a day to day basis supported it. :(
- simonwillison, on 10/12/2007, -0/+0 So ask them to! They won't do it unless they perceive demand for it.
- kveton, on 10/12/2007, -0/+0 This is one of the problems with the decentralized model. Although it's more compelling for people to adopt the technology because nobody owns it, it opens you up to the kinds of attacks you're talking about. The short answer is there is no answer for this right now. I foresee something like Akismet (http://www.akismet.com) for OpenID's coming in the near future. There is also http://botbouncer.com that we developed to help centrally "verify" users with a CAPTCHA. These are workable solutions but they are centralized and involve trusting the provider of those services.
- johnie1, on 10/12/2007, -2/+2 zoomr:
Uh-Oh, Zooomr Experienced an Error
It looks like something didn't quite go right. If you care to help out, please kindly report this incident to our Feedback Team.
Thank-You!
yeah, thank you
- simonwillison, on 10/12/2007, -0/+0 That's why OpenID is /not/ a replacement for putting people through an account signup process on your site. You can still put people through a captcha, and/or send them a verification e-mail (after asking for their e-mail address). Heck, you can even get people to create a proper username and password just for your site. Then you associate their OpenID with their new account so they never have to use that password again.
OpenID replaces username/password combinations, but doesn't necessarily replace accounts entirely. And that's just fine.
- mvannatter, on 10/11/2007, -0/+0 Thanks! Sweet, dugg it.
- GwynethLlewelyn, on 10/12/2007, -0/+0 Well, being a WordPress and Wiki user, I'm currently "back-fitting" all my installations with OpenID :) since both these tools allow for OpenID authentication...
- mattymcg, on 10/12/2007, -0/+0 I guess you didn't watch it to the part at which it suggests you can make your own domain an OpenID. It was just a suggestion for those people who aren't geeky enough to have their own domain, of whom, believe it or not, there are many.
- Randy, on 10/12/2007, -2/+1 Google Video version:
http://video.google.com/videoplay?docid=-7463164786703060643
- geekitechture, on 10/12/2007, -1/+0 SixApart has OpenID.
- robgrady, on 10/12/2007, -1/+0 Great screencast, it brings all the pieces together clearly.
- bairy, on 10/12/2007, -13/+12 Also, the problem with Microsoft Passport is, well, it's Microsoft.
The people most likely to need/use a single login/password are aware of Microsoft's shortcomings.