I have been browsing the web for 7-8 years, and every week I visit hundreds of websites, so I have created hundreds of accounts across the Internet!
- Every time I visit a new site, it says “Sign Up” | “Register” | “Create an account” (what? I'm not touching the keyboard… damn!)
- OK, I have registered myself, now what? It’s asking me to confirm the email!!! (~@#$&#~.. abuses)
- I confirm it and pheeew! Finally I'm authorized to comment or access the features…
- A few days later I visit the site again, but wait, it’s not accepting my username/password? (Where’s the forgot password link…)
I got irritated and started ignoring the sites that asked me to make a new username/password thing… It’s enough to remember my mail and Facebook passwords… I'm not a database!
Let me tell you the pain of the website owner/admin…
- If you are not identified as a unique user, how will they tell who’s doing what on the site…
- There are more bots on the Internet than actual humans (that’s why you need to type those captcha images and verify the email)
And yes, there was someone (OpenID and OAuth) listening and acting…
What’s OpenID anyway? In simple terms, you create an account once and the same account is used by various sites. If you are logged in, you are logged in to all the linked sites.
Websites these days are rapidly adopting OpenID/OAuth, and users should move to it too. If you are a registered Facebook, Gmail/Google or Yahoo user, you can link your account to the sites which have this feature.
Following the same approach, I am implementing an OpenID/OAuth login system in my upcoming work. Here is a sample application I made: work.dilliwal.com/openLogin

Can you throw some light on how password security is maintained in OpenID? For the different linked sites, do all of them have their own copy of the user credentials, or are they sent to some other authority? Suppose I’m logging in to Google with a Yahoo ID, then will Google send my details to the Yahoo server? Also, does a site need to have some explicit registration with W3C or some centralized authority to be part of OpenID, or can anyone make a site which is part of OpenID?
I would explain it in very simple language. We have 3 guys here:
[1] The OpenID provider (say Google)
[2] The end user who wishes to log in to the site (say intheb.com!)
[3] And the site (intheb.com here), which we call the “consumer”
So the story begins this way… the end user visits intheb.com, intheb.com shows various OpenID providers… the end user chooses his provider (say he chooses Google)… intheb.com does some handshaking with Google (handshaking in the sense of some kind of key exchange session set-up and Yadis discovery), it then redirects to Google… Google identifies you as its user and sends the response back to intheb.com…
What is the difference anyway? intheb.com doesn’t store any password; rather, it stores the OpenID of the user… when you log in with Google, Google, after authentication, sends the unique OpenID URL of the user to intheb.com… which intheb.com stores for user identification…
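
The exchange described in the reply above, as an added example that is not part of the original post or thread: the provider signs its response with the MAC key agreed during the handshake, and the consumer checks the signature, the return URL and the nonce before storing the identifier. It assumes OpenID 2.0 key-value signing with HMAC-SHA256 and an already completed discovery and association; the key, handle, URLs and function names are constructed for illustration.

```python
import base64, hashlib, hmac

# Constructed values: the MAC key stands for what consumer and provider
# agreed on during the "handshaking" (association) step.
ASSOC = {"handle": "assoc-1", "mac_key": b"constructed-shared-secret"}
RETURN_TO = "https://intheb.com/openid/return"
REQUIRED = {"claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}

def kv_form(params, signed):
    # OpenID 2.0 key-value form: one "key:value\n" line per signed field.
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()

def sign(params, mac_key):
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def provider_assertion(claimed_id, nonce):
    # Provider side (simulated): the user has logged in there, not at the consumer.
    p = {"openid.mode": "id_res", "openid.claimed_id": claimed_id,
         "openid.identity": claimed_id, "openid.return_to": RETURN_TO,
         "openid.response_nonce": nonce, "openid.assoc_handle": ASSOC["handle"],
         "openid.signed": "claimed_id,identity,return_to,response_nonce,assoc_handle"}
    p["openid.sig"] = sign(p, ASSOC["mac_key"])
    return p

def consumer_verify(params, seen_nonces, accounts):
    # Consumer side: accept the identifier only if every check passes.
    if params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.assoc_handle") != ASSOC["handle"]:
        return None
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED <= signed or any("openid." + k not in params for k in signed):
        return None  # an unsigned claimed_id could be swapped in transit
    expected = sign(params, ASSOC["mac_key"]).encode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return None  # response was not produced by the provider we associated with
    if params["openid.return_to"] != RETURN_TO:
        return None  # assertion was issued for a different consumer URL
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return None  # replayed assertion
    seen_nonces.add(nonce)
    # Only the identifier is stored; no password ever reaches the consumer.
    accounts.setdefault(params["openid.claimed_id"], {"comments": 0})
    return params["openid.claimed_id"]
```
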