What is OpenID?

OpenID is a decentralized authentication system for web services. Identities are URLs, and a single identity allows a user to log in to multiple services without re-entering a username and password (single sign-on).

What is OpenID?

OpenID is based on a decentralized concept and uses URL-based identities (IDs) for logging in to web services. With these identities, a user can log in to multiple services without having to re-enter a username and password; the concept thus supports single sign-on. Using the procedure requires a one-time registration with an ID provider and support for the procedure by the desired service. OpenID is an open specification from 2005; version 2.0 was released in 2007.

Because of various limitations and missing features, the OpenID Foundation adopted a completely revised version of the protocol, OpenID Connect, in 2014. To better support mobile applications and improve interoperability, the new version builds on the OAuth 2.0 framework.

The goal of the new protocol is wider acceptance and more opportunities for single sign-on on the web. The authentication mechanism of OAuth 2.0 differs significantly from that of OpenID.


The operating principle of the ID procedure

To log in to web services, users need an ID, which is issued by an ID provider. The decentralized architecture allows many different ID providers to coexist, and the open standard keeps the effort required to become a provider relatively low. The ID has the format of a URL and could be, for example, username.example.com or example.com/username.

Web services can support both the traditional username and password logon and ID logon. If the traditional logon is not offered, the web service no longer has to store and protect usernames and passwords itself; that effort shifts to the respective ID provider.

Typical logon procedure with the ID-based method

A typical logon procedure could look as follows. Once a user has created an identity with an ID provider, the user only needs to present the identity URL to a web service. The web service automatically forwards the user to the page of the ID provider, where the user logs in with his credentials. He is then redirected back to the original web service and can use it.

If the user accesses other web services that support ID logon during the same browsing session, no new logon is necessary: after entering the ID URL, the user is logged in to the service directly.
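The redirect-based exchange described above, as an added Python example that is not part of the original article: one function plays the ID provider building the signed answer, the other plays the web service (relying party) deciding whether to accept it. The association secret, the endpoint URLs and the nonces are constructed for the demo; the message fields and the HMAC over the "key:value" form follow the OpenID 2.0 specification.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Shared secret from an assumed earlier association between the web service (relying party)
# and the ID provider; the handle and secret are constructed for this demo, not real values.
ASSOC_HANDLE = "assoc-demo-1"
ASSOC_SECRET = secrets.token_bytes(32)

def sign(fields):
    # OpenID 2.0 signature: HMAC-SHA256 over "key:value\n" lines of the fields named in openid.signed
    kv = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(ASSOC_SECRET, kv.encode(), hashlib.sha256).digest()).decode()

def provider_assertion(claimed_id, return_to, nonce):
    """ID provider side: the positive assertion the user is redirected back with after logging in."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://idp.example/openid",   # hypothetical provider endpoint
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields)
    return return_to + "?" + urlencode(fields)

seen_nonces = set()   # replay-protection state kept by the relying party

def verify_assertion(redirect_url, expected_return_to):
    """Relying party side: the verified claimed ID, or None if the assertion must not be trusted."""
    parsed = urlparse(redirect_url)
    f = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    signed = set(f.get("openid.signed", "").split(","))
    ok = (f.get("openid.mode") == "id_res"
          and f.get("openid.assoc_handle") == ASSOC_HANDLE                  # association we really made
          and f.get("openid.return_to") == expected_return_to                # answer meant for this endpoint
          and parsed._replace(query="").geturl() == expected_return_to
          and {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
               "claimed_id", "identity"} <= signed                           # everything we rely on is signed
          and hmac.compare_digest(f.get("openid.sig", "").encode(), sign(f).encode())  # untampered
          and f.get("openid.response_nonce") not in seen_nonces)           # not a replayed assertion
    if not ok:
        return None
    seen_nonces.add(f["openid.response_nonce"])
    return f["openid.claimed_id"]
```

A relying party that skips any of these checks (signature, return_to, signed-field list, nonce) can be logged in as someone else by an altered or replayed redirect, which is why the provider-side step alone does not complete the logon.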


Using OpenID login on the Internet

OpenID and variants of it have been implemented by many web services, including Yahoo, Google, Microsoft, PayPal, VeriSign and Facebook. According to the BSI, around 50,000 websites accepted the login procedure in 2009.

Because of its limitations, OpenID has increasingly been superseded by OpenID Connect and OAuth 2.0. Companies that support the more modern method include Deutsche Telekom, Microsoft, Google, IBM, Amazon, Salesforce.com and many more.