Date: 2006-12-07 23:02:00
I've been playing with OpenID recently and put together an OpenID identity provider as a little Python script that runs as a CGI under Apache. I wanted to really understand how the protocol works so I did this without the use of any existing OpenID libraries. It turned out to be a little finicky and the current specification leaves a bit to be desired, but with just 140 lines of code I've got a working OpenID provider.

So my OpenID is now (the use of .name here isn't specifically related to OpenID, it's just part of a URL). What can I do with that? There is a growing list of OpenID enabled software where I can theoretically log in with an OpenID. This means I don't have to give every random web site a password (and have to keep thinking up new ones), I can just use my OpenID knowing that nobody else can use my identity. In practice, adoption is slow but progressing well. I hope to be able to use this on sites like Wikipedia or Trademe (New Zealand's version of eBay) in the near future.

brad did the initial development of OpenID a couple of years ago, so it's no surprise that Livejournal has some of the best support for it. There are two halves to this support: (1) Everybody who has a Livejournal account automatically has an OpenID today, so another OpenID that I could use is; (2) People who do not maintain a journal at can still log in to the site, create friends lists, other people can friend them, and so on.

OpenID is really good stuff and hopefully will soon be adopted everywhere. Like other wildly successful protocols such as SMTP, HTTP, and XMPP, nobody owns OpenID, so the failure of one company or organisation won't render it useless. And, of course, there's no money involved (unlike, say, SSL).
I don't really understand OpenID, or at least how to roll my own, but I have used my LJ OpenID in conjunction with Zooomer and I've found the experience to be quite nice.

I wish WordPress had better support for OpenID so LJ'ers could login to post comments on my blog. Some day.
There appear to be a multitude of Google hits for OpenID and WordPress, but some of them mention out of date plugins and varying support for WordPress versions. Hopefully something rises out of all that.
OpenID delegation is useful. I can authenticate as, and it's delegated to livejournal so I don't have to run any software on
60 second associations? Not nice. :(

Also, no worky with simple test:
% nc 80 <<END
POST /services/ HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 07 Dec 2006 22:52:13 GMT
Server: Apache/2.0.58 (Unix) PHP/4.3.10
Connection: close
Content-Type: text/html

<p>This is an openid server.</p>
Hm. Apparently you have to set content-type.
Oh, yeah, I had the associate set at 60 seconds for testing. I guess it could be longer than that; what's reasonable? An hour? A day? A month?

Or, I suppose I could try myself against another identity server like livejournal. :)
It really depends. How long do you want to have to maintain the state on your end? If your design is like mine (stateless), then you can make the association infinite.
Oh, yeah, my server is stateless. My code is pretty hacky, but it's pretty much self-contained. if you're curious. That's the sanitized version with my secrets replaced by FIXME. :)
Ah, you don't support check_authentication! No wonder your version is so simple.
Heh yeah. Enough to make it work minimally with the couple of sites I tried it with.
That's because most of them are smart consumers that can use associations.
No trust_root/return_to checking either. Sheesh. for the one I wrote. It's PHP, but it gives you an idea of how much more has to be done to have a secure IdP.
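The two checks this reply calls out, trust_root/return_to matching and the check_authentication signature verification a stateless IdP would need, as an added Python example; it is neither Greg's script nor the PHP IdP linked here. The shared secret, association handle and identity URL are constructed placeholders, and treating a "*.example.com" trust_root as also covering the bare example.com is an assumption about wildcard handling.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

def return_to_under_trust_root(trust_root: str, return_to: str) -> bool:
    """True if return_to lies under trust_root: same scheme and port, same host
    (a '*.example.com' root also accepts example.com and any subdomain, an
    assumption), and a path that extends the root's path on a '/' boundary."""
    tr, rt = urlsplit(trust_root), urlsplit(return_to)
    if tr.scheme != rt.scheme or not tr.hostname or not rt.hostname:
        return False
    if tr.port != rt.port:
        return False
    if tr.hostname.startswith("*."):
        suffix = tr.hostname[1:]            # ".example.com"
        host_ok = rt.hostname == suffix[1:] or rt.hostname.endswith(suffix)
    else:
        host_ok = rt.hostname == tr.hostname
    root_path = (tr.path or "/").rstrip("/") + "/"   # "/app" -> "/app/"
    path_ok = rt.path == root_path.rstrip("/") or rt.path.startswith(root_path)
    return host_ok and path_ok

def sign(secret: bytes, fields: dict, signed: str) -> str:
    """OpenID 1.1 signature: HMAC-SHA1 over 'key:value\\n' lines, one per name
    in the comma separated 'signed' list (in that order), then base64."""
    token = "".join(f"{name}:{fields[name]}\n" for name in signed.split(","))
    mac = hmac.new(secret, token.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def check_authentication(secret: bytes, query: dict) -> bool:
    """Server side of check_authentication: the consumer echoes the id_res
    fields with openid.mode changed, so the signature is recomputed with
    mode=id_res and compared in constant time. Unknown/missing fields fail."""
    fields = {k[len("openid."):]: v for k, v in query.items() if k.startswith("openid.")}
    fields["mode"] = "id_res"
    try:
        expected = sign(secret, fields, fields["signed"])
    except KeyError:          # 'signed' or a field it names is absent
        return False
    return hmac.compare_digest(expected.encode(), fields.get("sig", "").encode())

SECRET = b"constructed-shared-secret"   # constructed; never ship a fixed secret

def build_id_res(return_to: str) -> dict:
    """Construct the signed positive assertion an IdP would send to return_to."""
    fields = {"mode": "id_res", "identity": "http://example.invalid/user",
              "return_to": return_to, "assoc_handle": "constructed-handle",
              "signed": "mode,identity,return_to"}
    fields["sig"] = sign(SECRET, fields, fields["signed"])
    return {"openid." + k: v for k, v in fields.items()}
```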
Six months ago i couldnt spel programur. Now i are one!
Greg Hewgill