How to use OpenID?

4:18 pm General

It appears I already have an OpenID or two, having Yahoo (for flickr) and AOL (for AIM) accounts.

The only problem is that I have not seen an easy explanation of how to actually go about logging in.

I have a URL, which I can put into the OpenID field, but what do I put in the email and password fields, if anything? For AOL and Yahoo, for example, how do I find out what’s expected?

This may be a stupid question, but it’s the kind of magic step that I often notice is missing in explanations of new stuff, because it’s “obvious”. It might be obvious to others, but not to me.

18 Responses

  1. Marko Anastasov Says:

    When you’re logging into a website with an OpenID you’re only supposed to enter the url (http:// may be omitted). If it’s your first time on that website, i.e. you’re actually registering, the website can make a so-called SREG request, which is a request for additional information such as full name, email, address, gender, etc. All these should be optional, you enter them once on your provider’s form and they will be stored for such future requests.

  2. Robin Sonefors Says:

    What happens when you press log in, is that you’re redirected to Yahoo/AOL. They take care of accepting your password, so the site you’re logging in to shouldn’t even ask for one.

    Email – that can be transmitted from your OpenID provider to the site you’re logging in to, so that should be filled in automatically when you’re done. It doesn’t have to be, though, so you could type an email if you want.

    No info you type into any field except for the URL is transmitted from the site you’re logging in to, to the server, so from an OpenID point of view, all other fields are ignored.

  3. Frej Soya Says:

    Good point. Either you use an OpenID URL or a username/password combo.

    In short – just input your OpenID URL and nothing else.
    I might be wrong of course 🙂

  4. Jim Says:

    For OpenID, typically there is only one field required: the OpenID URL. You enter that. After submitting, if you haven’t already done so, it should redirect you to the OpenID URL to confirm that you want to login to that site. Typically you should only have to confirm a domain once.

    Note that you must already be logged in on the OpenID domain or it may ask you for a password before you confirm the login to the domain you were at.

    For example, I have a MyOpenID.com login. I go to a site, say thisReallyCoolDomain.com, and want to login. Typically it will only ask for the OpenID URL. I enter it (e.g. yourUserName.myopenid.com), it then redirects you to the OpenID domain and asks you to confirm that you want to allow thisReallyCoolDomain.com to log you in and see your login information. After you confirm you should be taken back to thisReallyCoolDomain.com and be logged in.

  5. Chris Cunningham Says:

    The simple registration extension allows for a provider to pass on some information stored about you when a consumer requests your identity. So if the consumer supports this extension, you can leave them blank and they’ll be filled in automatically. I agree that it’s a bit confusing when a consumer asks you for them anyway, like the WordPress extension on your blog does, but that’s just so people can leave info even if they don’t have an OpenID.

    – Chris

  6. Ian Says:

    You just put in the OpenID URL. That’s it.

    The website goes and asks your OpenID provider (Yahoo or AOL in your case) if you are allowed to use that URL. The provider can authenticate you however it likes.

  7. Kelly Clowers Says:

    For a blog – first time using OpenID commenting on that blog, not currently logged in to your openid provider:
    1. enter openid url
    2. type comment
    3. press submit
    4. redirected to a screen that says you need to approve this site
    5. open a new window/tab and go to your openid provider, login
    6. In the other tab/window, allow the blog to connect once or always
    7. your post goes up, you’re done!

    If you are logged in to your OpenID provider there would be one less step, and if you let the blog always authenticate, next time you just enter your url and press submit.

    I don’t know about yahoo and aol, but myopenid.com lets you sign in with a client ssl cert. – very convenient!

    Also, it would be a good idea to set your blog up as an openid relay, so you can use http://blogs.gnome.org/bolsh/ as your url, and so you can change your provider freely.

  8. Kelly Clowers Says:

    Chris: So you have to fill in name, etc. on a blog if you don’t have simple reg.? I know you would if you were signing up for a forum or something, but I didn’t realize that was the case on blogs.

    That’s one disadvantage of Yahoo – they don’t currently support simple reg. I don’t know about AOL.

  9. James Galvin Says:

    Firstly, there is some bug here, it thinks I’m logged in as Kelly Clowers and tells me my comment is awaiting moderation. OpenID plugin not working correctly.

    Secondly, you’re not missing anything obvious. Fact is OpenID is freakin confusing. I use my homepage URL as my OpenID, and it references an open ID provider (in this case Verisign) but would allow me to change to a different OpenID provider at any time and keep the same URL.
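The delegation ("relay") setup mentioned in comments 7 and 9 works through `<link>` tags in the `<head>` of the page you use as your OpenID. The following sketch is an added example, not code from the thread or from any OpenID library; it shows how a relying party reads those tags, and the sample page and its hosts are constructed placeholders.

```python
from html.parser import HTMLParser


class _OpenIDLinkParser(HTMLParser):
    """Collect openid* <link> relations, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            for rel in (attr.get("rel") or "").lower().split():
                if rel.startswith("openid") and attr.get("href"):
                    self.links.setdefault(rel, attr["href"])  # first one wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_delegation(html):
    """Return the provider endpoint and delegated identity a page points to."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:      # OpenID 2.0 relations
        return {"version": "2.0", "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:         # OpenID 1.1 relations
        return {"version": "1.1", "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


# Constructed sample page: a homepage delegating to a placeholder provider.
# The <link> in <body> stands for markup outside the head and must be ignored.
SAMPLE_PAGE = """<html><head><title>My homepage</title>
<link rel="openid2.provider openid.server" href="https://op.example/server">
<link rel="openid2.local_id openid.delegate" href="https://alice.op.example/">
</head><body>
<link rel="openid2.provider" href="https://other.example/server">
</body></html>"""

if __name__ == "__main__":
    print(discover_delegation(SAMPLE_PAGE))
```

Switching providers means editing only the two `href` values; the URL you type at login stays the same, which also means whoever can edit that page's `<head>` controls the identity.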

  10. James Galvin Says:

    If you see this comment and if you didn’t see my last comment, there is a bug here.

  11. Jorge O. Castro Says:

    I don’t know how to use my openid either, so I am trying it for this blog comment. 🙂

  12. Kelly Clowers Says:

    Firstly, there is some bug here, it thinks I’m logged in as Kelly Clowers and tells me my comment is awaiting moderation.

    o_O

    That’s a little weird, but it seems to have worked out in the end.

  13. Anonymous Says:

    1) discard OpenID URL.
    2) enter username and password
    3) have actual security

    OpenID has huge gaping security flaws you could drive a truck through, and doesn’t even provide the basic guarantee that a given OpenID represents the same user from one login to another. Not only does it not provide the benefits it claims to provide, it doesn’t even provide the benefits a simple username and password provide. Allowing OpenID ends up worse than anonymity, because with OpenID you *think* you have user continuity and no impersonation, but you don’t.

  14. Justin Haygood Says:

    AOL: http://openid.aol.com/
    Yahoo! http://me.yahoo.com

    AOL supports 1.1, Yahoo! is only 2.0

  15. Bård Aase Says:

    Just wanted to test if my openID works, I haven’t figured it all out myself either

  16. Michael R. Head Says:

    On your site, I just put http://openid.aol.com/michaelrhead (where michaelrhead is my AIM id) along with my name and email address. Hopefully it’ll work when I submit the comment.

  17. Michael R. Head Says:

    And yeah, when I submitted, it popped me through to an AOL login page where I put my AIM password in.

  18. jdub Says:

    That’s a usability problem with the form you’re filling out — which is probably the blogs.gnome.org login or comment forms, right? 🙂

    In this case, you can just enter your OpenID and ignore the other two fields, and let the OpenID provider hand them over (if it doesn’t have them, or doesn’t pass them over, WordPress will be as cranky at you as if you didn’t put them in manually).

    Ideally, the form would only ask for what it needs, and handle a lack of info from the OpenID provider gracefully (by showing an additional page, for instance). But the WordPress OpenID plugin basically just co-opts the normal form, and can’t make it quite that simple just yet. 🙂
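The login step the comments describe, written out as an added example (not code from the thread or from the WordPress plugin): the site normalizes the typed URL, ignores every other form field, and redirects the browser to the provider with an optional SREG request. It assumes OpenID 2.0, a provider endpoint that has already been discovered, and no delegation; the endpoint, return URL and form values are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"


def normalize_identifier(user_input):
    """Turn what the user typed into a URL: add http:// if omitted, drop any fragment."""
    ident = user_input.strip()
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    if not parts.netloc or "@" in parts.netloc:
        raise ValueError("not a usable OpenID URL: %r" % user_input)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def build_login_redirect(form, op_endpoint, return_to, realm):
    """Build the URL the browser is sent to at the provider.

    Only form["openid_url"] is read. Any email or password typed into the
    site's own form stays out of the request: the provider collects the
    password on its own page.
    """
    claimed_id = normalize_identifier(form["openid_url"])
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",          # interactive login/approval
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,           # no delegation assumed here
        "openid.return_to": return_to,
        "openid.realm": realm,                   # the site the user approves
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.optional": "nickname,email,fullname",
    }
    separator = "&" if "?" in op_endpoint else "?"
    return op_endpoint + separator + urlencode(params)


# Constructed sample: form contents and hosts are placeholders.
SAMPLE_FORM = {"openid_url": "yourUserName.myopenid.com",
               "email": "typed@example.org", "password": "not-sent-anywhere"}

if __name__ == "__main__":
    print(build_login_redirect(SAMPLE_FORM, "https://op.example/server",
                               "https://blog.example/openid/return",
                               "https://blog.example/"))
```

On return, the site must still verify the provider's signed response before trusting the identity or any SREG values; that step is outside this sketch.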
