Using OpenID to authenticate to linked services
August 5, 2010
I was intrigued by the OpenID idea every time I met references to it. I even tried to use it several times, but apparently my approach was superficial and all I was able to do was to create useless new accounts.
With my recent increase in open source contribution also came more time spent on SourceForge, where I already have several projects hosted. With more time spent online also came more and more logins, since SourceForge times out sessions quite quickly.
With SourceForge actively promoting OpenID logins on the main login window, I decided to give it a new try. I clicked on Get an OpenID and received the good news: I already have an OpenID, or even several, considering the many accounts I have!
The next step was not obvious and, in my case, required some experimenting. Since I already had several Google accounts, I thought I had to go to Google and generate/enable something for the OpenID to work. Nope, all Google accounts have an OpenID associated, and there is nothing to configure on the Google side.
The only thing to do is to associate the desired Google account with the SourceForge account. For this, the SourceForge account administration page has a dedicated link, named Manage My OpenIDs (in the right part of the page).
Clicking on the Manage My OpenIDs link shows the login window again. Enter the SourceForge password again, select the OpenID provider, and click the Log-in button.
This will open a custom Google login window. Enter the account you want to use, the password and click on the Sign in button.
After the Google credentials are checked by Google, the OpenID URL is generated and automatically added to the SourceForge account.
From now on, any time the SourceForge login is required, instead of entering the SourceForge credentials I can select Google OpenID and click the right Log-in button.
When doing this, SourceForge contacts Google via the secure OpenID URL, does some inherent magic and logs in.
But the real magic just begins. After you authenticate to Google, even if you decide not to let the browser cache the password (à la Firefox), the browser still caches something that will allow you to log in directly to Google and indirectly with the linked OpenID account, without asking for credentials every time.
Well, for the curious ones, the magic is not that deep: as you could see in the Google login page, the Stay signed in option was enabled, so that each time you want to connect to that Google account you are no longer asked for credentials. So indirectly, when coming via the OpenID, you are also no longer asked for credentials.
I agree that in general this might be a security hole, and I would not use OpenIDs to connect to my Internet banking accounts, but for ordinary development accounts this is quite useful.
In addition to SourceForge, I also used OpenID to authenticate to Facebook. The Facebook procedure is even simpler: once you define the OpenID linked account, Facebook will automatically try to log you in via the linked account. However, there is a catch: you should use different email addresses for your regular Facebook account and for your linked account, otherwise Facebook will not be able to differentiate between them and you’ll not be able to use the linked account.
OpenID is a simple solution to link one account to another, allowing you to authenticate to multiple accounts using one set of credentials. Implementations may differ, and the functionality may be more or less automated, but the idea is the same: to simplify authentication. And, to my surprise, it really works.