
When we want to use a website's features, we generally have to register an account first. With so many Internet applications around, after a while you find you have registered a pile of accounts and passwords that you cannot remember.

You might be tempted to use the same username and password on every website. That solves the account-management problem, but it also increases the risk: once that one password leaks, every account is exposed.

Many websites now offer login by SMS verification code, but today we are going to talk about a relatively "old" technology, OpenID, and see how it tried to solve the problem of having too many passwords to manage.

The reason for writing this article is mostly interest: in practice you are unlikely to log in simply with OpenID, and almost no websites in China support OpenID, at least none of the mainstream vendors. But I personally feel that not using something does not mean you need not know about it. Knowing the history of a technology gives us a reference point and also deepens your own technical background. (Haha, showing off a bit~~)

Basic concepts#
Before introducing OpenID proper, a few basic concepts.

Authentication: identity verification, or authentication for short; put simply, establishing that you are who you claim to be;

Authorization Server / Identity Provider: the service responsible for authentication is called the Authorization Server or Identity Provider, IdP for short;

Authorisation: resource access, or authorization for short; put simply, granting someone particular permissions;

Service Provider / Resource Server: the service responsible for providing resources (API calls) is called the Resource Server or Service Provider, SP for short.

Several concepts specific to OpenID:

User: the website visitor, acting through a browser (the user agent);
RP: Relying Party; the website the user wants to log in to, which relies on someone else to authenticate them;
OP: OpenID Provider; the service where the user registered their OpenID and which performs the authentication.

Introduction to OpenID#
OpenID is an authentication system developed at LiveJournal and Six Apart. It is a user-centric digital identity framework with the characteristics of openness, decentralization and freedom of choice.

OpenID rests on one idea: a URI (also called a URL or web address) uniquely identifies a website, so the same mechanism can identify a user. It is not tied to the registration process of any one website and is not limited to logging in to a single site: an OpenID account can be used on any website that accepts OpenID, which avoids the tedium of registering and filling in identity details over and over. In short, OpenID is a user-centric, decentralized authentication system. Once a user has registered and obtained an OpenID, they can use that one account to log in freely across many websites without registering separately at each one.

OpenID's workflow#
Suppose you already have an OpenID account registered at website A (A plays the OP role), and website B (B plays the RP role) supports OpenID login but you have never logged in there. When you enter your OpenID on B's login page, the browser is redirected to a page on website A for identity verification. There you only need to enter the password you chose when registering at A, and then confirm whether B may use your identity (always allow, allow once, or deny). The page then returns automatically to website B; if you chose to allow, you are now logged in to B and can use all of its features under your OpenID account.

The above describes website B logging you in with the OpenID provided by website A. You can use the same OpenID to log in to any other website that supports OpenID.

OpenID acquisition process

First, the user picks an OpenID service provider and registers an OpenID account (no different from ordinary website registration). After registration the user receives an OpenID URL, such as http://collinye.openid.com, which can be thought of simply as a username.
Visit a website that supports OpenID. When logging in, enter your OpenID URL; the input box on such login pages usually carries the OpenID logo, as shown in the figure above. Then click to log in.
You are then redirected to your OpenID service provider's website and asked for the password you set at registration. Once the password is verified, you are asked whether to allow that website to log in with your OpenID. After you allow it, you are redirected back to the original website, which shows that login succeeded; you can now use the site as a registered user.
Authentication process

1. The end user requests to log in to the RP website and chooses to log in with OpenID;
2. The RP returns the OpenID login page to the end user;
3. The user enters their OpenID, and the RP normalizes it. This step is more involved than it looks, because an OpenID may be either a URI or an XRI and the normalization rules differ;
4. The RP discovers the OP and establishes an association with it;
5. The RP asks the OP to check the user's identity. The OP checks whether the user is logged in and, if not, asks the user to authenticate;
6. The user logs in at the OP and, once logged in, sees what information the RP is requesting and fills in anything required that is missing (OpenID is mainly responsible for the login itself; on a first login the RP may need further details for registration, which can be supplied at this step);
7. The OP returns the login result to the RP. The RP verifies the result, and if the user is legitimate, reports a successful login; the user can then use the RP's services.
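The RP side of the steps above, as a worked example added here (it is not code from the original article). It assumes hypothetical hosts rp.example and op.example, an HMAC-SHA256 association key already agreed between them, and a positive assertion constructed in the code itself; the field names (openid.signed, openid.sig, openid.response_nonce and so on) are those of the OpenID 2.0 specification. It shows step 3, normalizing a URI or XRI identifier, and step 7, the checks the RP must make on the OP's result before believing it: return_to and op_endpoint match what the RP sent and discovered, every mandatory field is covered by the signature, the HMAC verifies under the association key, and the nonce is fresh and has not been seen before.

```python
"""RP side of an OpenID 2.0 login: normalizing the identifier the user typed and
verifying the OP's signed positive assertion. Added example, not from the article.
Assumed: hypothetical rp.example / op.example hosts, a MAC key from the association
step, and a constructed assertion."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
XRI_GCS = "=@+$!"  # XRI global context symbols
NONCE_MAX_AGE = timedelta(minutes=5)
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def normalize_identifier(user_input):
    """Step 3: normalize the typed OpenID (spec 7.2). XRIs lose any xri:// prefix;
    URLs get a scheme if missing, lose the fragment and are canonicalized."""
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GCS:
        return s  # XRI: goes to XRI resolution, not shown here
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    scheme, netloc = p.scheme.lower(), p.netloc.lower()
    if (scheme, netloc.rpartition(":")[2]) in (("http", "80"), ("https", "443")):
        netloc = netloc.rpartition(":")[0]  # drop the default port
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


def compute_signature(fields, mac_key, assoc_type):
    """HMAC (base64) over the Key-Value form of the fields named in openid.signed:
    one 'key:value\\n' line per key, in that order, 'openid.' prefix removed."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), DIGESTS[assoc_type]).digest()).decode()


def op_positive_assertion(mac_key, assoc_type, assoc_handle, claimed_id, return_to, op_endpoint, now):
    """Step 7, OP side: the signed 'login result'. The nonce suffix is fixed here;
    a real OP appends random characters after the UTC timestamp."""
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.assoc_handle": assoc_handle,
        "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "abc123",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = compute_signature(fields, mac_key, assoc_type)
    return fields


def verify_assertion(fields, mac_key, assoc_type, expected_return_to,
                     expected_op_endpoint, now, seen_nonces):
    """Step 7, RP side: what must hold before openid.claimed_id is trusted (spec 11).
    Returns (claimed_id, None) on success or (None, reason) on failure."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return None, "not an OpenID 2.0 positive assertion"
    if fields.get("openid.return_to") != expected_return_to:
        return None, "return_to mismatch"  # answers some other RP request
    if fields.get("openid.op_endpoint") != expected_op_endpoint:
        return None, "op_endpoint mismatch"  # not the OP found by discovery
    required = REQUIRED_SIGNED | {k for k in ("claimed_id", "identity") if "openid." + k in fields}
    if not required.issubset(fields.get("openid.signed", "").split(",")):
        return None, "a mandatory field is outside the signature"
    try:
        expected_sig = compute_signature(fields, mac_key, assoc_type)
    except KeyError:
        return None, "signed field missing from message"
    if not hmac.compare_digest(expected_sig, fields.get("openid.sig", "")):
        return None, "bad signature"
    # Nonce checks run only after the signature holds, so a forged message cannot
    # poison the replay cache with nonces the real OP has yet to use.
    nonce = fields["openid.response_nonce"]
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None, "malformed nonce"
    if not (now - NONCE_MAX_AGE <= ts <= now + timedelta(minutes=1)):
        return None, "nonce outside the acceptable time window"
    if (expected_op_endpoint, nonce) in seen_nonces:
        return None, "nonce replayed"
    seen_nonces.add((expected_op_endpoint, nonce))
    return fields.get("openid.claimed_id"), None


def run_demo():
    """Constructed round trip: a valid assertion is accepted, a copy with a swapped
    claimed_id fails the signature check, and a replay of the original is refused."""
    mac_key = bytes(range(32))  # stands in for the key agreed in the association step
    now = datetime(2021, 1, 19, 12, 0, 0, tzinfo=timezone.utc)
    return_to, op_endpoint = "https://rp.example/openid/return", "https://op.example/auth"
    claimed = normalize_identifier("Alice.OP.example")  # what the user typed at the RP
    msg = op_positive_assertion(mac_key, "HMAC-SHA256", "assoc-1", claimed, return_to, op_endpoint, now)
    cache = set()
    valid = verify_assertion(msg, mac_key, "HMAC-SHA256", return_to, op_endpoint, now, cache)
    forged = {**msg, "openid.claimed_id": "http://mallory.op.example/",
              "openid.identity": "http://mallory.op.example/"}
    tampered = verify_assertion(forged, mac_key, "HMAC-SHA256", return_to, op_endpoint, now, cache)
    replayed = verify_assertion(msg, mac_key, "HMAC-SHA256", return_to, op_endpoint, now, cache)
    return {"valid": valid, "tampered": tampered, "replayed": replayed}
```

run_demo() returns the three outcomes. The order of the checks is deliberate: the nonce is recorded only after the signature has verified, otherwise anyone who can reach the return URL could fill the replay cache with not-yet-used nonces and cause later genuine assertions to be rejected.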
OpenID advantages and disadvantages#
Advantages#
For users

Simpler registration and login: to a large extent it avoids repeatedly registering and filling in identity details, and no registration e-mail confirmation is needed, so login is faster.

Register once, use everywhere: no need to memorize a large number of accounts; one OpenID logs in to any website that supports OpenID.

Reduced risk of password leakage: when you log in to many different websites, a disreputable site can quietly harvest your password and details, or send spam in your name. With OpenID the password is only ever entered at the OP.

The user controls their account information: depending on how much they trust a website, the user can decide exactly which profile fields to share, such as name, address or phone number.

For websites

Shared user resources: brings value to every website that supports OpenID.

There is already a sizeable base of established registered users who can be used directly, without starting from scratch;

No need to bear the development, equipment, bandwidth and security costs of building your own membership system or login function;

User data is safer: it is not stored centrally, users can choose and change the server that holds it at will, and there is no organization or location that is the root of the system and no single organization or individual that can take it over for their own benefit.

Disadvantages#
Anyone can set up a website offering OpenID verification, but their quality varies widely, so the OpenID verification process is not always stable.

If a website providing OpenID verification suddenly shuts down, a large number of users may lose access to many websites at once.

At present almost all websites that support OpenID treat it cautiously, as an alternative login method, which greatly hinders its development.

There are still not many websites that support OpenID, and its unusual way of logging in is unfamiliar to most users.

Password security is concentrated in one place. If the OpenID password leaks, effectively every website is compromised. The counterpart of "register once, use everywhere" is "leak once, leaked everywhere": everything rests on how well the OP protects that one login.

OpenID is not really open. Many websites support OpenID only on the surface; in practice they keep pushing OpenID users to register local accounts and quietly accumulate those users for themselves. So for now OpenID is workable across the subsidiaries of a single group, but using it with outside companies calls for caution.

The development history of OpenID - OIDC#
The original OpenID, OpenID 1.0, was never a real commercial success, but the protocol got industry leaders thinking about what was possible.

OpenID 2.0 has a more complete design and offers good security guarantees. However, it has some design limitations, the most serious being that the relying party must be a website rather than a native application; it also depends on XML, which causes problems for some applications.

OIDC, OpenID Connect, is the third generation of OpenID technology. It draws heavily on SAML and OpenID 1.0/2.0 and is built as an identity layer on top of OAuth 2.0, so OIDC supports not only user authentication but also user authorization.

OIDC will be covered in a follow-up article.


Source: blog.csdn.net/gumenghua_com1/article/details/112821384