Delegating OpenID

This is a guide to setting up a delegation page.

There may be multiple ways to do this. This guide is kept extremely simple and short; it assumes that the user has some knowledge/abilities, such as creating a website containing whatever HTML code the user wishes to put in the file. (Editing a text file and Coding in HTML may provide some details about that, although publicly hosting the file might not be part of those guides at this time. Transferring files can also be helpful with that.)

Note: This may be ideal if you run your own web server and are the only person who can access it. This can also be done if you are hosting web pages with a commercial organization that provides web hosting services. However, keep in mind that if the web host has the technical ability to modify the files on the web server, then they can effectively take control of the ability to log into any site which relies on that web server.

Getting an OpenID

First, have an OpenID.

Note that this is not saying that the OpenID needs to be something you created with a program that is running on a computer you own, nor that the OpenID needs to be on a website that you own, nor that the URL of the OpenID needs to be easy to memorize. None of those are requirements.

Getting an original OpenID might be easier than you realize: you might already have an OpenID that is within your control, even if you don't know about it yet. OpenIDs may be automatically generated on several organizations/companies/sites, like Google and myspace and WordPress and Blogger and SteamPowered.com (Valve's Steam), which many people have created accounts on. So a person could easily have an available OpenID even without trying and without knowing about it. Some people have made lists of organizations that have been known to provide OpenIDs. Those lists include:

If you don't already have one, then make one.

There may be various ways to make one. The only ways currently covered by this simple guide involve using other organizations. (Even then, such information may currently be rather sparse/generalized/untested.)

Google

This can be done using a Google account. There are some different reports about exactly what is needed. Apparently usage of “Google Profiles” is needed, which may involve using Google Plus, although simply using GMail and having Google Profiles enabled may also be options.

To use Google+, a StackOverflow answer states, “First you need to enable your Google Profiles.” If you go to Google Profiles, make sure that a profile URL is available.

Stack Exchange

One way to log into StackExchange is to use another OpenID. However, StackExchange can also provide their own OpenID. In fact, the current opinion of this author is that this may be the best way to create accounts on StackExchange. (Do that first. Then, a great thing to do next is to use an option to add other OpenID accounts to the already-created StackExchange profile.)

There may be various ways to do this, involving logging in with other OpenID providers. This brief guide describes one possible way. If you see an opportunity to log in with other OpenID providers, that might be an option if you don't want a Stack Exchange account. However, if you do want a Stack Exchange account anyway, then things might be simpler overall if the first step you take is to make a Stack Exchange profile, and then add other OpenID profiles to that Stack Exchange profile.

This requires giving Stack Exchange a working E-Mail address. They don't need to publish this E-Mail, but it does need to be working.

To proceed with this, log out of Stack Exchange if needed. Then, go to the web page for creating a Stack Exchange account. Sign up for Stack Exchange, and log in to Stack Exchange. Then, view your profile by clicking on your name on the top bar.

On the profile page, choose “My logins”, and then “Add more logins”. Then, from the various OpenID providers mentioned, choose the one related to Stack Exchange.

Steam (by Valve)

This is related to Steam for Windows.

First of all, this probably requires an account which is not a “Limited User Account”. (Steam Support: Limited User Accounts describes the need to spend at least $5 with Steam to make an account be not limited. “Receiving a Steam gift” ... “doesn't count”.)

Determine your username. If you are logged in, the username should show up near the upper-right corner of the main Steam application, or the Steam home page's website.

Once you have that, you can check out your own URL on the Steam Community site. (This is discussed slightly further at Steam for Windows: Steam Community Profile.)

Find out the URLs to use

Additional info/side note

As a quick side note, it looks like OpenID for non-SuperUsers shows some different HTML code than what this guide is designed for. So, there may be different options: different available and working approaches. Then again, that guide does reference YADIS, which was a “working title” at the beginning of OpenID, so maybe that is just old information. Regardless, this guide documents a method which has been verified to work.

To delegate (using the directions that this guide is designed around), you'll need to know a couple of URLs. Specifically, these directions require:

  • the “provider” URL,
  • and the “local_id” URL

Both of these URLs are going to depend on what OpenID provider is being used to provide the OpenID authentication services.

Furthermore, the “local_id” URL is (or might be?) something that includes information that is specific to a particular account. So, multiple people who use the same OpenID provider, but who use different accounts, would have different values for the “local_id”.

If you're lucky, the organization that serves as an OpenID provider may provide that for you. For example, Stack Exchange will provide such details when manually creating an OpenID account.

Here are some examples:

Google

Some different information has been posted (by different people on forums) about Google's OpenID URLs. This might indicate that things have been known to change as Google makes changes to the “social” sites that Google provides.

At the time of this writing, it seems like the “Provider” URL may be the same for all of Google's login services, which may be:

https://www.google.com/accounts/o8/ud

However, that does leave the “local_id” as something that is still needing some more details. Those details may depend a bit on which Google service is being used:

Using Google Profile

(Note: There are separate instructions for “Google+”.)

For example, StackOverflow: Delegate OpenID to Google, answer by Lawrence Dol provides URLs that look like this:

  • Provider: https://www.google.com/accounts/o8/ud
  • local_id: https://profiles.google.com/profileID

In that example, the “/profileID” needs to be customized. It can be a Google profile ID, or the account name of a Google account (the part of a GMail address that appears before the “at sign” (“@”)). So if the GMail address is sample@gmail.com, then it would just be the word “sample”, and the entire URL would be: https://profiles.google.com/sample

Also, the profileID URL is a web page that should be reachable. (The OpenID standard doesn't mandate a nicely viewable page at that address, but that will be the case if the Google account is fully set up.) So you should be able to test the Google OpenID Profile ID URL by visiting it in a web browser.

If a web browser is unable to find that web page, make sure Google Profiles is enabled. Log into the Google account (log into Google Profiles), and go to the Settings for the profile. Look for an option to set a Google “Profile URL”. From there, you can choose to use a profile ID or another name.

Some of these details may also have been mentioned by StackOverflow: delegating OpenID to a Google account, which provided a slightly different provider URL:

  • Provider: https://www.google.com/accounts/o8/ud?source=profiles

Google+

(Note: There are separate instructions for “Google Profile”.)

According to information seen in a comment left by StackOverflow: delegating OpenID to a Google account, the URLs to use look something like this:

  • Provider: https://www.google.com/accounts/o8/ud
  • local_id: https://plus.google.com/googleProfileID

In that, the googleProfileID would need to be customized. Details on doing that are likely similar to the information provided in the section about using Google Profile.

Stack Exchange

When creating the Stack Exchange OpenID, information may be provided. The provider URL is:

https://openid.stackexchange.com/openid/provider

The local_id starts with:

https://openid.stackexchange.com/

Then, there is more to the local_id, which is not documented here because it is presumably unique per user. If a “Vanity URL” is not being used, then the part after the domain name may start with /user/ followed by something that looks like a GUID: 32 hexadecimal characters separated into groups by four hyphens.

To find the full URL, the following steps should help show the full local_id URL.

If you have a “Vanity URL” that you know of:

Enter it into the web browser's address bar. The resulting web page may not initially seem informative. However, the resulting web page may redirect to the long URL. So, after the page loads, check the address bar again. If that shows the /user/(GUID) format, then that is probably the right local_id.

Use logged in access...

or, if the “Vanity URL” route doesn't seem to be a suitable solution, try these steps:

Go to Stack Exchange OpenID site (at the https://openid.stackexchange.com URL).

If you are not logged in yet, use an E-Mail address (which was provided while creating the Stack Exchange ID) to log in.

Finally, click “Use your own URL to log in”. That will show you the local_id URL.

While you're there, the web page also shows a “Vanity Id” URL if one is set up. If one is not, but you would like one, click on “Edit Profile” to set up a shorter “Vanity Id” URL. That will show two fields: a “real name” field, and a field for the latter part of the “Vanity Id” URL.

or... The long way

(This may be more steps than necessary, but this process is believed to work. After performing some more verification that the shorter way works fine, this process may be removed from these instructions.)

  • Log into Stack Exchange (in any way possible).
  • If you logged on using a different OpenID provider, then click on your display name in the bar at the top of the page, choose “my logins”, “add more logins...”, then the button that says “log in with Stack Exchange”. Sign in with your E-Mail address, and that should finally get you logged in with the OpenID account that is using Stack Exchange as a provider.
  • Follow the steps shown in the previous “Use logged in access...” section.

Deploying the URLs

Modify a publicly accessible web page that you fully control. For example, we will assume that the web page being modified is at the address of https://example.com/openid/delegate.htm

Place the following in the HEAD tag:

<LINK REL="openid2.provider"
HREF="providerURL">
<LINK REL="openid2.local_id"
HREF="localIDURL">

For instance, the whole HTML page might look like this:

<HTML><HEAD><TITLE>OpenID Delegation</TITLE>

<LINK REL="openid2.provider"
HREF="providerURL">
<LINK REL="openid2.local_id"
HREF="localIDURL">

</HEAD><BODY>
<P>
Some comment could be placed here. </P>
</BODY></HTML>

Now, some of that text needs to be customized. It was mentioned before that some URLs were needed. Replace the text providerURL and localIDURL with the URLs that are appropriate for the OpenID provider that is being used.

Finally, this may be used to log into a site. Go to a website that supports OpenID. That website should provide an opportunity to type in a URL. Type in the URL of your web page (which, in the example used earlier, was https://example.com/openid/delegate.htm).
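As an added example (not code from the original guide), the following Python script does what a relying party's HTML discovery does with a delegation page: it reads the openid2.provider and openid2.local_id LINK tags from the HEAD and reports whether both are absolute https URLs rather than the guide's placeholders. The sample page and its GUID are constructed for the example; the same check, run against the live page after deployment, is a cheap way to confirm the page still points at the provider you chose.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the shape this guide describes; the GUID is a made-up placeholder.
SAMPLE_PAGE = """<HTML><HEAD><TITLE>OpenID Delegation</TITLE>
<LINK REL="openid2.provider" HREF="https://openid.stackexchange.com/openid/provider">
<LINK REL="openid2.local_id" HREF="https://openid.stackexchange.com/user/00000000-0000-0000-0000-000000000000">
</HEAD><BODY><P>Delegation page.</P></BODY></HTML>"""


class DelegationLinkParser(HTMLParser):
    """Collects the HREF of each <LINK> inside <HEAD> whose REL carries an openid2.* token."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag and attribute names
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attrs = {k: v for k, v in attrs if v is not None}
            for rel in attrs.get("rel", "").lower().split():  # REL may hold several tokens
                if rel.startswith("openid2.") and "href" in attrs:
                    self.links.setdefault(rel, attrs["href"])  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return the provider and local_id a relying party would find, or None if no provider link."""
    parser = DelegationLinkParser()
    parser.feed(html)
    if "openid2.provider" not in parser.links:
        return None
    return {"provider": parser.links["openid2.provider"],
            "local_id": parser.links.get("openid2.local_id")}


def check_delegation(html):
    """List problems with a delegation page; an empty list means both URLs look deployable."""
    found = discover(html)
    if found is None:
        return ["no openid2.provider LINK found in HEAD"]
    problems = []
    for name, url in found.items():  # unreplaced placeholders have no scheme, so they fail too
        parts = urlsplit(url or "")
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name} must be an absolute https URL (got {url!r})")
    return problems
```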

Results

You can “login to”/“log into” websites that support OpenID, by providing the websites with the URL of an OpenID delegation page (e.g. https://example.com/openid/delegate.htm) which can be a page that is entirely under your control.

If there is ever a problem with an OpenID service provider, such as if the provider discontinues the services, then simply update the delegation page that you have complete control over (e.g. https://example.com/openid/delegate.htm). You could, for example, point the delegation page to a different OpenID provider. Any web page that you log into should support the change just fine, since that web page is simply relying on the URL of the delegation page (e.g. https://example.com/openid/delegate.htm) which you provided when creating the login/account. It took a bit of effort to set up, and should be pretty easy going forward.

End user experience

What happens is that the user goes to a web page that supports OpenID. This web page is on a website called the “relying party”. The user provides that web page with the URL of the delegation page, which can be any web page, including a web page that the user controls. The website figures out that the delegation page is delegating the authentication responsibility to a specific OpenID provider. The user gets redirected to a web page operated by that specific OpenID provider. The user can provide any necessary credentials (or may already be logged in) and can choose an option to allow this identity/authentication. The OpenID provider will then let the “relying party” know that authentication is permitted, and the user's web browser is brought back to an appropriate web page at the “relying party”. At this point, the user is logged in.