I see OpenID logins available everywhere, and decided that I should look into implementing my own provider on my server so I can control my information and my login.
This is, surprisingly, quite complicated and difficult.
Even though many sites allow OpenID logins (such as this one), I am discovering the following issues:
- Many simple "roll-your-own" single identity OpenID Provider solutions are now vaporware.
- There have been pretty severe ongoing security issues with OpenID:
http://en.wikipedia.org/wiki/OpenID#Security
- Many OpenID Providers seem to have disappeared (MyOpenID.com, getopenid.com, etc..)
- The protocol seems to be constantly changing with previous versions dropped (perhaps due to security issues?)
As an example, this solution on SO from Aug'13 about using Google Plus/Profiles as a delegate now gets an error from Google saying that OpenID 2.0 support is being removed from Google by this April and replaced with OpenID Connect:
Delegate OpenID to Google (NOT Google Apps)
Does anyone even offer a simple OpenID Connect single identity provider? Looking at OpenID's list of OpenID provider software doesn't mention any OpenID Connect solutions at all, not to mention that the page hasn't been updated in 4 years!
http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
Looking through all this information, it makes me really happy I shelved my plan a couple years ago to implement OpenID 2.0 on my server, since that looks like it's becoming obsolete already, and I can't figure out an easy way to just prove my identity. It's surprising that I can't just do a single package install and edit a config file and go. Most of the simpler implementations involve installing and using PHP, which has it's own security issues that need to be learned about.
So - anyone who is an expert on OpenID and where it is going who can give me some advice on how to just setup my on identity provider or if it's worth the difficulty? I'd love to have control over my information and distribution of my email address as well as have a permanent identity, but if the standard is going to keep changing then it's not really permanent.
OpenID 2.0 is deprecated, and just today the OpenID Foundation approved an OpenID 2.0 to OpenID Connect Migration Guide.
I'm not an expert on OpenID, but it's important to be aware that OpenID Connect is fundamentally different from older versions. In particular, it runs on top of OAuth, so the Relying Party must obtain OAuth credentials from the Service Provider.
There is spec that allows the RP to automatically obtain these OAuth Credentials (called Dynamic Client Registration), but the spec is marked as "optional", it is not widely supported in client libraries, and I severely doubt we'll be seeing many applications implementing Dynamic Client Registration.
The movement to OpenID Connect takes the power away from both users and from application developers (not to mention the smaller identity providers) and gives it all to the large, name-brand service providers. So unfortunately, it looks like the idea of setting up your own personal OpenID Provider is not going to be future proof.
What the future holds is of course hard to predict.
Google has implemented OpenID Connect. They have Discovery implemented, but as a generic OIDC IDP that's not very useful without Dynamic Registration since you still have to register an app and get the keys. That could work in their favour I'm afraid, since people might prefer Google login and thereby not care about OIDC based on user-provided e-mail or URL.
According to OpenID Certifications, very few have Dynamic Registration implemented, but it's still very young and could change.
I sincerely hope that full OpenID Dynamic will get a wide adoption, preferrably by e-mail providers, so that we can have a single sign-on based on your e-mail, something most people can remember rather than some obscure http endpoint.
I am about to make this for my own server; a simple small OIDC and webfinger server in node.js based on openid-connect. It is up to us to make it easily and widely adopted, I'll put a link in a comment here when my miniserver is available with an
npm install
:-)If you want to set up your own OpenID provider, I can suggest two available options that you might like to look at. They're both PHP solutions.
The first is the easiest to implement, phpMyID, has been deprecated by its owner but it has risen again on GitHub. I quickly tested this yesterday using PHP 5.6.8. It's just two PHP files.
The second one is called SimpleID and is what I am currently using. I've used it to log on to a number of sites including this one.
Neither are OpenID Connect, however. I am looking for a solution to that so that I can upgrade (this search drew me to your question). The best candidate that I have found so far is called Gluu but it appears to be a behemoth and I haven't yet tried it.
SimpleID has a Trac ticket and a development branch to support OpenID Connect but it would appear to be dormant.
Another interesting thing I found while searching is web sign in and IndieAuth. Not OpenID, but interesting nonetheless.