
OpenID is a simple way to log into multiple websites using one basic login account by using a domain name. You might already have an OpenID login, which you might not know about yet.

There are a lot of OpenID providers, but my favourite is chi.mp because you can have yourname.mp and not a subdomain like many other OpenID providers. You can see mine here.

But what happens when you want to use your own domain name and not a third party? Well, there is an open-sourced script called phpMyID that you can download which turns your own domain name into an OpenID login.

I have turned my website Jack Cola into my own personal OpenID login. This enables me to log in to any OpenID enabled websites.

Installation is pretty easy. All you have to do is download a small file from the phpMyID website.


[Screenshot: phpMyID website download links]


You can either download a tgz or zip file by clicking the highlighted links as seen in the image above.

In the files you have downloaded, there are the basic files such as readme’s and changelogs, just as you would find in any script you download. Pay particular attention to MyID.config.php and MyID.php. These two files are the important ones.

It is best to upload the files to your server first and edit them online, as a few settings need to be checked to make sure your web server is set up correctly. Once you have uploaded your files, visit your website where you have uploaded them. I suggest uploading them to http://yourdomain.com/openID/.

Once uploaded, visit the MyID.config.php file. You will be shown a screen with text similar to this. Click on Login and make sure you can successfully log in with the username and password of test.

[Screenshot: MyID.config.php page]

Make sure you take notice of your Realm. If there is anything after phpMyID, your server is running in safe mode and you need to account for it in the auth_password section. (See below)

To set up phpMyID there are two steps. Edit the MyID.config.php settings and include two lines of code in your webpage’s root directory.

Editing MyID.config.php

Open up MyID.config.php to edit. The names of the settings are pretty self explanatory.

auth_username: This is your login username. Set it to a username that you will remember.

auth_password: This step is a little tricky. For added security, the password is stored as an MD5 hash rather than in plain text. If you are a Linux or OS X user, you can generate the hash with openssl. Just type in

$ echo -n 'username:realm:password' | openssl md5

and remember to replace username with the username you specified in auth_username, realm with the realm that was shown on the MyID.config.php page when you viewed it in a web browser, and password with the password that you want to use as your login.

If you are a Windows user, you can download this app, or use this website to hash your password. If you use the website, make sure the entire username:realm:password string is used to generate the hash. Once you have the hashed text, set the auth_password value appropriately.
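
The same hash computed locally with a no-echo password prompt, so the password does not end up in shell history, plus two checks on the result. This is an added example, not code from phpMyID or the original article; the function names are hypothetical. It also shows why the Realm matters: the same password hashed under a different realm no longer matches.

```python
import getpass
import hashlib
import hmac
import re

DEMO_USER = DEMO_PASS = "test"           # demo login named in the article
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

def auth_password(username, realm, password):
    """MD5 hex digest of 'username:realm:password' (the auth_password value)."""
    joined = f"{username}:{realm}:{password}"
    return hashlib.md5(joined.encode("utf-8")).hexdigest()

def login_ok(cfg_user, cfg_hash, realm, username, password):
    """True only if username, realm and password all reproduce the stored hash."""
    if not MD5_HEX.fullmatch(cfg_hash):
        return False
    candidate = auth_password(username, realm, password)
    return username == cfg_user and hmac.compare_digest(candidate, cfg_hash.lower())

def audit(cfg_user, cfg_hash, realm):
    """Findings for a configured auth_username / auth_password pair."""
    if not MD5_HEX.fullmatch(cfg_hash):
        # e.g. a plain-text password pasted where the hash belongs
        return ["auth_password is not a 32-character hex MD5 digest"]
    findings = []
    if login_ok(cfg_user, cfg_hash, realm, DEMO_USER, DEMO_PASS):
        findings.append("demo login test/test still works")
    return findings

if __name__ == "__main__":
    user = input("auth_username: ")
    realm = input("Realm shown by MyID.config.php: ")
    value = auth_password(user, realm, getpass.getpass("Password: "))
    print("auth_password =", value)
    for finding in audit(user, value, realm):
        print("WARNING:", finding)
```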

There are other settings in the config file that you don’t really need to touch (unless you want to). Just read the README file provided and it will explain what they mean.

If you want, you can edit your nickname, email, fullname, dob, gender, postcode, country, language and timezone, to use with the OpenID self registration component. Just remember to uncomment the lines by deleting the # at the start of each line.

Once you have your auth_password, visit the MyID.config.php webpage and make sure you can log in with your new username and password. If you log in successfully, you will see a screen like this.

[Screenshot: phpMyID logged-in screen]

If it doesn’t work, have a read in the troubleshooting section in the README file.

Edit your website

Now that the authentication is working smoothly, you just have to edit the index (or default) webpage for your website and add two lines of HTML code to the head of the file.

<link rel="openid.server" href="http://phpmyid.com/MyID.config.php">
<link rel="openid.delegate" href="http://phpmyid.com/MyID.config.php">

Remember to change the href attribute to the location of your MyID.config.php file. Note: If you are using a CMS such as Joomla, you will need to edit the template’s index.php file, and not the actual Joomla root index file.
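
A check for the two delegation tags on your index page, written for this walkthrough as an added example (not code from phpMyID or the original article; the function and class names are hypothetical). It flags tags that are missing from the head, tags still pointing at the phpmyid.com sample location, and endpoints not served over HTTPS, the SSL point raised in the comments. The sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

DEMO_HOST = "phpmyid.com"  # host used in the article's sample tags
RELS = ("openid.server", "openid.delegate")

class OpenIDLinks(HTMLParser):
    """Collect <link rel="openid.*"> hrefs that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            for rel in (attrs.get("rel") or "").lower().split():
                if rel in RELS:
                    self.links[rel] = attrs.get("href") or ""

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_delegation(html):
    """Return a list of findings for the OpenID delegation tags in a page."""
    parser = OpenIDLinks()
    parser.feed(html)
    findings = []
    for rel in RELS:
        href = parser.links.get(rel)
        if not href:
            findings.append(f"{rel}: missing from <head>")
            continue
        url = urlparse(href)
        if (url.hostname or "").lower() in (DEMO_HOST, "www." + DEMO_HOST):
            findings.append(f"{rel}: still points at the sample host {DEMO_HOST}")
        if url.scheme.lower() != "https":
            findings.append(f"{rel}: endpoint is not served over HTTPS")
    return findings

if __name__ == "__main__":
    # Constructed sample page: own domain, but plain HTTP.
    sample = ('<html><head><link rel="openid.server" href="http://yourdomain.com/openID/MyID.config.php">'
              '<link rel="openid.delegate" href="http://yourdomain.com/openID/MyID.config.php"></head></html>')
    print("\n".join(check_delegation(sample)) or "no findings")
```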

The Final Step

Well, maybe I lied. There is one more step. It is to log in to an OpenID-enabled website to check that everything works properly. I have a WordPress plugin on my blog which allows you to register and log in using OpenID. If the website accepts your OpenID login (and all is working) you will be prompted to enter your username and password. Remember that the OpenID login is your website’s URL.

[Screenshot: OpenID login confirmation]

You should now be logged into that site by using your domain name address. If it doesn’t allow you, try a different website, comment below, read the README file or ask in phpMyID’s forum.

  1. Nate
    August 4, 2009 at 9:24 pm

    The big problem with hosting your own OpenID provider is not so much having a weak password; (it is still VERY important, don't get me wrong.) it's that you really ought to have SSL on your endpoint. (which can get spendy.)

    The primary benefit of using SSL for your OpenID URL is that it gives the relying party a mechanism to discover if DNS has been tampered with. And while I'm on the subject, it's impossible for the relying party to tell if an OpenID URL with a self-signed certificate has been compromised.

    There are other benefits you get from using SSL on your provider's endpoint URL (easier to establish associations, no eavesdropping on the extension data) which would still hold if you used a self-signed cert, but I would consider those to be secondary.

  2. Peter
    August 3, 2009 at 8:00 pm

    OpenID is a terrible idea. It's exactly like using the same logon and password for every site. If your OpenID is compromised (by whatever means you want to imagine, it really doesn't matter) then ALL your accounts and logons are compromised.
    Using different logons and passwords for every site is kind of a pain, but it prevents the compromise of any single account from jeopardizing all your other accounts.
    OpenID might work for low-value accounts like blogs and newspaper sites, but it's not going to be viable for high value logons until there is much, much better security.

    • Dave
      August 4, 2009 at 8:15 am

      Peter,

      I actually came to the same realization a year or so ago, after really digging my teeth into it. The only reason I keep an OpenID account forwarded (like the above) to my personal URL - is I use Verisign PIP authentication with a OTP (One time password) keychain so that it is more secure than username/password combo. However, let's say someone employed at Verisign decides to hack or compromise account information in some way, then all your accounts are vulnerable.

      Sometimes, the best password policy is to have 3 or 4 passwords you use on different sites to try to help mitigate the effect if one of your account passwords is somehow compromised.

      • Jack Cola
        August 4, 2009 at 8:26 am

        I think that OpenID is good for sites that you hardly visit or of not much great interest to you to think and try and remember a password.

        For example, when posting on other Blogs, or other things that you will visit once in a Blue moon, OpenID is good to have. But seriously, out of all the websites that you have to log in to or register an account for a site that you probably would never visit again, OpenID is great. It is a quick and easy, one step signup. No entering names, emails etc.
        It is hard trying to remember them all, thus remembering those different passwords, so chances are you have one password already that you use on multiple sites. For example, your Myspace, Facebook, Twitter password is probably the same. What's the difference of using the same password, you may as well use OpenID

        • Peter
          August 4, 2009 at 8:35 am

          "so chances are you have one password already that you use on multiple sites. For example, your Myspace, facebook, twitter password is probably the same. What’s the difference of using the same password, you may as well use OpenID"

          There isn't a whole lot of difference and they are both REALLY bad ideas. Just look at what happened to the Twitter employee who used the same password for multiple accounts.

          However, one big difference is that using the same logon and password for multiple accounts still allows you to change each account if you wish. If you use OpenID they are all using THE SAME logon and password, so if one is compromised they are by definition all compromised. If I happen to use the same logon and password at multiple sites and I fear any one of them has been compromised, I can always go to the others and change my password.

          Use different random passwords for each account and use a product like KeePass or Password Safe to keep all your passwords secure.

        • Dave
          August 4, 2009 at 8:48 am

          +1 For KeePass! I use it almost every day.

  3. Dave
    August 3, 2009 at 3:31 pm

    This can be even simpler. Instead of running your own OpenID software, you can sign up on one of the other providers and just forward to that provider's OpenID page. For example, on your index page of your website, and if you use Google Accounts:

    Login to http://openid-provider.appspot.com/, copy your url for your OpenID (for example, http://openid-provider.appspot.com/username)

    Paste the following code into your index html file in the header (what loads when you go to http://yourwebsite.com/):


    For example:


    You can then use http://yourwebsite.com as the openID login on other webpages. Easy peasy.

    • Jack Cola
      August 4, 2009 at 1:58 am

      Hi Dave,
      It basically pulls information from the script, so when you enter your URL in a login box, it knows it is openID enabled.

      When I was installing this myself for the first time, I forgot to replace the location of the domain when I inserted the code in the header. So I was wondering why my password was test:test.

      If you actually wanted, you could actually put it anywhere you want, on any domain, subdomain, or even leave it as the demo access.

      • Dave
        August 4, 2009 at 8:22 am

        Yeah, my comment basically was saying, you can skip the phpMyID part and use another OpenID provider. You still get the same functionality, of using your domain name as an openID URL.

        I just think that having another OpenID provider running instead of running your own software for OpenID is much more secure. For example, if a security flaw is found in phpMyID it will possibly allow your account to be compromised unless you keep a vigilant eye on it, something other OpenID providers are staking their business on and ostensibly have whole teams dedicated to keeping themselves secure.

        • Jack Cola
          August 4, 2009 at 8:29 am

          For added security, you could probably password protect the OpenId folder on your webserver. Possibly use 2 different passwords or put a 1 before or after it to make it a little bit different.

          But then again, what happens if your third party OpenID provider gets hacked or something? It's a catch 22.

        • Peter
          August 4, 2009 at 8:40 am

          "put a 1 before or after it to make it a little bit different."

          Good idea, no one would ever think of trying that.

          "But then again, what happens if your third party OpenID provider gets hacked or something? It’s a catch 22."

          That's why OpenID is a bad idea. Too much risk. It might make sense for a site where you have to log on to post a comment or newspaper sites that make you log on to read articles, or maybe some other sites that have absolutely no personal information attached to them. But if you think OpenID is a good idea for financial sites, email accounts, or other high-value logons you're crazier than I thought.

        • Peter
          August 4, 2009 at 8:41 am

          “put a 1 before or after it to make it a little bit different.”

          Good idea, no one would ever think of trying that.

          (My sarcasm tag didn't display properly)

        • Jack Cola
          August 4, 2009 at 8:55 am

          I wouldn't recommend using OpenID for any website that you have personal details stored. But for those little sites, it may come in handy. If you don't want to use PHPMyID, as I mentioned chi.mp is great for OpenID and other things.

          Ok, it doesn't have to be a 1, maybe a 2, or qaz? If someone was to guess it, it would take them much longer than if it was the same. Or you can check this post out. http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/
