


6 Posts   2158 Views


10 February 2007 at 9:28am Administrator, 685 Posts

I had a bit of a read about OpenID this morning.

Essentially, how it works for non-developers is this:

* you sign up for an account at a site such as
* they give you a URL, such as
* you go to a site that accepts openid authentication, and type this URL in.
* will be responsible for authenticating you and providing profile information (name, nickname, date of birth, country, etc) that you choose to provide.

The benefits to the user are roughly:
* a single password for all your sites
* those sites never know your password, myopenid just tells them whether to let you in or not
* you have a lot of control over what you let different sites see, in a nice interface. You can also see stats about sites you've signed into and things.

The disadvantages:
* You've got to sign up for an account at before doing anything
* You need to use a URL instead of an email address or a username to sign up - this would probably take some getting used to.

Both of these disadvantages are pretty trivial, but OpenID is still something that should be an optional authentication scheme on a site.

SilverStripe has an authentication system built into the core. Perhaps it would be worth offering OpenID authentication as part of this?

What have other people's experiences with OpenID been?


5 March 2007 at 5:12pm Community Member, 17 Posts

I've been following this a little; at BarCamp London 2 and Future of Web Apps (FOWA), both of which happened in the same week, it was buzzy and everyone was into it. There are some fundamental security issues with OpenID 1, however. Microsoft's head of identity, Kim Cameron, has written about this, which I blogged here:

Everyone's announcing OpenID support --, Yahoo, etc. So it's in vogue, but I'd want to follow the 'middle man' vulnerability closely...


21 March 2007 at 6:11am Community Member, 5 Posts

I'm interested in doing an optional integration as part of GSOC. These are some of my insights:

> * you sign up for an account at a site such as

Any SilverStripe site can enable a feature that allows itself to become an OpenID server (i.e. act as an identity provider).

> * they give you a URL, such as

A user blogging using SilverStripe can use his/her blog URL as the username.

> * will be responsible for authenticating you and providing profile information (name, nickname, date of birth, country, etc) that you choose to provide.

A SilverStripe site that supports OpenID caches user information from other identity providers, and provides identity information to relying parties (consumer sites) _as_ an identity provider.


21 March 2007 at 11:17am Administrator, 685 Posts

Those are good thoughts. SilverStripe's got its own application-wide authentication and profile system that covers everything from mailing lists to CMS log-in to forum and blog posting. The best bet would be to provide some kind of OpenID gateway for this.

You would want to amend LoginForm to optionally include an OpenID field (not all sites are good candidates for open-id), and create mirror records in the Member table as appropriate.

One important thing to think about will be assessing what rights a new user extracted from open id will have. You don't want people to log in with their open id to a private forum, for instance! Permission codes are assigned to groups in the security section of the CMS, so you probably want to be able to define a number of groups that new users from open id are assigned to - either on a site-by-site basis or a LoginForm by LoginForm basis.
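
The group-assignment idea in the post above, sketched as an added example (not part of the original thread and not SilverStripe code): first-time OpenID users get only the groups configured for the login form they used, and sensitive groups are never granted automatically. The form names, group codes and function names are hypothetical, and the OpenID assertion is assumed to have been verified before this code runs.

```php
<?php
// Added illustration: a self-contained model, NOT SilverStripe's Member/Group API.

// Hypothetical policy: groups a first-time OpenID user joins, per login form.
// A form with no entry here does not accept OpenID sign-in at all.
const OPENID_DEFAULT_GROUPS = [
    'BlogCommentLoginForm' => ['blog-commenters'],
    'PublicForumLoginForm' => ['forum-members'],
    'MisconfiguredForm'    => ['forum-members', 'administrators'],
];

// Groups that must only ever be granted by hand in the CMS security section.
const NEVER_AUTO_ASSIGN = ['administrators', 'private-forum'];

// Return the mirror record for an already-verified OpenID identity, creating
// it on first login. $members stands in for the Member table, keyed by URL.
function provisionOpenIdMember(array &$members, string $identityUrl, string $formName): array
{
    if (!isset(OPENID_DEFAULT_GROUPS[$formName])) {
        throw new RuntimeException("OpenID sign-in is not enabled for $formName");
    }
    if (isset($members[$identityUrl])) {
        // Returning user: keep what an administrator has set, grant nothing new.
        return $members[$identityUrl];
    }
    $groups = array_values(array_diff(OPENID_DEFAULT_GROUPS[$formName], NEVER_AUTO_ASSIGN));
    $members[$identityUrl] = ['identity' => $identityUrl, 'groups' => $groups];
    return $members[$identityUrl];
}

function inGroup(array $member, string $group): bool
{
    return in_array($group, $member['groups'], true);
}

// Constructed sample run.
$members = [];
$alice = provisionOpenIdMember($members, 'https://alice.example/', 'PublicForumLoginForm');
var_dump(inGroup($alice, 'forum-members'));  // membership of the public forum group
var_dump(inGroup($alice, 'private-forum'));  // private forum group is not granted
$bob = provisionOpenIdMember($members, 'https://bob.example/', 'MisconfiguredForm');
var_dump($bob['groups']);                    // deny-listed group has been filtered out
try {
    provisionOpenIdMember($members, 'https://carol.example/', 'StaffLoginForm');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";             // a form without a policy entry refuses OpenID
}
```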


21 March 2007 at 3:03pm Forum Moderator, 628 Posts

mootaccount, look forward to seeing your GSoC application!

Email me if you want something urgently, given there's not many days left until the deadline for submissions.


21 March 2007 at 4:19pm Community Member, 5 Posts

Thanks Sam and Sigurd for the ideas and help. I am integrating them into my application. If I remember it correctly, you can still comment on my proposal even after I submit it to the GSOC website, and I can still edit it. I am submitting within the day (GMT+8). My name is Prem.