
OpenID




6 Posts   2947 Views

Sam

Administrator, 690 Posts

10 February 2007 at 9:28am

I had a bit of a read about OpenID this morning.

Essentially, how it works for non-developers is this:

* you sign up for an account at a site such as http://www.myopenid.com
* they give you a URL, such as http://sminnee.myopenid.com
* you go to a site that accepts openid authentication, and type this URL in.
* myopenid.com will be responsible for authenticating you and providing profile information (name, nickname, date of birth, country, etc) that you choose to provide.

The benefits to the user are roughly:
* a single password for all your sites
* those sites never know your password, myopenid just tells them whether to let you in or not
* you have a lot of control over what you let different sites see, in a nice interface. You can also see stats about sites you've signed into and things.

The disadvantages:
* You've got to sign up for an account at myopenid.com before doing anything
* You need to use a URL instead of an email address or a username to sign up - this would probably take some getting used to.

Both of these disadvantages are pretty trivial, but OpenID is still something that should be an optional authentication scheme on a site.

SilverStripe has an authentication system built into the core. Perhaps it would be worth offering OpenID authentication as part of this?

What have other people's experiences with OpenID been?

julian

Community Member, 17 Posts

5 March 2007 at 5:12pm

I've been following this a little; at BarCamp London 2 and Future of Web Apps (FOWA), both of which happened in the same week, it was buzzy and everyone was into it. There are some fundamental security issues with OpenID 1, however. Microsoft's head of identity, Kim Cameron, has written about this, which I blogged here:

http://www.julianonsoftware.com/?p=1746

Everyone's announcing OpenID support -- digg.com, yahoo, etc. So it's in vogue but I'd want to follow the 'middle man' vulnerability closely...

mootaccount

Community Member, 5 Posts

21 March 2007 at 6:11am

I'm interested in doing an optional integration as part of GSOC. These are some of my insights:

> * you sign up for an account at a site such as http://www.myopenid.com

Any SilverStripe site can enable a feature that allows itself to become an OpenID server (i.e. act as an identity provider).

> * they give you a URL, such as http://sminnee.myopenid.com

A user blogging using SilverStripe can use his/her blog URL as the username.

> * myopenid.com will be responsible for authenticating you and providing profile information (name, nickname, date of birth, country, etc) that you choose to provide.

A SilverStripe site that supports OpenID caches user information from other identity providers, and provides identity information to relying parties (consumer sites) _as_ an identity provider.

Sam

Administrator, 690 Posts

21 March 2007 at 11:17am

Those are good thoughts. SilverStripe's got its own application-wide authentication and profile system that covers everything from mailing lists to CMS log-in to forum and blog posting. The best bet would be to provide some kind of OpenID gateway for this.

You would want to amend LoginForm to optionally include an OpenID field (not all sites are good candidates for open-id), and create mirror records in the Member table as appropriate.

One important thing to think about will be assessing what rights a new user extracted from open id will have. You don't want people to log in with their open id to a private forum, for instance! Permission codes are assigned to groups in the security section of the CMS, so you probably want to be able to define a number of groups that new users from open id are assigned to - either on a site-by-site basis or a LoginForm by LoginForm basis.
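The gateway idea in the post above, as an added example that is not part of the original thread and is not SilverStripe code: a new OpenID login creates a mirror member record and receives only the groups configured for the login form it came through, so a private-forum permission is never granted by default. The class `OpenIdGateway`, its methods, and the group, form and permission names are all hypothetical, and the URL is assumed to have already been verified with the identity provider.

```php
<?php
// Added illustration, not SilverStripe code; all class, group and permission names are hypothetical.
final class OpenIdGateway
{
    private array $members = []; // mirror "Member" rows: normalised URL => group names

    // $groupPermissions: group => permission codes; $formDefaults: login form => groups for NEW OpenID users
    public function __construct(private array $groupPermissions, private array $formDefaults) {}

    // Call only after the identity provider has verified $url for this visitor.
    public function login(string $url, string $formName): string
    {
        $id = self::normalise($url);
        if (!isset($this->members[$id])) {
            // A form with no configured default grants no groups (fail closed).
            $this->members[$id] = $this->formDefaults[$formName] ?? [];
        }
        return $id; // returning members keep the groups they already have
    }

    public function can(string $id, string $permissionCode): bool
    {
        foreach ($this->members[$id] ?? [] as $group) {
            if (in_array($permissionCode, $this->groupPermissions[$group] ?? [], true)) {
                return true;
            }
        }
        return false;
    }

    // One stable key per identity, so case variants of a URL share one record
    // (query string and fragment are not part of the key here).
    public static function normalise(string $url): string
    {
        $p = parse_url(trim($url));
        $scheme = strtolower($p['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || empty($p['host'])) {
            throw new InvalidArgumentException('OpenID identifier must be an http(s) URL');
        }
        return $scheme . '://' . strtolower($p['host'])
            . (isset($p['port']) ? ':' . $p['port'] : '') . ($p['path'] ?? '/');
    }
}

// Constructed sample: the blog form gives new OpenID users one low-privilege group.
$gw = new OpenIdGateway(
    ['openid-users' => ['POST_COMMENT'], 'staff' => ['VIEW_PRIVATE_FORUM']],
    ['BlogLoginForm' => ['openid-users']]
);
$id = $gw->login('http://Sminnee.MyOpenID.com', 'BlogLoginForm');
var_dump($gw->can($id, 'POST_COMMENT'), $gw->can($id, 'VIEW_PRIVATE_FORUM'));
```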

Sigurd

Forum Moderator, 628 Posts

21 March 2007 at 3:03pm

mootaccount, look forward to seeing your GSoC application!

Email me if you want something urgently, given there's not many days left until the deadline for submissions.

mootaccount

Community Member, 5 Posts

21 March 2007 at 4:19pm

Thanks Sam and Sigurd for the ideas and help. I am integrating them into my application. If I remember it correctly, you can still comment on my proposal even after I submit it to the GSOC website, and I can still edit it. I am submitting within the day (GMT+8). My name is Prem.