Oliver Wong wrote:
> Sounds interesting. Can anyone explain how OpenID actually works? I read
> the "How's it work?" section and looked at the "authentication protocol flow
> diagram", but some details don't make sense to me:
>
> (1) So you enter in some URL that you control. Fine.
> (2) The server which wishes to authenticate you checks the URL for a
> special file (some sort of public key?)
> (3) If you have never connected to this server before, the authentication fails
> and you have to add the server to a trust list. I guess that special file
> gets updated somehow (perhaps with a public key given to you from the
> server).
> (4) You do so, and now the server sees that you do indeed own that URL.
>
> But now that the magic file is there, what's to prevent someone else from
> entering the same URL that you had entered in, and all the necessary magic
> files are already present, thus allowing them to masquerade as you?
>
> - Oliver
Hi Oliver,
One step the protocol doesn't address is how you authenticate to your
Identity Provider. In the case of current deployments, you have a
single username/password that you use at your IdP which your URL points
to. Thus in order for your IdP to tell the site you're logging into
that you own the URL, you first have to authenticate to it. This also
has the benefit that if you deploy two-factor authentication at your IdP,
it effectively has been deployed for every site you log in to.
--David
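The flow David describes, as an added example that is not part of this thread: a toy relying party (RP) discovers the IdP from the claimed URL, holds an association key with the IdP, and only accepts an assertion the IdP has signed after the user authenticated there. The discovery table, the accounts and the "associate" step are constructed simplifications (real OpenID derives the association key with Diffie-Hellman and signs with HMAC-SHA1 or HMAC-SHA256 over key-value pairs); the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed discovery table: fetching the claimed URL would normally reveal
# the IdP endpoint (the "magic file" / openid.server link in the page).
DISCOVERY = {"https://oliver.example/": "https://idp.example/openid"}


def sign(key, fields):
    """HMAC over the listed fields in OpenID key-value form ("k:v\\n" per line)."""
    msg = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha256).digest()).decode()


class IdentityProvider:
    """Toy IdP: owns the user's credentials and signs assertions with an association key."""

    def __init__(self):
        self._accounts = {}  # claimed URL -> (salt, PBKDF2 hash of the password)
        self._assocs = {}    # assoc_handle -> shared HMAC key

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, claimed_id, password):
        salt = secrets.token_bytes(16)
        self._accounts[claimed_id] = (salt, self._hash(password, salt))

    def associate(self):
        """Association step (simplified: the key is handed back directly)."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._assocs[handle] = key
        return handle, key

    def checkid(self, claimed_id, return_to, assoc_handle, password):
        """The user is redirected here and must authenticate to the IdP.
        Unknown URL or wrong password -> no assertion is ever produced."""
        record = self._accounts.get(claimed_id)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return None  # knowing the URL alone earns nothing
        fields = {
            "mode": "id_res",
            "identity": claimed_id,
            "return_to": return_to,
            "assoc_handle": assoc_handle,
            "response_nonce": secrets.token_hex(8),
        }
        fields["signed"] = ",".join(fields)
        fields["sig"] = sign(self._assocs[assoc_handle], fields)
        return fields


class RelyingParty:
    """Toy RP: discovers the IdP, keeps the association, verifies assertions."""

    def __init__(self, idp, return_to):
        self.idp, self.return_to = idp, return_to
        self.handle, self.key = idp.associate()
        self._seen_nonces = set()

    def begin(self, claimed_id):
        # Discovery: the claimed URL tells the RP which IdP to redirect to.
        return DISCOVERY.get(claimed_id)

    def verify(self, claimed_id, response):
        if response is None or response.get("assoc_handle") != self.handle:
            return False
        if response.get("identity") != claimed_id or response.get("return_to") != self.return_to:
            return False
        if not hmac.compare_digest(sign(self.key, response), response.get("sig", "")):
            return False  # tampered or unsigned
        nonce = response["response_nonce"]
        if nonce in self._seen_nonces:
            return False  # replayed assertion
        self._seen_nonces.add(nonce)
        return True


def login(rp, claimed_id, password):
    """One full round trip; True only if the IdP authenticated the user and signed."""
    if rp.begin(claimed_id) is None:
        return False
    response = rp.idp.checkid(claimed_id, rp.return_to, rp.handle, password)
    return rp.verify(claimed_id, response)


def demo():
    idp = IdentityProvider()
    idp.register("https://oliver.example/", "correct horse battery staple")  # constructed
    rp = RelyingParty(idp, "https://site.example/openid/return")
    owner = login(rp, "https://oliver.example/", "correct horse battery staple")
    impostor = login(rp, "https://oliver.example/", "guess")  # same URL, no IdP credential
    return owner, impostor
```

Running `demo()` returns `(True, False)`: the URL's owner gets a signed assertion the RP accepts, while someone who merely types the same URL is stopped at the IdP's login step and never obtains a signature. The nonce set shows the other check an RP needs: a captured assertion cannot be presented twice.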