OpenID Guerrillas: The Importance Of Using OpenID Delegation And Keeping A Backup Identity
(or How Random Internet Funkiness Can Spoil Your Basecamp Experience)

At the end of last week's hacking session, I was happy to report that I had a working PlusNet beta OpenID and was able to use it to access my Basecamp account. That following Saturday I wanted to show off to my partner (who uses Verisign PIP for OpenID) my working PlusNet OpenID by logging into Basecamp. It didn't work. PlusNet's server wasn't responding.

"Ah well", I said, "as it's a beta, maybe it's only accessible from within the PlusNet network. I'll switch back to logging into Basecamp with my username and password like before."

Oh no, I won't! I clicked the "Login with your username and password" link to switch to the conventional login form and found that I still couldn't get in. Mild panic ensued. As it turns out, registering an OpenID against a Basecamp account disables the password-based login!

Fortunately, my partner is also the administrator of my Basecamp account. She was able to log in, de-register the OpenID from my account and set up a new username/password combination to let me get in. It was only a minor inconvenience, but it worried me for a while. What if my partner's OpenID provider goes offline? The administrator of a Basecamp account being locked out would be a major inconvenience.

The problem here isn't with OpenID as such. It's a problem with the implementation of OpenID on Basecamp, but it highlighted for me the good practice of having a backup identity provider for important services. The OpenID specification has an elegant solution to the problem - delegation. My OpenID identifying URL isn't my PlusNet one, it's the URL of my blog. Placing a couple of META tags in my blog header template allows me to redirect the relying party to my identity provider of choice. So, in the situation I found myself in, where my primary identity provider was not available, using delegation allows me to switch to my backup identity provider as and when I need to.
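As an added example (not code from the original post, nor the author's blog template), here is the delegation markup an OpenID relying party looks for in a page's `<head>` and a minimal discovery routine showing what the relying party resolves from it. The OpenID specifications express delegation as `<link>` elements in the head: `openid.server`/`openid.delegate` for OpenID 1.1 and `openid2.provider`/`openid2.local_id` for OpenID 2.0. The blog and provider URLs below are constructed placeholders, and the primary/backup pairing is assumed for illustration.

```python
"""Added example: OpenID delegation markup and a minimal discovery parser.

Shows that, with the blog URL as the claimed identifier, swapping the two
link targets in the header template is all that is needed to send relying
parties to a backup provider when the primary one is offline.
"""
from html.parser import HTMLParser

# Constructed placeholder URLs (not the author's real blog or providers).
BLOG_URL = "https://blog.example.net/"
PRIMARY = ("https://openid.provider-a.example/server", "https://me.provider-a.example/")
BACKUP = ("https://pip.provider-b.example/server", "https://me.pip.provider-b.example/")


def delegation_head(provider_endpoint, local_id):
    """Return the <head> fragment a blog template carries to delegate.

    Emits both the OpenID 1.1 pair (openid.server / openid.delegate) and the
    OpenID 2.0 pair (openid2.provider / openid2.local_id) so relying parties
    speaking either version resolve the same provider.
    """
    return (
        "<head>\n"
        f'  <link rel="openid.server" href="{provider_endpoint}">\n'
        f'  <link rel="openid.delegate" href="{local_id}">\n'
        f'  <link rel="openid2.provider" href="{provider_endpoint}">\n'
        f'  <link rel="openid2.local_id" href="{local_id}">\n'
        "</head>\n"
    )


class _LinkCollector(HTMLParser):
    """Collects rel token -> href for every <link> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if not rel or not href:
            return
        # rel may carry several whitespace-separated tokens; keep the first
        # href seen for each token, as discovery uses the first matching link.
        for token in rel.lower().split():
            self.links.setdefault(token, href)


def discover(html, claimed_id):
    """Resolve the provider endpoint and local identifier for claimed_id.

    OpenID 2.0 relations are preferred over the 1.1 ones. When no delegate is
    given, the claimed identifier doubles as the local identifier. Returns
    None when the page carries no delegation markup at all, which is what a
    relying party sees when the template has lost its link tags.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    provider = links.get("openid2.provider") or links.get("openid.server")
    if provider is None:
        return None
    local_id = links.get("openid2.local_id") or links.get("openid.delegate") or claimed_id
    return {"provider": provider, "local_id": local_id}


def blog_page(provider):
    """Constructed blog page: the delegating header template plus a body."""
    endpoint, local_id = provider
    return "<!DOCTYPE html><html>" + delegation_head(endpoint, local_id) + "<body>Hello</body></html>"


if __name__ == "__main__":
    # Same claimed identifier (BLOG_URL) both times; only the template changes.
    for label, provider in (("primary", PRIMARY), ("backup", BACKUP)):
        print(label, discover(blog_page(provider), BLOG_URL))
```

Two checks are worth making before relying on this as a fallback. First, the `local_id` (the delegate URL) must be an identifier the backup provider actually asserts for you, or the fallback fails at the provider in the same way the primary did; logging in once via the backup while the primary is healthy proves the pair works. Second, whoever can edit the blog's head controls where relying parties send every login for that identifier, so the page hosting the delegation tags needs the same protection as the identity itself: serve it over TLS and keep template write access tight.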
Footnote: PlusNet's beta OpenID server was taken off-line last weekend as a security measure to protect it and our customers from an attack that had been perpetrated against one of my colleagues' accounts. That's a correct response that any provider of OpenID identities will instigate from time to time. Beware random internet funkiness!