Definition

The Web as we know it today is site-centric, which results in users having multiple passwords and profiles. Web users face the burden of managing this increasing number of accounts and passwords, which leads to “password fatigue”.

  • password fatigue leads users to devise coping strategies that degrade the strength of their credentials

OpenID is a decentralized WSSO (web single sign-on) solution. It is a free protocol, and users can choose or even set up their own OpenID provider.

OpenID Connect uses OAuth 2.0 as the underlying access authorization protocol and adds identity and interoperability features.

  • OAuth is an authorization protocol that lets a user grant an application access to her resources without sharing her password

How does it work

  1. Login Request: A user selects an identity provider or enters her OpenID URL via a login form presented by a relying party (the website the user is logging in to)
  2. Auth Request: the relying party fetches the document at the given OpenID URL to discover the identity provider’s endpoint, and then redirects the user to the identity provider for authentication
  3. The user authenticates to the identity provider by entering username and password, and then consents to the release of her profile information
  4. Auth Response: the identity provider redirects the user back to the relying party with the user’s OpenID identifier and profile attributes, both of which are signed by the identity provider
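The four steps above, worked through as an added example (not code from the original notes or from any OpenID library). It simulates both sides of an OpenID Connect login in one process: the relying party builds the auth request with a state and nonce, the provider issues a signed ID token, and the relying party checks signature, issuer, audience, nonce and expiry before trusting the identity. The issuer URL, client id, redirect URI and shared secret are constructed placeholders, and the token is signed with HMAC-SHA256 (HS256) for brevity; real providers usually publish an asymmetric key and sign with RS256, but the validation steps on the relying-party side are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; none of these are real endpoints or keys.
PROVIDER_ISSUER = "https://op.example"                 # hypothetical identity provider
PROVIDER_AUTH_ENDPOINT = PROVIDER_ISSUER + "/authorize"
RP_CLIENT_ID = "rp-example-client"                     # hypothetical relying party id
RP_REDIRECT_URI = "https://rp.example/callback"
SHARED_SECRET = b"constructed-shared-secret-for-hs256-demo"  # secret known to OP and RP


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Steps 1 and 2: the relying party builds the authentication request.
def build_auth_request(session: dict) -> str:
    """Generate a state (binds the response to this browser session) and a
    nonce (binds the ID token to this request), store both server-side, and
    return the URL the user is redirected to at the provider."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "id_token",
        "client_id": RP_CLIENT_ID,
        "redirect_uri": RP_REDIRECT_URI,
        "scope": "openid profile",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return PROVIDER_AUTH_ENDPOINT + "?" + urlencode(params)


# Step 3: after authenticating the user, the provider signs an ID token
# carrying the identifier (sub) and consented profile attributes.
def provider_issue_id_token(auth_request_url: str, subject: str, now: int) -> str:
    q = parse_qs(urlparse(auth_request_url).query)
    claims = {
        "iss": PROVIDER_ISSUER,
        "sub": subject,
        "aud": q["client_id"][0],
        "nonce": q["nonce"][0],
        "iat": now,
        "exp": now + 300,
        "name": "Example User",
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# Step 4: the relying party validates the response before trusting it.
def verify_id_token(token: str, session: dict, returned_state: str, now: int) -> dict:
    if not hmac.compare_digest(returned_state, session.get("state", "")):
        raise ValueError("state mismatch: response not bound to this session")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")     # attributes were altered or forged
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != PROVIDER_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("token was issued for a different relying party")
    if not hmac.compare_digest(claims.get("nonce", ""), session.get("nonce", "")):
        raise ValueError("nonce mismatch: token does not belong to this request")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def demo() -> tuple:
    """Run the honest flow, then replay the same token with an altered
    payload; returns (accepted subject, whether the altered token was rejected)."""
    session = {}
    url = build_auth_request(session)
    token = provider_issue_id_token(url, "alice", now=1000)
    claims = verify_id_token(token, session, session["state"], now=1010)
    h, p, s = token.split(".")
    altered = json.loads(b64url_decode(p))
    altered["sub"] = "mallory"
    forged = h + "." + b64url(json.dumps(altered).encode()) + "." + s
    try:
        verify_id_token(forged, session, session["state"], now=1010)
        rejected = False
    except ValueError:
        rejected = True
    return claims["sub"], rejected


if __name__ == "__main__":
    print(demo())  # ("alice", True)
```

The checks in `verify_id_token` are the ones that matter on the relying-party side: the signature proves the provider issued the attributes unmodified, `aud` prevents a token minted for one site from being accepted by another, and the session-bound `state` and `nonce` prevent a captured response from being replayed or injected into a different user's login.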

Known issues with OpenID


References