Introduction

The OpenID protocol is the original federated identity protocol from the OpenID Foundation. SimpleID supports versions 1.1 and 2.0 of the protocol.

It has been superseded by the OpenID Connect protocol.

Modules

The core OpenID protocol is implemented in the SimpleID\Protocols\OpenID\OpenIDModule module. This module is enabled by default.

Additional modules related to the OpenID protocol are set out in the table below.

Module | Description | Enabled by default?
SimpleID\Protocols\OpenID\Extensions\SRegOpenIDExtensionModule | Implements the Simple Registration Extension | Yes
SimpleID\Protocols\OpenID\Extensions\AXOpenIDExtensionModule | Implements the Attribute Exchange Extension | No
SimpleID\Protocols\OpenID\Extensions\PAPEOpenIDExtensionModule | Implements the Provider Authentication Policy Extension | No

User configuration

User configuration for the OpenID protocol is set out under the openid object in the user file.

In order to use the OpenID protocol, the user configuration must contain an identity value, containing the OpenID identifier for the user. For example:

openid: 
    identity: "http://example.com/"

Identifier

Under the OpenID specifications, an identifier can be a URI or an XRI. In most cases, an identifier will be a URL, a form of a URI. This section assumes that you will choose an identifier in the form of a URL.

It is very important that you follow the requirements in this section carefully. A substantial number of the problems encountered when using SimpleID are caused by the identifier not being specified correctly.

The identifier must satisfy the following requirements.

  • The identifier must be unique. An identifier can be associated with only one identity. If you choose an identifier which is shared with another identity, unexpected results can occur.

  • The identifier must be accessible from the Internet. Other web sites must be able to access the URL in order to obtain information about where your SimpleID installation is.

    In addition, your identifier should be accessible without using any redirects. To check this, go to the web page with your identifier URL in your web browser and check that the URL displayed in the address bar is exactly the same as your identifier URL.

    Pay particular attention to whether or not your identifier URL contains a trailing slash (/). Web servers may automatically append a trailing slash to your identifier URL if your URL points to a directory rather than a file.

  • The identifier must be "claimable". You must be able to edit the web page with your identifier URL to include information about your SimpleID installation.

Simple Registration Extension

The extension module SimpleID\Protocols\OpenID\Extensions\SRegOpenIDExtensionModule implements the OpenID Simple Registration Extension. It allows you to specify details which you normally provide when you register for web sites (such as your name and e-mail address), and have SimpleID provide them automatically to web sites which request them.

The registration information is specified under the sreg object under the openid object in the user file. For what can be specified in this section, see the specifications. Note that the registration information in the identity file is specified without the openid.sreg. prefix.

An example is given below.

openid:
    sreg:
        nickname: Example
        email: example@example.com
        fullname: Example
        dob: 2000-00-00
        gender: M
        postcode: 1234
        country: AU
        language: en
        timezone: Australia/Sydney

Attribute Exchange Extension

The extension module SimpleID\Protocols\OpenID\Extensions\AXOpenIDExtensionModule partially implements the OpenID Attribute Exchange Extension. It allows you to specify identity information, and have SimpleID provide them automatically to web sites which request them.

This module only implements the fetch message section of the specification. That is, it allows relying parties to retrieve identity data from SimpleID, but it does not allow relying parties to push data back to SimpleID.

The attributes are specified under the ax object under the openid object in the user file. For what can be specified in this section, see the specifications. For a list of common attributes, see the draft specifications.

An example is given below.

openid:
    ax:
        "http://openid.net/schema/company/name": Example Company Limited
        "http://openid.net/schema/company/title": Managing Director
        "http://openid.net/schema/contact/web/blog": http://simpleid.sourceforge.net/
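The following is an added example, not code from SimpleID itself, showing what the sreg and ax sections of the user file are used for: how a provider turns them into the extension parameters of an OpenID response, releasing only the fields a relying party actually asked for. It covers both the Simple Registration and the Attribute Exchange (fetch only) passages above. The parameter names follow the SReg 1.1 and AX 1.0 specifications; USER_OPENID is a constructed sample standing in for the parsed openid object of a user file, and the request dictionaries in the usage are constructed too.

```python
# Added example (not SimpleID's own code): building the openid.sreg.* and
# openid.ax.* response parameters from a user file's "openid" object.
# Field and parameter names follow the SReg 1.1 and AX 1.0 specifications.

SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"
# The nine fields defined by the Simple Registration Extension.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}

# Constructed sample of the "openid" object from a user file, already parsed.
USER_OPENID = {
    "identity": "http://example.com/",
    "sreg": {"nickname": "Example", "email": "example@example.com",
             "country": "AU", "language": "en"},
    "ax": {"http://openid.net/schema/company/name": "Example Company Limited",
           "http://openid.net/schema/contact/web/blog":
               "http://simpleid.sourceforge.net/"},
}


def _split(value):
    """Split a comma-separated field/alias list, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def sreg_response(user_openid, request):
    """Build the openid.sreg.* parameters answering an SReg request.

    Only fields the relying party named (required or optional) that are also
    present in the user's "sreg" object are returned. Names outside the
    specification's field set are ignored, so a request cannot be used to
    probe arbitrary keys of the user file.
    """
    wanted = (_split(request.get("openid.sreg.required", ""))
              + _split(request.get("openid.sreg.optional", "")))
    stored = user_openid.get("sreg", {})
    response = {"openid.ns.sreg": SREG_NS}
    for field in wanted:
        if field in SREG_FIELDS and field in stored:
            # The user file stores the field without the openid.sreg. prefix;
            # the prefix is added only on the wire.
            response["openid.sreg." + field] = str(stored[field])
    return response


def ax_fetch_response(user_openid, request):
    """Build the openid.ax.* parameters answering an AX fetch_request.

    Returns None for any other AX mode (for example store_request), mirroring
    a provider that implements only the fetch part of the extension.
    """
    if request.get("openid.ax.mode") != "fetch_request":
        return None
    stored = user_openid.get("ax", {})
    response = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response"}
    # The alias is chosen by the relying party; the type URI behind each alias
    # decides which stored attribute (if any) is released under that alias.
    for key, type_uri in request.items():
        if not key.startswith("openid.ax.type."):
            continue
        alias = key[len("openid.ax.type."):]
        if type_uri in stored:
            response["openid.ax.type." + alias] = type_uri
            response["openid.ax.value." + alias] = str(stored[type_uri])
    return response


if __name__ == "__main__":
    # Constructed requests, as a relying party would send them.
    print(sreg_response(USER_OPENID, {"openid.sreg.required": "nickname,email",
                                      "openid.sreg.optional": "fullname,country"}))
    print(ax_fetch_response(USER_OPENID, {
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.company": "http://openid.net/schema/company/name",
        "openid.ax.type.title": "http://openid.net/schema/company/title",
        "openid.ax.required": "company", "openid.ax.if_available": "title"}))
```

Note that a field the relying party requests but the user file does not contain (fullname and the company title above) is simply absent from the response; the specifications do not require the provider to supply every requested field.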

Client configuration

None. All clients (OpenID relying parties) register with the SimpleID server dynamically.

Other configuration

Claiming your identifier

Claiming your identifier is the way you show that you have control over that identifier. This involves editing the page with the identifier URL to embed information about your SimpleID installation. This then allows web sites to find out where to find SimpleID when you attempt to log into them using OpenID authentication.

There are various ways in which you can claim your identifier.

Use <link> tags

The easiest way to claim your identifier is to use <link> tags.

To do this, edit the web page returned by the identifier URL. Copy and paste the following section between the <head> and </head> tags:

<link rel="openid.server" href="http://www.example.com/simpleid/" />
<link rel="openid2.provider" href="http://www.example.com/simpleid/" />

Replace the URL http://www.example.com/simpleid/ with one which points to where you have moved the www directory of the SimpleID installation.

The URL specified by these link tags must contain a trailing slash, unlike the canonical_base_path configuration option in your config.php. Otherwise, your installation may not work for certain web sites.

Use the YADIS Protocol

You can also use the YADIS protocol to claim your identifier. In short, the YADIS protocol requires you to create an XML file called an XRD document, and then to modify the web page returned by the identifier URL to point to that document.

SimpleID automatically generates an XRD document for you, which should be suitable in most cases. Go to http://www.example.com/simpleid/index.php?q=xrds/username, where http://www.example.com/simpleid/ is where you have moved the www directory of the SimpleID installation, and username is your user name. SimpleID should return a file, which you can then download and open with a text editor.

The YADIS protocol specifies three ways in which you can modify the web page returned by the identifier URL to point to the XRD document.

  1. If the web page returned by the identifier URL is generated programmatically, you can detect whether the Accept HTTP header contains the MIME type application/xrds+xml, and if so, return the document directly or redirect the response to the document.

  2. If the web page returned by the identifier URL is generated programmatically, you can also return the following HTTP header in your response:

    X-XRDS-Location: http://www.example.com/simpleid/index.php?q=xrds/username

  3. Otherwise, you can include the following section between the <head> and </head> tags.

    <meta http-equiv="X-XRDS-Location" content="http://www.example.com/simpleid/index.php?q=xrds/username" />
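As an added example (not part of the SimpleID project), the code below shows both sides of the claiming methods described above. discover() is the logic a relying party applies to an identifier page: it reads the openid2.provider and openid.server link tags, picks up the XRD document location from either the X-XRDS-Location header or the meta tag, and warns when the provider URL lacks the trailing slash this page says it must have. yadis_negotiate() is the server side of the YADIS methods 1 and 2: given the Accept header of a request for the identifier URL, it decides whether to redirect to the XRD document or to serve the normal page with an X-XRDS-Location header. The sample page and headers are constructed; the function names are this example's own.

```python
# Added example (not SimpleID's own code): OpenID identifier discovery as seen
# from a relying party, plus YADIS content negotiation for an identifier page.
from html.parser import HTMLParser

XRDS_MIME = "application/xrds+xml"

# Constructed sample of an identifier page claimed with both methods.
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="http://www.example.com/simpleid/" />
<link rel="openid2.provider" href="http://www.example.com/simpleid/" />
<meta http-equiv="X-XRDS-Location"
      content="http://www.example.com/simpleid/index.php?q=xrds/username" />
</head><body>My identifier page</body></html>"""


class _HeadScanner(HTMLParser):
    """Collect <link rel=...> and <meta http-equiv=...> tags from a page."""

    def __init__(self):
        super().__init__()
        self.links = {}  # rel value (lower-cased) -> href
        self.meta = {}   # http-equiv name (lower-cased) -> content

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases attribute names
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():
                self.links[rel] = a["href"]
        elif tag == "meta" and a.get("http-equiv") and a.get("content"):
            self.meta[a["http-equiv"].lower()] = a["content"]


def discover(headers, html):
    """Return what a relying party learns from an identifier page.

    headers: the response headers of the identifier URL (names matched
    case-insensitively). The result holds the provider endpoint (OpenID 2.0
    openid2.provider first, falling back to the 1.1 openid.server), the XRD
    document location, and warnings about a provider URL without the trailing
    slash that some relying parties require.
    """
    scanner = _HeadScanner()
    scanner.feed(html)
    lower_headers = {k.lower(): v for k, v in headers.items()}
    provider = (scanner.links.get("openid2.provider")
                or scanner.links.get("openid.server"))
    xrds = (lower_headers.get("x-xrds-location")
            or scanner.meta.get("x-xrds-location"))
    warnings = []
    if provider and not provider.endswith("/"):
        warnings.append("provider URL lacks trailing slash: " + provider)
    return {"provider": provider, "xrds_location": xrds, "warnings": warnings}


def yadis_negotiate(accept_header, xrds_url):
    """Decide how the identifier page answers a request, YADIS style.

    Returns (status, headers): a redirect to the XRD document when the client
    accepts application/xrds+xml (method 1), otherwise the normal HTML page
    carrying an X-XRDS-Location header (method 2).
    """
    accepted = [part.split(";")[0].strip().lower()
                for part in accept_header.split(",")]
    if XRDS_MIME in accepted:
        return 302, {"Location": xrds_url}
    return 200, {"Content-Type": "text/html", "X-XRDS-Location": xrds_url}


if __name__ == "__main__":
    print(discover({"Content-Type": "text/html"}, SAMPLE_HTML))
    print(yadis_negotiate("application/xrds+xml, text/html;q=0.9",
                          "http://www.example.com/simpleid/index.php?q=xrds/username"))
```

Because the header takes precedence over the meta tag in discover(), a page served with a stale meta tag but a correct X-XRDS-Location header still resolves to the right document, which matches the order in which relying parties typically look.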

Using OpenID

Logging in

To log in to an OpenID-enabled site:

  1. You should see an OpenID login box on the site, which should look like the following.

    OpenID login box

  2. Type your identifier URL and submit the form. The site will now contact your SimpleID server to establish a secure connection. Depending on the speed of your web server, this may take about half a minute.

  3. If you have not logged into SimpleID, SimpleID will ask you to do so.

  4. When you log into an OpenID-enabled site for the first time, you will be presented with a page that is similar to the following.

    Site login page

    The page will vary depending on the extensions you have installed.

  5. To continue logging in to the site, click OK. The site will then become one of your trusted sites.

    If you select the Automatically send my information to this site for any future requests check box, this page won't appear again the next time you log in to this site.

Some sites require you to log into SimpleID before logging into the site.

You can only log in to each SimpleID installation as one user (and so one OpenID identifier) at any one time.