XMPP auth for OpenID

OpenID is a decentralized digital identity system, in which any user’s online identity is given by URL (such as for a blog or a home page) [...], and can be verified by any server running the protocol. (wikipedia)

Okay so that’s cool – the idea is that you want to sign in on a web-site that you’ve never seen before, so you give it your OpenID and *poof* you’re in. As part of the package, the web-site can also request some profile information from your OpenID provider, so you don’t have to re-type it. Lots of work has happened behind the scenes to make sure who you say you are is valid, so that the web-site can trust your OpenID.

Unfortunatly you still have to log into your OpenID provider with a username and password. “I thought OpenID was supposed to help with this horrid multiple username and password problem”, I hear you cry – at least you (hopefully) trust your OpenID provider more than you do some abritary web-site.

Unlike most single sign-on architectures, OpenID does not specify the authentication mechanism. (wikipedia)

Cool! So we can pick our own. How about a password-less authentication, that uses your instant messenger identity to confirm your OpenID?

It’s actually easy, you just take a copy of the PHP Standalone OpenID Server, add the required PHP OpenID library, and add a sprinkle of XMPP XEP-0070 support in form of a patch. Bake for a short while, and be sure to serve hot :-)

6 comments on “XMPP auth for OpenID

  1. Pingback: fh » OpenID Verification via XMPP / XEP 0070

  2. Will this patch work on version 1.1 of the standalone php openid server? I can’t find version 1.0 for download to do a diff and see if affected code is changed. Thank you!

  3. Michael: I haven’t had time to check it personally. Please go ahead and try, and if it doesn’t work feel free to fix and and send me an updated patch.

  4. Hmm. It was up yesterday but seems down this morning. Xmppid.net seems cool also, but its bot does not seem to be working as I don’t get send the auth code.

  5. Cool post, sounds like a interesting alternative to passwords. I work for Vidoop and we run a password less OpenID provider as well.

    Instead of a password, each user chooses from a number of “categories”, like airplanes, cars or keys. At time of login, myVidoop displays an array of images including an airplane, a car, or a key, along with several other unrelated images. Without knowledge of the secret, the display appears completely random to other observers. The user spots the secret categories known only to him and sees a series of digits that act as the one-time access code. Since other observers do not know the user’s categories, they do not know which of the displayed access codes to use as the key. Only the user can interpret the one-time access code from the display.

    Its pretty neat technology, we also have a password manager to store your normal logins/passwords…

    Cheers for anyone trying to actually get rid of passwords!

  6. You should try myid.asemantics.com, as an alternative to xmpp.za.net…that I really was not able to get working… :(

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>