Using OpenID with Liferay
What is OpenID? #
OpenID is an open, decentralized, free framework for user-centric digital identity.
OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do-with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.
(Quote from http://openid.net/)
The benefits of OpenID #
For an end user, the main benefit of OpenID is that he no longer has to register in every website or portal where he wants to have an account. Instead there is only one website (known as the OpenID provider) that has all his information and is able to provide part of it (as approved by the user) to the websites where the user wants to participate.
For website owners, the benefit of OpenID is that it facilitates registration for end users. Considering that many users don't register because of the effort it takes to register in a website this is an important benefit.
The end purpose of OpenID is to keep all the sensible information in the provider so that it's not spread through all the websites where the user has an account. This makes it much easier to protect and keep up to date.
How does it work #
- User selects an OpenID provider and creates an account in it. The provider gives the user a unique URL that identifies him.
- User finds a new website and wants to create an account. He finds out happily that the website supports OpenID (it's an OpenID consumer).
- User logs in with his OpenID URL
- The website uses the URL to contact the OpenID provider of the user and requests it some information to be able to create the new account for the user
- The user is redirected to his provider's website to:
- Login to demonstrate he is the owner of the URL
- Accept the request for information from the original website (the providers usually allow maintaining several profiles and the user can select which one to use)
- The user is then redirected to the original website with all the necessary information
- The website takes that information and creates an account for the user (only the first time) and logs him in
- The user
For more information refer to: http://openid.net/about.bml
Support for OpenID within Liferay #
Portals developed with Liferay can activate OpenID support to allow its users to automatically register and sign in using their OpenID identifier from their preferred OpenID provider. In technical terms this means that Liferay can act as an OpenID consumer.
In order to perform the registration (aka portal account creation) when a user first logins with his/her OpenID Liferay asks the provider for some information about the user: specifically the user's name and email address. The provider must be able to provide this information through any of the following OpenID protocol extensions:
Starting with Liferay 5.1, if the OpenID provider does not support these extensions, or for privacy reason does not provide the necessary user information, the user will be presented a form so that he can enter her details manually.
Liferay has so far been tested with the following providers:
- MyOpenID: http://www.myopenid.com
- Atlassian's CrowdID: http://www.atlassian.com/Crowd
- Yahoo: http://openid.yahoo.com/ (Works since Liferay 5.1)
- LiveJournal: http://www.livejournal.com (Works since Liferay 5.1)
- Verisign Personal Identity Portal (Tested with Liferay 5.1.1)
(Note: this list is still incomplete, feel free to edit and add your provider if it works for you)
Technical details #
Liferay uses OpenId4java as the backend library to implement the OpenID functionality. This library was chosen because:
- It is free software with a License compatible with Liferay's (Apache License 2.0)
- It is developed by a trusted entity: Sxip
- It seems to have the largest community among the alternatives
How to use it #
There are two ways to login using an OpenID:
- The portal login page located at /c/portal/login contains an input box that allows users to enter their OpenID instead of their login and password
- The administrator can also set up the OpenID portlet in any portal page to allow users to login automatically from it.