Inspired by a talk in FrOSCon on Sunday, I went and implemented OpenID support into Midgard on the flight back. OpenID is a quite cool system for cross-site single sign-on and auto-registration. With OpenID your user identity is tied to a web address you control, for example http://bergie.iki.fi/. Every time I want to log in to an OpenID-enabled website, that site will ask my authentication status from my site and let me in. The way this works is the following:

I go to a page that requires authentication, or to MidCOM’s login URL and I get a login form allowing me to either input a local username/password combination or my OpenID:

(yes, I know this screen still needs some CSS love)

If this is the first time I’m using OpenID for this particular site, or I haven’t yet logged in to my OpenID provider, it will next ask me for confirmation:

(this step is skipped if I already have authorized login for the site and am logged in)

After this a MidCOM login session is generated for the OpenID identity and I’m logged in to the Midgard site. I even get a nice notice about this:

The OpenID implementation is now available in MidCOM SVN. It should be reasonably useful already now, but I will still make some improvements to it, including:

• Adding the OpenID user to a group specified in component configuration
• Using Simple Registration Extension together with Midgard's account registration schema to pull in more information about the OpenID user if available

It would also be nice to enable using Midgard as an OpenID provider, but for now URL delegation is needed.

Technorati Tags: authentication, midcom, midgard, openid, sso