Web Login and Authentication – OpenID
One of the challenges I have is keeping up with all of the developments and new technologies that are not the ones I use on a daily basis. I had seen references to OpenID but had not spent any time researching it. Luckily, Scott Hanselman covered OpenID in a recent Hanselminutes. Scott describes OpenID and how it is used to allow someone to log in to a website and provide that website with selected information.
I decided to play around with OpenID myself. First, I created an account on MyOpenID, a free OpenID server. When you create an account, you are assigned a URL that you can then use to log in to sites that support OpenID. In my case, the URL is “http://mensming.myopenid.com”. I also created 2 personas – sets of information I can choose to reveal to a site. I created a minimal persona as the default and a fully populated persona which I named “full”.
Once I had my account set up, I wanted to try it out. MyOpenID includes a directory of sites that support OpenID. I chose Stikis, which is a web-based sticky note site. I put my OpenID URL into the appropriate login box, mensming.myopenid.com, and clicked on the login button. I was redirected to the MyOpenID site where I was prompted for my password. After successfully logging in, I was presented with a screen informing me that stikis.com was requesting my nickname (required) and my email address (optional). I had the option to select a different persona and decide what to reveal. I also had the choice of “Allow Forever”, “Allow Once” or “Deny”. Once I made my choice (“Allow Once”), I was redirected back to the site and was logged in.
However, I really don’t want my ID to be this URL assigned to me by MyOpenID. I would really like to be able to use my own URL. There are 2 ways to do this. One is to install an OpenID server at your URL. (I really don’t want to do that…) The other is to add some items to the HTML header on the home page of the URL. I added the following to the HEAD section of the home page at meesqa.com.
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://mensming.myopenid.com/" />
With this in place, I can now use meesqa.com as my OpenID. (Note: In the HEAD section of http://mensming.myopenid.com/, you only see the openid.server setting.)
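A tester can check a delegating page the way a site accepting the login would read it. The sketch below is an added example, not code from the original post or from any OpenID library: it collects the openid.* link tags only from inside HEAD, where the post places them, and warns about endpoints that are not served over HTTPS. The function and class names, the HTTPS check and the `other.example` tag in the sample page are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the two tags from the post in HEAD, plus a
# look-alike tag in BODY (e.g. user-supplied content) that must be ignored.
SAMPLE_PAGE = """<html><head><title>home</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://mensming.myopenid.com/" />
</head><body>
<link rel="openid.server" href="http://other.example/server" />
</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect openid.* <link> tags, but only while inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # a <body> tag implicitly ends the head
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel.startswith("openid.") and a.get("href"):
                    self.links.setdefault(rel, a["href"])  # first tag wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return (links, warnings) for the home page of a claimed identifier."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    parser.close()
    warnings = []
    if "openid.server" not in parser.links:
        warnings.append("no openid.server in HEAD")
    for rel, href in sorted(parser.links.items()):
        if urlparse(href).scheme != "https":
            warnings.append(f"{rel} is not https: {href}")
    return parser.links, warnings
```

Calling `discover(SAMPLE_PAGE)` returns the two HEAD entries from the post and one warning per plain-HTTP endpoint; the BODY tag never appears in the result.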
Why is this in a blog dedicated to software testing? I think it is important to understand how emerging technologies (which may or may not be accepted) work and become familiar with them before we need to test a product with them. If I were testing a site that used OpenID, I would make sure I verified:
As well as the various persona options and error conditions that may arise when communicating with a system outside of the one being tested.