| OpenID | |
|---|---|
| Name | OpenID |
| Genre | Authentication protocol |
OpenID is an open, decentralized authentication protocol that enables users to sign in to multiple Yahoo!-like services using a single identity managed by an independent provider. It was designed to reduce password proliferation across sites such as Google, Microsoft, Facebook, and Twitter, while allowing relying parties like Wikipedia, Stack Overflow, Reddit, and GitHub to delegate authentication to identity providers including Yahoo!, AOL, NetMesh, and later commercial operators. The protocol influenced federated identity initiatives involving organizations like Facebook, Google, Mozilla, PayPal, and standards bodies including the World Wide Web Consortium and the Internet Engineering Task Force.
OpenID operates as a federated sign-on mechanism connecting identity providers and relying parties; early adopters included portals such as AOL, Verizon, Comcast, Orange S.A., and interest groups such as O’Reilly Media communities. The design sought interoperability with protocols and frameworks adopted by Microsoft's identity efforts, IBM's enterprise services, Oracle's middleware, and academic deployments at institutions like MIT and Stanford University. By leveraging redirects, user agents, and provider discovery, the protocol positioned itself alongside contemporaries and successors like SAML, OAuth 2.0, and OpenID Connect in identity landscapes navigated by enterprises such as Salesforce, SAP, and Cisco.
The protocol emerged from work by developers associated with early social web and portal ecosystems, intersecting with projects involving Brad Fitzpatrick, David Recordon, and other contributors linked to LiveJournal, Six Apart, and Flickr. Adoption accelerated as organizations such as Yahoo!, AOL, and Verizon experimented with single sign-on, and it became part of identity discussions at conferences like SXSW, DEF CON, and RSA Conference. Standardization efforts involved coordination with the IETF community and influenced later specifications from the OpenID Foundation and stakeholders including PayPal, Mozilla, Google, and Microsoft.
The architecture separates the roles of user agent, identity provider, and relying party, with trust established through discovery, association, and token exchange mechanisms used by sites like Wikipedia and services run by Amazon Web Services and Google Cloud Platform. Discovery methods rely on identifiers and metadata comparable to techniques used in DNS-based systems and in federated protocols adopted by Shibboleth deployments at universities like Harvard University and University of California, Berkeley. Transport security commonly uses TLS as implemented by certificate authorities such as DigiCert, Let's Encrypt, and Symantec; message flows resemble those in implementations by vendors like Ping Identity and Okta. Extensions and integrations connected with attribute exchange, user profile retrieval, and session management drew concepts from enterprise projects at IBM, Oracle, and Microsoft Azure.
Security analyses by researchers associated with institutions such as Carnegie Mellon University, Stanford University, and University of Cambridge highlighted risks including phishing, token replay, cross-site request forgery, and provider compromise; recommended mitigations referenced practices from NIST guidance and cryptographic toolkits used by OpenSSL and BoringSSL. Privacy advocates at organizations like Electronic Frontier Foundation and Privacy International raised concerns about centralized tracking by major identity providers including Google and Facebook, and regulatory regimes exemplified by European Union data protection frameworks influenced deployment choices for companies like SAP and Salesforce. Incident responses and vulnerability disclosures echoed patterns seen in breaches involving firms such as Yahoo! and Equifax and prompted changes in recommended flows and session lifetimes.
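The replay and tampering risks above are what a relying party's assertion check addresses. The following added example, not taken from any OpenID implementation or from this article's sources, verifies an OpenID 2.0 positive assertion: an HMAC-SHA256 signature over the `openid.signed` fields using the association's MAC key, then a freshness and one-time-use check on `openid.response_nonce`. The URLs, MAC key, five-minute skew window and function names are constructed for illustration; `return_to` matching and discovery verification are out of scope.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
MAX_SKEW = timedelta(minutes=5)           # assumed relying-party policy
MAC_KEY = b"constructed-association-key"  # constructed; shared with the provider

def sign(fields, mac_key):
    """Base64 HMAC-SHA256 over 'key:value\\n' lines for each openid.signed key."""
    keys = fields["openid.signed"].split(",")
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)
    mac = hmac.new(mac_key, token.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(fields, mac_key, seen_nonces, now):
    signed = set(fields.get("openid.signed", "").split(","))
    # claimed_id / identity must be covered by the signature when present
    must_sign = REQUIRED | {k for k in ("claimed_id", "identity") if "openid." + k in fields}
    if not must_sign <= signed:
        return "reject: required field not signed"
    if any("openid." + k not in fields for k in signed):
        return "reject: signed field missing"
    expected = sign(fields, mac_key).encode()
    if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
        return "reject: bad signature"
    nonce = fields["openid.response_nonce"]
    try:  # nonce starts with a UTC timestamp, then provider-chosen characters
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return "reject: malformed nonce"
    if abs(now - issued) > MAX_SKEW:
        return "reject: stale nonce"
    if (fields["openid.op_endpoint"], nonce) in seen_nonces:
        return "reject: replayed nonce"
    seen_nonces.add((fields["openid.op_endpoint"], nonce))
    return "accept"

def sample_assertion():
    """Constructed positive assertion, signed the way the provider would."""
    f = {"openid.op_endpoint": "https://op.example/auth",
         "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": "2024-01-01T12:00:00Zabc123",
         "openid.assoc_handle": "handle-1",
         "openid.claimed_id": "https://alice.example/",
         "openid.identity": "https://alice.example/",
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    f["openid.sig"] = sign(f, MAC_KEY)
    return f
```

The nonce store is keyed by provider endpoint and only needs to retain entries for the length of the skew window, since older nonces are rejected as stale.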
Implementations appeared across consumer, academic, and enterprise ecosystems with libraries and projects maintained by communities around Apache Software Foundation, Eclipse Foundation, and language ecosystems supported by GitHub repositories. Commercial and hosted identity services from Akamai, Okta, Ping Identity, AWS Cognito, and Auth0 incorporated concepts from the protocol while platforms like WordPress, Drupal, MediaWiki, Joomla, and Magento provided plugins and extensions. Mobile and native integrations referenced developer platforms such as Android and iOS and were discussed at developer conferences by companies like Microsoft and Google.
Criticism centered on usability, security trade-offs, and centralization when major providers like Google, Facebook, and Microsoft dominated authentication traffic, echoing concerns raised by privacy groups such as Electronic Frontier Foundation and regulatory attention from bodies like the European Commission. Some web communities argued that reliance on third-party providers reduced user autonomy, comparable to debates involving platforms like Amazon, Apple, and Facebook over control of identity and data. Technical controversies included disputes between implementers and standards bodies such as the OpenID Foundation and the IETF, and competitive tensions with protocols championed by Microsoft and consortiums involving IBM and Oracle.