I see OpenID logins available everywhere, and decided that I should look into implementing my own provider on my server so I can control my information and my login.
This is, surprisingly, quite complicated and difficult.
Even though many sites allow OpenID logins (such as this one), I am discovering the following issues:
- Many simple "roll-your-own" single identity OpenID Provider solutions are now vaporware.
- There have been pretty severe ongoing security issues with OpenID:
http://en.wikipedia.org/wiki/OpenID#Security
- Many OpenID Providers seem to have disappeared (MyOpenID.com, getopenid.com, etc.)
- The protocol seems to be constantly changing with previous versions dropped (perhaps due to security issues?)
As an example, this solution on SO from Aug'13 about using Google Plus/Profiles as a delegate now gets an error from Google saying that OpenID 2.0 support is being removed from Google by this April and replaced with OpenID Connect:
Delegate OpenID to Google (NOT Google Apps)
Does anyone even offer a simple OpenID Connect single identity provider? OpenID's list of OpenID provider software doesn't mention any OpenID Connect solutions at all, not to mention that the page hasn't been updated in 4 years!
http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
Looking through all this information, it makes me really happy I shelved my plan a couple years ago to implement OpenID 2.0 on my server, since that looks like it's becoming obsolete already, and I can't figure out an easy way to just prove my identity. It's surprising that I can't just do a single package install and edit a config file and go. Most of the simpler implementations involve installing and using PHP, which has its own security issues that need to be learned about.
So - anyone who is an expert on OpenID and where it is going who can give me some advice on how to just set up my own identity provider or if it's worth the difficulty? I'd love to have control over my information and distribution of my email address as well as have a permanent identity, but if the standard is going to keep changing then it's not really permanent.