I often feel like most of the people I deal with don’t care much about their identity online and who controls it. Plenty of people are fine handing it over to Google, Apple, Microsoft or another large company instead of having some say in it themselves. I’m going to show you a simple method of gaining just a little bit of control back… it’s called delegation.
When I first signed up with an OpenID provider many years ago, I wasn’t exactly happy about giving my identity to someone else, but I didn’t want to run my own OpenID server. The solution is to delegate your identity.
Think of delegation like forwarding. You can forward your phone calls, or forward your email, and the people who contact you never need to know what your actual phone number or email address is… they just use what you give them. And if you change your actual phone number or email address, you don’t need to tell everyone about it, as they are using the one that does the forwarding, and that one still works. It’s like DNS… your domain name stays the same (hopefully!) while the IP address can change. Abstraction is a wonderful thing.
So how do we delegate our OpenID? Well… you’re gonna need a web site… Do you have one? Good! If not, go get one… go ahead, we’ll wait. Come back when you have one.
Got a web site? Good!
We’ll also assume you have an OpenID. You probably have one… If you have an account with Google, or Yahoo!, or LiveJournal, or Flickr, or any of these guys… then you have one.
OK, back to your web site (since you have one now!). You basically need to add a bit of code to the head of your home page.
For instance, if you wanted to use Google, it would look something like this:
<meta http-equiv="X-XRDS-Location" content="http://www.google.com/profiles/[USERNAME]" />
<link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud?source=profiles" />
<link rel="openid2.local_id" href="http://www.google.com/profiles/[USERNAME]" />
Where [USERNAME] is your profile username. You can use the Delegateid tool to figure it out. (See their blog post for more info: Delegation Made Easy.)
If your provider supports the old version of OpenID you may have two more lines, which will say openid rather than openid2. Paste them all into place.
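These tags decide which provider gets to vouch for your URL, so it is worth checking them whenever the page changes. The following is an added example, not code from the original post or from any OpenID library: a small Python checker that reads a page, pulls out the delegation tags from the head, and warns if half of a pair is missing, if the tags sit outside the head, or if the provider endpoint is not HTTPS. The rel values openid.server and openid.delegate are the OpenID 1.1 names for the "two more lines"; the sample page and the username "alice" are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values: OpenID 2.0 pair, then the OpenID 1.1 pair
PAIRS = (("openid2.provider", "openid2.local_id"), ("openid.server", "openid.delegate"))

class DelegationParser(HTMLParser):
    """Collect OpenID <link> tags, noting whether each sits inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}    # rel -> href, taken from <head> only
        self.ignored = []  # OpenID rels seen outside <head>
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if any(rel in pair for pair in PAIRS):
                    if self.in_head:
                        self.found.setdefault(rel, a.get("href") or "")
                    else:
                        self.ignored.append(rel)
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_delegation(html):
    """Return (found, warnings) for the delegation tags in one page."""
    p = DelegationParser()
    p.feed(html)
    warnings = [f"{rel} is outside <head>" for rel in p.ignored]
    for endpoint, local in PAIRS:
        if (endpoint in p.found) != (local in p.found):
            warnings.append(f"delegation needs both {endpoint} and {local}")
        if endpoint in p.found and urlparse(p.found[endpoint]).scheme != "https":
            warnings.append(f"{endpoint} is not HTTPS: {p.found[endpoint]}")
    if not any(endpoint in p.found for endpoint, _ in PAIRS):
        warnings.append("no provider endpoint declared in <head>")
    return p.found, warnings

# Constructed sample page; "alice" is a made-up profile username.
SAMPLE = """<html><head><title>Home</title>
<link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud?source=profiles" />
<link rel="openid2.local_id" href="http://www.google.com/profiles/alice" />
</head><body></body></html>"""
if __name__ == "__main__":
    print(check_delegation(SAMPLE))
```

Run it against a saved copy of your home page after every edit; an empty warnings list means both tags were found in the head and the provider endpoint is HTTPS.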
Now when you need to log in somewhere that allows you to use OpenID, you can just enter your own URL. You don’t have to remember the URL of your Google profile, or your LiveJournal address, or any of that non-memorable stuff. Your URL is your identity.
In the future, as long as you still have your web site, you can use that as your OpenID. If you ever change your OpenID provider, it should just be a simple matter of updating the delegation code and the magic bits will do the right thing… much less painful than changing your actual phone number or email address and having to tell everyone. With delegation, you just update your own site, and let the machines sort it out from there.