With the recent press covering big companies adopting OpenID, I decided to see what the fuss was about, and to take it a step further, modify Confluence to be an OpenID consumer. With some time to kill on a Saturday, I finished a fully functional prototype.
OpenID is an open, decentralized, free framework for user-centric digital identity. It basically allows you to log into one application using another for authentication. For example, AOL now supports OpenID, so the 63 million AOL Instant Messenger logins can now be used with any OpenID consumer. I modified Confluence to allow a user to use their OpenID account, an AIM account in my test case, to log into Confluence.
Let’s walk through how it works:
Step 1 – Enter your OpenID identifier
At the login screen, I added an OpenID text field for your OpenID identifier. In this screenshot, I’m using my AOL OpenID account:
Step 2 – Login on the OpenID server
When I submitted my OpenID account on the Confluence login page, I was redirected to the login page of my OpenID provider, in this case AOL. I entered my AIM user name and password and clicked “Submit”.
I’m automatically redirected back to Confluence and now I’m logged in. Notice in the upper right my name is just my OpenID identifier for now. If my OpenID server supports it, other attributes like my full name, email address, and anything else could be retrieved from the OpenID server.
The implementation in Confluence was pretty straightforward; however, it was difficult working with the OpenID library I chose, OpenID4Java. There really isn’t any solid Java library right now, as OpenID seems to be currently more active in the Python and Ruby camps. OpenID4Java worked OK once you get past the zero documentation and outdated code examples in the javadocs.
In Confluence, I created an OpenIdAuthenticator, which extended the usual ConfluenceAuthenticator. Other than the authenticator and related configuration, the only other change was the new OpenID text field on the login form.
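The two legs of the login described in the steps above can be sketched with OpenID4Java's `ConsumerManager`. This is an added example, not the prototype's `OpenIdAuthenticator` or any Atlassian code; the class name `OpenIdLoginHelper`, the session key and the `returnToUrl` parameter are hypothetical, and the Confluence/Seraph wiring is left out.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;

/** Hypothetical helper (assumed name); share one instance across both legs. */
public class OpenIdLoginHelper {
    private static final String DISCOVERY_KEY = "openid.discovery"; // assumed session key
    private final ConsumerManager manager; // holds associations between the two legs
    private final String returnToUrl;      // assumed: absolute URL that calls complete()

    public OpenIdLoginHelper(String returnToUrl) throws OpenIDException {
        this.manager = new ConsumerManager();
        this.returnToUrl = returnToUrl;
    }

    /** Steps 1-2: discover the provider for the identifier and redirect to it. */
    public void begin(String identifier, HttpServletRequest req, HttpServletResponse res)
            throws OpenIDException, IOException {
        List discoveries = manager.discover(identifier);
        DiscoveryInformation discovered = manager.associate(discoveries);
        // Keep the discovery result server-side; the response is verified against it.
        req.getSession().setAttribute(DISCOVERY_KEY, discovered);
        AuthRequest authReq = manager.authenticate(discovered, returnToUrl);
        res.sendRedirect(authReq.getDestinationUrl(true));
    }

    /** Return leg: the verified identifier, or null if verification failed. */
    public String complete(HttpServletRequest req) throws OpenIDException {
        DiscoveryInformation discovered =
                (DiscoveryInformation) req.getSession().getAttribute(DISCOVERY_KEY);
        req.getSession().removeAttribute(DISCOVERY_KEY); // one response per login attempt
        if (discovered == null) return null;             // no login was started here
        StringBuffer receivingUrl = req.getRequestURL();
        if (req.getQueryString() != null && req.getQueryString().length() > 0) {
            receivingUrl.append('?').append(req.getQueryString());
        }
        ParameterList params = new ParameterList(req.getParameterMap());
        VerificationResult result = manager.verify(receivingUrl.toString(), params, discovered);
        // Log in only the verified identifier, never the raw openid.identity parameter.
        Identifier verified = result.getVerifiedId();
        return verified == null ? null : verified.getIdentifier();
    }
}
```

An authenticator built on this would create the Confluence session only when `complete()` returns a non-null identifier.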
If this code went into production, we’d probably need to spend a day or so cleaning it up, adding better error handling/reporting, and adding a couple of features:
- The ability to enable or disable OpenID logins in the Global Settings
- A signup form for new OpenID users when the required information cannot be retrieved from the OpenID server (for example, their email address)
I’d also like to see Confluence as an OpenID server. This has a lot of potential, thanks to the personal space feature of Confluence, because in the ideal case, your identity is tied to “your” home page for that application.
Finally, I’m curious how far you could take OpenID, particularly for companies. We could turn the Atlassian website into an OpenID server, then give users of any of our apps, including those hosted elsewhere, the ability to log in using their Atlassian id. The lure of decentralized identity management is certainly powerful, particularly for non-heterogeneous environments such as the Internet.