OpenID Support

Configure an API with OpenID.

Table of Contents

  1. What is OpenID?
  2. What OpenID versions are supported?
  3. How do I set up my deployment to support OpenID?
  4. What is a Relying Party?
  5. What is the difference between using OpenID versus OAuth for authentication?
  6. How do I configure my API with an OpenID Provider?
  7. What is a Discovery URL?
  8. What is a Realm?

What is OpenID?

OpenID is an open decentralized standard for authenticating users. It can be used for access control and allows users to log on to different services with the same digital identity where these services trust the authentication body. OpenID simplifies the authentication process because there is only one username and password to remember.

OpenID 2.0 defines the following roles of users and applications:

What OpenID versions are supported?

The platform supports version 2.0 of OpenID using OAuth 2.0 or OAuth 1.0a.

How do I set up my deployment to support OpenID?

Before your API can use OpenID, your site administrator must perform some setup steps in the Site Administration > Domains section to make the OpenID domain available.

If your installation is not set up to support OpenID, contact your Administrator for assistance.

For more information on the Site Administrator's role, see How do I configure an OpenID Relying Party domain?

What is a Relying Party?

A Relying Party is a service provider (for example, a website or application) that can verify the end-user's identifier. The OpenID Provider is a service that specializes in registering OpenID URLs or XRIs. OpenID enables an end-user to communicate with a relying party. This communication is done through the exchange of an identifier (e.g., a URL or XRI chosen by the end-user to name the end-user's identity). An OpenID Provider provides the OpenID authentication.

The relying party discovers the OpenID provider URL by requesting the XRDS document (i.e., Yadis document), with the content type application/xrds+xml. This document may be available at the target URL and is always available for a target XRI. The exchange is enabled by a User-agent, which is the program (such as a browser) used by the end-user to communicate with the relying party and OpenID provider.

What is the difference between using OpenID versus OAuth for authentication?

The difference between using OpenID versus OAuth for authentication is as follows:

If the user grants access, the application retrieves the identifier for establishing the identity using the API. In both cases access to the Identity Provider involves authentication with the Identity Provider.

Summary:

How do I configure my API with an OpenID Provider?

There are two ways you can configure your API with an OpenID Provider. Using the OAuth Details function on the API Details page, you can configure OAuth for your API and do either of the following:

What is a Discovery URL?

An OpenID discovery URL represents the location of the relying party's OpenID endpoints that are published using the Yadis protocol. OpenID 2.0 providers advertise the location of their endpoints, as well as the versions and extensions that they support, using Yadis. For example, the Google discovery URL is https://www.google.com/accounts/o8/id.

The OpenID provider verifies a relying party's realm and endpoints by making a Yadis request to the openid.realm to discover the realm's OpenID endpoints. If the OpenID Provider is unable to verify the realm and endpoints, the user is warned that they are signing into an unverified site.

What is a Realm?

A "realm" is a pattern that represents the part of URL-space for which an OpenID Authentication request is valid. A realm is designed to give the end user an indication of the scope of the authentication request. OpenID providers must present the realm when requesting the end user's approval for an authentication request. The realm must be used by OpenID providers to uniquely identify Relying Parties. For example, OpenID providers can use the realm to allow the end user to automate approval of authentication requests.
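
Worked example (added here; it is not the platform's own code) of the OP-side checks described above: the realm matching rules of OpenID 2.0 section 9.2 and the Relying Party discovery step, in which the OP reads the XRDS document at the realm and confirms that the request's return_to URL is one the Relying Party actually published. The hostnames and the XRDS document are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed XRDS document, as a Relying Party serves it at its realm URL (hypothetical hosts).
XRDS_SAMPLE = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://app.example.com/openid/return</URI>
  </Service></XRD>
</xrds:XRDS>"""

def _parts(url):
    """(scheme, host, port, path) of a URL, with default ports filled in."""
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme), u.path or "/"

def url_matches_realm(url, realm):
    """OpenID 2.0 section 9.2 matching: identical scheme and port, identical host
    (or the realm's leading '*.' wildcard), and a path equal to or below the realm's."""
    if urlsplit(realm).fragment:
        return False  # a realm must not carry a fragment
    r_scheme, r_host, r_port, r_path = _parts(realm)
    u_scheme, u_host, u_port, u_path = _parts(url)
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False
    if r_host.startswith("*."):
        if u_host != r_host[2:] and not u_host.endswith(r_host[1:]):
            return False
    elif u_host != r_host:
        return False
    r_dir = r_path if r_path.endswith("/") else r_path + "/"
    return u_path == r_path or u_path.startswith(r_dir)

def published_return_to_urls(xrds_text):
    """return_to endpoints advertised in the realm's XRDS (Yadis) document."""
    urls = []
    for svc in ET.fromstring(xrds_text).iter(f"{{{XRD_NS}}}Service"):
        if RETURN_TO_TYPE in {t.text for t in svc.findall(f"{{{XRD_NS}}}Type")}:
            urls += [u.text for u in svc.findall(f"{{{XRD_NS}}}URI")]
    return urls

def verify_request(return_to, realm, xrds_text):
    """OP-side check: return_to lies inside the realm AND under an endpoint the
    Relying Party published; failing either, the user is sent to an unverified site."""
    return url_matches_realm(return_to, realm) and any(
        url_matches_realm(return_to, u) for u in published_return_to_urls(xrds_text))
```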