Tips for reliable OpenID with your own domain

Question

I'm trying to build a personal OpenID-based online identity using my domain name as identifier. I want to be able to accomplish all this:

• Make http://alvaro.es/ my identifier.
• Be able to switch providers transparently.
• Log into any third-party site that accepts OpenID.
• Be able to provide personal details (e-mail, time zone, avatar...) and get prompted whether to send them or not to sites that request them.
• Accept OpenID in my own (PHP-powered) sites without the need of purchasing SSL hosting.

I've read the usual doc and I've been evaluating several OpenID providers (Google, Yahoo, myOpenID... and even running my own server). The fact is that I've been using OpenID for a while and:

• Providers offer very scarce documentation or none at all.
• No matter what provider I choose, there are always sites where log-in fails (typically without an error message).
• I have little control (or none at all) on the identifier returned by the provider.
• I still can't understand how all this really works.

I'm looking for general advice but I understand that can be subjective so I'll make a few specific questions.

---

So far, I'm trying out myOpenId as provider and LightOpenID as consumer. My questions are:

1. My URL provides an HTTP header:

    X-XRDS-Location: http://kalvaro.myopenid.com/?xrds=1
   

   ... and the following HTML tags:

    <link rel="openid.server openid2.provider" href="http://www.myopenid.com/server">
    <link rel="openid.delegate openid2.local_id" href="http://kalvaro.myopenid.com">
   

   Is it correct? Is it enough?

2. myOpenID provides Your Domains, a feature to register your own domain name but I haven't dared to test it (it needs changes to the DNS) and the configuration form suggests I have to choose between http://openid.alvaro.es/username and http://username.alvaro.es/ as identifier (not http://alvaro.es/). However, Stackoverflow still reports alvaro.es as my identifier without this feature. Do I need to use it?

3. When implementing LightOpenID, I match the local user against $openid->identity (where $openid is the instance of the LightOpenID object). This attribute appears to be the URL supplied by the user. Is it correct?

4. Are there more adequate providers or consumer libraries than the ones I chose?

Answer 1

1. It is correct. It is more than enough. While providing an X-XRDS-Location is a good thing, as it sepeeds up the discovery process, it isn't sctrictly necessary.
2. As far as I understand it, "Your Domains" is useful when you want to have multiple accounts in your domain. Anyway, you don't need to use it at all.
3. It is correct. The url is also called a Claimed Identifier, i.e. what the user claims to be.
4. As the author of LightOpenID, my answer is obvious and possibly biased -- I've created it, because I couldn't find a good, existing library.

Other things you might want to know:

• Delegation won't work with Google, and any other provider who uses select_identifier (i.e. each account has the same url, and then the provider asks you for your login).
• Your delegation, as shown in 1., will let you switch providers transparently and log in to any site that supports OpenID, just as you want.
• As for the personal details, it depends completely on the provider, whether it sends them or not, what kind of personal information it supports, etc.. For example, Google doesn't let you choose what to send, only whether to send something (and everything the website claims to require) at all.
• Some implementations are buggy and indeed fail. Try logging in for a second time, it works sometimes.
• The identifier returned by your provider shouldn't matter if you use delegation. The website you're logging into should use your claimed identifier.

As for how the openid works, see some answers to that question on SO.