Back to Top

Wednesday, February 21, 2007

Grokking OpenID and Blogger

I just created my first OpenID account!

If you don't know what OpenID, it is a single sign-on solution (sometimes also called login federation), which ensures that you can have a single login name / password using which you can authenticate in may (web-)places. It is similar to the Microsoft Passport initiative, the difference being (as usual) that it is based on open standards and you don't depend on Microsoft. Here are some resources for a more detailed description:

Here is a list of OpenID providers shamelessly lifted from

I personally went with Verisign because they are a big company with other revenues, so it is fairly probable that they won't disappear overnight. However it is possible to use multiple OpenID providers, as this forum posting points out. But it is too complicated for me, I just go with Verisign for the moment. However I want to keep my options open, so I use my blog address as my identity (Google won't disappear soon either) and create a delegation to the Verisign server, which I can change any time to an other identity provider.

You can do this by editing your template, finding the <head> tag and inserting immediately after the following two lines:

<link href="" rel="openid.server" />
<link href="" rel="openid.delegate" />

If you don't use Verisign as your identity provider, replace the with the address of the server of your service (if the given service doesn't explicitly tell you the address of their server, check out this posting on where he lists the servers for 4 OpenID providers. The second line should contain the ID the service assigned to you. Now save your template and go to any OpenID enabled site and try logging in with your blog address ( in my case).

Have fun and enjoy OpenID!

Update: Since I wrote this post, Blogger became both an OpenID consumer and provider. This means that you can comment on blogger blogs using OpenID accounts, and you can use your blogger blog as an openid account. However you can still use the method described above to redirect to an other OpenID provider.

Update 2: as pointed out in a comment on the stackoverflow blog, this does introduce a further security risk: now you have to worry about either your OpenID provider being hacked or your website being hacked. Because in the later case, the hacker can just redirect the OpenID authentication to an account/provider s/he controls and log into all the sites where you've signed into all the sites where your OpenID is your website. Just a thing to be aware of.


  1. Anonymous11:53 PM

    Have you made blogger work with open id - or just your admin functions?

  2. I just included the code necessary to use my blog hosted on blogger as the ID on OpenID powered sites. Any deeper integration with OpenID (like making it possible to use OpenID while authenticating for leaving comments) would have to be done at server side (ie. by Google).

    P.S. I got some feedback that my blogger page fails to validate as XHTML, mainly because of the template code included in it (about which very little can be done) and because of this some OpenID login code fails, so maybe it is a better solution to create a separate HTML page, include all the needed markup in it, make sure that it's valid XHTML and throw it up on Google Pages for example and use its URL to authenticate.

  3. I am still confused about this. I tried turning my blog to an OpenID account so that I may use it for comments and/or authentications and OpenID tells me I have to pay $25 for registration! :(
    So I must embed some code in the html to do this?

  4. @Mona Trixa: could you please give me exact URL of the page which says that you need to pay for this? It should be available for free.