Configure an API with OpenID.
OpenID is an open, decentralized standard for authenticating users. It can be used for access control and allows users to log on to different services with the same digital identity, provided those services trust the authentication body. OpenID simplifies the authentication process because the user has only one username and password to remember.
OpenID 2.0 defines the following roles of users and applications:
The platform supports version 2.0 of OpenID using OAuth 2.0 or OAuth 1.0a.
If you are a Site or API Administrator, you can set up OAuth Provider definitions in the Site Administration > Domains section. You create a domain for each OpenID Provider scenario, and these configurations are then available for selection using the API OAuth function in the APIs that are part of your deployment.
A Relying Party is a service provider (e.g., a website or application) that can verify the end-user's identifier. The OpenID Provider is a service that specializes in registering OpenID URLs or XRIs. OpenID enables an end-user to communicate with a relying party. This communication is done through the exchange of an identifier (e.g., a URL or XRI chosen by the end-user to name the end-user's identity). An OpenID Provider provides the OpenID authentication.
The relying party discovers the OpenID provider URL by requesting the XRDS document (i.e., Yadis document), with the content type application/xrds+xml. This document may be available at the target URL and is always available for a target XRI. The exchange is enabled by a User-agent, which is the program (such as a browser) used by the end-user to communicate with the relying party and OpenID provider.
The difference between using OpenID versus OAuth for authentication is as follows:
If the user grants access, the application retrieves the identifier for establishing the identity using the APIs. In both cases access to the Identity Provider involves authentication to the Identity Provider.
Summary:
There are two ways you can configure your API with an OpenID Provider. Using the OAuth Details function on the API Details page, you can configure OAuth for your API and:
An OpenID discovery URL represents the location of the relying party's OpenID endpoints that are published using the Yadis protocol. OpenID 2.0 providers advertise the location of their endpoints, as well as the versions and extensions that they support, using Yadis. For example, the Google discovery URL is https://www.google.com/accounts/o8/id.
The OpenID provider verifies a relying party's realm and endpoints by making a Yadis request to the openid.realm to discover the realm's OpenID endpoints. If the OpenID Provider is unable to verify the realm and endpoints, the user is warned that they are signing into an unverified site.
A "realm" is a pattern that represents the part of URL-space for which an OpenID Authentication request is valid. A realm is designed to give the end user an indication of the scope of the authentication request. OpenID providers must present the realm when requesting the end user's approval for an authentication request. The realm must be used by OpenID providers to uniquely identify Relying Parties. For example, OpenID providers may use the realm to allow the end user to automate approval of authentication requests.
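The two mechanics described above, Yadis/XRDS discovery of the OP endpoint and checking a return URL against an openid.realm pattern, as an added example that is not part of this documentation or the platform's own code. The XRDS document and the op.example.com host are constructed placeholders; the realm check follows OpenID 2.0 section 9.2 but uses the stricter host comparison that common implementations apply (an assumption, noted in the comment).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces used by XRDS (Yadis) documents and the OpenID 2.0 OP Endpoint service type.
XRD_NS = "xri://$xrd*($v*2.0)"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Constructed sample XRDS document (what a discovery URL returns as application/xrds+xml).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://op.example.com/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover_op_endpoint(xrds_text):
    """Return (endpoint_uri, type_uris) for the first OpenID 2.0 OP Endpoint
    advertised in an XRDS document, or (None, []) if none is advertised.
    The Type URIs tell the relying party which versions/extensions the OP supports."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        uri = svc.find("{%s}URI" % XRD_NS)
        if OP_SERVER_TYPE in types and uri is not None and uri.text:
            return uri.text.strip(), types
    return None, []


def return_to_matches_realm(realm, return_to):
    """Check a return_to URL against an openid.realm pattern: same scheme and port,
    matching host (realm may start with a '*.' wildcard), path equal to or below the
    realm's path, and no fragment in the realm."""
    r, u = urlsplit(realm), urlsplit(return_to)
    default_port = {"http": 80, "https": 443}
    if r.fragment or r.scheme != u.scheme:
        return False
    if (r.port or default_port.get(r.scheme)) != (u.port or default_port.get(u.scheme)):
        return False
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    if rhost.startswith("*."):
        suffix = rhost[2:]
        # Assumption: require a label boundary so evilexample.com never matches *.example.com.
        if not (uhost == suffix or uhost.endswith("." + suffix)):
            return False
    elif rhost != uhost:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    return rpath == "/" or upath == rpath or upath.startswith(rpath.rstrip("/") + "/")
```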