OpenID – a clash of expectations?

Via Dan Connolly, this from the mod_auth_openid FAQ:

Q: Is it possible to limit login to some users, like htaccess/htpasswd does?

A: No. It is possible to limit authentication to certain identity providers (by using AuthOpenIDDistrusted and AuthOpenIDTrusted, see the main page for more info). If you want to restrict to specific users that span multiple identity providers, then OpenID probably isn’t the authentication method you want. Note that you can always do whatever vetting you want using the REMOTE_USER CGI environment variable after a user authenticates.

Funny, this is just what I thought was most interesting about OpenID: it lets you build sites where you can offer varying experiences (including letting them in or not) to different users based on what you know about them. OpenID itself doesn’t do everything out of the box, but by associating public URIs with people, it’s a very useful step.
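To make the split concrete, here is an added example (my own illustration, not code from the mod_auth_openid project or from the FAQ) of the "vetting after authentication" the FAQ answer describes: an Apache module is assumed to have verified the user's OpenID and exported the identifier URL in REMOTE_USER, and a small WSGI layer then decides, per user, what experience to serve. The allow-list, hosts and names below are constructed for the example. The one detail worth getting right is that OpenID identifiers are URLs, so both the allow-list and REMOTE_USER are normalized before comparison; otherwise a differently spelled but equivalent identifier is silently denied (or a hand-typed list entry never matches).

```python
"""Per-user authorization layered on top of OpenID authentication (added example).

Assumes the web server (e.g. mod_auth_openid) has already authenticated the
user and placed the verified OpenID identifier URL in REMOTE_USER. The
allow-list and identifiers below are constructed for illustration only.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(identifier: str) -> str:
    """Normalize an HTTP(S) OpenID identifier so equivalent spellings compare equal.

    Applies the usual URL normalization rules for OpenID identifiers: default
    to http://, lower-case scheme and host, drop the fragment and the default
    port, and use "/" for an empty path. XRI i-names are out of scope here and
    are returned unchanged.
    """
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return identifier
    host = (parts.hostname or "").lower()
    port = parts.port
    default_port = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default_port:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


class OpenIDAuthorizer:
    """Maps authenticated OpenID identifiers to site roles; unknown users get None."""

    def __init__(self, roles_by_identifier):
        # Normalize the allow-list once, so a hand-typed entry such as
        # "Example.com/alice" matches what the provider actually asserts.
        self._roles = {normalize_openid(k): v for k, v in roles_by_identifier.items()}

    def role_for(self, environ) -> Optional[str]:
        """Return the role for the authenticated user in this request, or None."""
        remote_user = environ.get("REMOTE_USER")
        if not remote_user:
            return None  # no authenticated identity at all
        return self._roles.get(normalize_openid(remote_user))


def decide(authorizer: OpenIDAuthorizer, environ) -> tuple:
    """Choose the response for a request: (HTTP status, body text).

    Authentication (who is this?) was done upstream; this is the authorization
    step (what may they see?) that OpenID itself does not provide.
    """
    if not environ.get("REMOTE_USER"):
        return "401 Unauthorized", "Log in with your OpenID first.\n"
    role = authorizer.role_for(environ)
    if role is None:
        # Authenticated by a provider we accept, but not on this site's list.
        return "403 Forbidden", "Your OpenID is not on the member list.\n"
    if role == "editor":
        return "200 OK", "Welcome, editor: here is the edit form.\n"
    return "200 OK", "Welcome, member: here is the read-only view.\n"


def make_app(authorizer: OpenIDAuthorizer):
    """Wrap decide() as a WSGI application for use behind the authenticating server."""

    def app(environ, start_response):
        status, text = decide(authorizer, environ)
        body = text.encode("utf-8")
        start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                                ("Content-Length", str(len(body)))])
        return [body]

    return app


# Constructed allow-list spanning two identity providers (hypothetical hosts).
DEMO_AUTHORIZER = OpenIDAuthorizer({
    "Example.com/alice": "editor",
    "https://openid.example.net/bob/": "member",
})

if __name__ == "__main__":
    for remote_user in ("HTTP://EXAMPLE.COM/alice", "https://openid.example.net/bob/",
                        "http://other.example.org/alice", None):
        environ = {"REMOTE_USER": remote_user} if remote_user else {}
        print(remote_user, "->", decide(DEMO_AUTHORIZER, environ)[0])
```

The 401 versus 403 distinction matters operationally: a 401 means the authenticating front end never ran (a misconfiguration worth alerting on), while a 403 is the expected outcome for a correctly authenticated user who simply is not on this site's list. Note that "/alice" and "/alice/" remain distinct identifiers after normalization, as they should; only an empty path is rewritten to "/".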

A year ago I sketched a scenario in this vein (and it seems to have survived sanity check from Simon Willison, or at least he quotes it). It seems perhaps that OpenID is all things to all people…?

Published by danbri


Join the Conversation


  1. This criticism often stems from a confusion between authentication and authorization. OpenID only serves to authenticate a user and has nothing to do with authorization. In mod_auth_openid I sought only to provide specific utilities related solely to the OpenID standard and nothing more. Authorization libraries for the web are abundant and easy to use and would easily play well with mod_auth_openid.

    That said, I did eventually decide to add support in the recent version for an external authorization program to make it that much easier.

