Let’s say that you’re visiting a new web site that supports OpenID. When signing in, you will see a form that looks something like:
Notice that with the OpenID log-in system you only have to type in one thing: your OpenID.
This example shows what you would enter if you were Bob Smith and your OpenID were bobsmith2000.myopenid.com.
After you submit the login form, your browser takes you from the web site you are visiting to your OpenID provider’s web site.
In this example, the provider is MyOpenID.com.
The provider—MyOpenID.com in this example—receives a message. This message asks the provider:
“Somebody is claiming to be bobsmith2000.myopenid.com. Is he actually Bob Smith? Can he log in to our web site?”
At this point, your provider checks to see if you are who you say you are.
If you are already logged in with your OpenID provider, you pass automatically and move to step 4.
Otherwise, you submit your username and password for your OpenID account. This is your OpenID provider’s way of making sure you are really you.
Now you’ve proven to your provider that you really are who you say you are. Next, your provider wants to make sure that you want to log in to the requesting web site and that you are willing to share information with it.
These days, web sites usually just want your provider to verify that you own a particular OpenID, but some web sites want to know other things, like your e-mail address, so that they don’t have to bother you to get it.
Your provider asks you which pieces of this information you are willing to give out and which you are not. You usually also have the option of giving it out just this once or giving it out automatically whenever the web site asks for it. That will look something like this:
All you have to do is choose how much information to give and whether to give it just once or whenever the web site asks.
Now, your provider sends you back to the web site you were visiting and gives it the information you allowed. You are now logged in!