I am researching about OpenId and seeing if it is a good solution for my website and some things confused me. Correct me if I am wrong.
“My understanding is that OpenID works in a way that user sends the credential to authorization server and that TRUSTED server will say whether this user is legitimate or not.”
Now, let’s take example of Stackoverflow. I see all these icons for Yahoo and Google and everything and I guess Stackoverflow says these are my trusted providers and if they trust you, I trust you.
Now, there is also one button which says OpenID and I can go ahead and register there as well. Now is that an independent authorization server? Who is the provider for that?
If I want to embed openID to my web project. Which authorization server should I be using?
I am seeing this OAuth as an option whenever I search about OpenId; is it an authorization server?
OpenID is a standard, not an auth provider.
OAuth is supplementary to OpenID.
[ Google has a reasonably good flow explanation:
https://developers.google.com/accounts/docs/OpenID ]
Many websites provide options for particular auth providers just to simplify the process. OpenID URIs are not uniform, so you can’t tell (for example) what the URI would be from an email address.
Some auth providers (like Google) make it kind of hard to find out what your OpenID actually is, presumably in an effort to make the login more transparent for users (and subsequently add branding to relying parties’ websites).
If you know what your OpenID URI is, you should be able to enter that on any compatible site, without going through the “select a known provider” step. Whether that option is available, however, is at the discretion of the author.
[ As for the “trustedness” of auth providers, there are some potential issues:
http://en.wikipedia.org/wiki/OpenID#Security ]
[ The OpenID Foundation has the official answers: http://openid.net/get-an-openid/ ]