I wrote an application recently, which relies on OpenID for authentication. A lot of web applications these days are moving to OpenID, insofar that they already have userid/password authentication scheme, and OpenID is just an add-on. Since my application is a new one, I decided that it makes no sense to program separate authentication mechanism based on userid/password, when I can rely on OpenID for all the authentication altogether.

But sure as hell, once I presented the application to a customer, she asked ‘well, how do we create user accounts, and reset their passwords’? Conceptually, she didn’t want to make the users create their own OpenID if they don’t already have one.

I kind-of had a pre-made response to that, which was: ‘You can always run your own OpenID server’. I guess I didn’t put too much thought into this answer though, since many implementations of OpenID server are pretty raw and need a lot of work before they could be run in production.

So, my question is: does anyone here have an experience of running private OpenID server purely for authenticating of her own users. Here are the features I’m looking for it to support out of the box:

• Ability to bulk-load user accounts
• Self-served password resets through verification email
• Administrative features (lock/unlock/disable accounts, troubleshoot, etc)
• Presentable look