Identity Provider FAQ

What is an identity provider?

An identity provider is somebody that you can sign in with, whether by providing a username and password, a client certificate, a smart card, a fingerprint, a retinal scan, or whatever other means for identification works for them and you.

Once you pass their test, whatever it is, they can then, via the magic of protocols like OpenID, certify to us that you have indeed done so, and since we've decided we're willing to take their word for it (at least on some things), we can go from there.

What's the point?

We hate managing passwords and you hate having to remember them all, especially for random websites like this that you may not use very often. Also if we manage passwords, then we become a target for nefarious people who like to collect other people's passwords; we'd rather they go elsewhere, so...

With protocols like OpenID this all becomes Somebody Else's Problem, and we just piggyback off of a password that you're already using for multiple Other Things, and are thus more likely to remember (and also more likely to be careful with).

Which provider should I choose?

Chances are, you already have an account with one of the providers we support; if it's one you use really often (e.g., if it's where you read your email every day, like Google/Gmail, Yahoo, AOL) that would be a good choice.

What if I want to have a separate username and password for kcdems?

Then you can pick a provider, any one of the ones we list, create a fresh account there, and not use it for anything else. There will be, however, two complications to consider:

  1. You will now have to remember this username+password.
  2. If the provider is one where you (or some other member of your household who shares your computer) already have an account, you'll need to be sure you're not signed into that account whenever you're trying to access this site. Otherwise this site, not having that account associated with anyone (or with the wrong person), will not be able to sign you in as you.

For a particularly bare-bones identity without any of the baggage that social-media companies like to attach to their accounts, you can create an ActionID. ActionID is a provider run by NGP-VAN, the same company that produces Votebuilder and NGP, both of which also accept ActionID; this means that if you use ActionID to sign in here, you can arrange for the same ID to access this site, Votebuilder and NGP.

Do I have to choose just one?

No. You only need to pick one to get started. If you have other provider accounts you can add them later. In fact, you'll probably want to have at least two, just in case Something Bad happens at your first provider (e.g., you forget your password and their recovery procedure doesn't work, or they get annoyed at you for some reason and unceremoniously cancel your account out from under you, or they just Become Evil and you want nothing to do with them any more; stuff happens...).

What about GMail? or Blogger? or YouTube?

GMail, Blogger, and YouTube are all run by Google and use the same userids. Just sign in with Google.

What about Windows LiveID? Skype? Hotmail? MSN? OneDrive?

These are all Microsoft services and they likewise all share the same account IDs. Just sign in with Microsoft.

What about Twitter or Tumblr?

These use OAuth 1.0, the original version of OAuth, which has been superseded by OAuth 2.0 and is thus technically obsolete, but still works for what it was designed to do. Thus far, we have not yet implemented an OAuth 1.0 interface, but we could …

What about other providers?

If you have some other provider that you use, let us know and we can think about adding it.

But if I use the same password for you and other sites, won't you be able to get into our accounts on other websites?

No, because with OpenID, we don't get to see your password, only the provider does. All we get is the certificate from the provider, which is specific to our site and thus won't be recognized by anyone else (and is thus useless for getting into anywhere else).
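The "specific to our site" part is worth seeing concretely. In OpenID Connect the provider's statement is an ID token whose `aud` (audience) claim names the one site it was issued for, and a site that receives a token meant for somebody else must refuse it. The following is an added illustration, not code from this site or from any provider: it builds a constructed HS256-signed ID token (HS256 with the site's client secret as key is one of the signing modes OpenID Connect permits; real providers more often use RS256 with a published public key) and shows the relying-party checks. The issuer URL, client ID, secret and timestamps are all made up for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; none of these belong to a real provider.
ISSUER = "https://idp.example"          # hypothetical identity provider
CLIENT_ID = "kcdems-site"               # hypothetical client ID registered by this site
OTHER_SITE = "some-other-site"          # a different relying party
NOW = 1_700_000_000                     # fixed "current time" so the demo is deterministic


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, secret: bytes, expected_issuer: str,
                      expected_audience: str, now: int) -> dict:
    """Relying-party checks: signature first, then iss, aud and exp.

    Returns the claims on success and raises ValueError otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never trust the token's own choice of "none"
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if expected_audience not in aud:        # the token was issued for some other site
        raise ValueError("token not issued for this site")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def demo() -> dict:
    """Issue one token for this site and show how each site treats it."""
    secret = b"constructed-client-secret"   # the secret this site shares with the provider
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": NOW - 60, "exp": NOW + 540}
    token = make_id_token(claims, secret)
    result = {"this_site": validate_id_token(token, secret, ISSUER, CLIENT_ID, NOW)}

    # The same token presented to another relying party: the audience check rejects it.
    try:
        validate_id_token(token, secret, ISSUER, OTHER_SITE, NOW)
        result["other_site"] = "accepted"
    except ValueError as err:
        result["other_site"] = str(err)

    # Rewriting the aud claim without the key breaks the signature.
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url_encode(json.dumps({**claims, "aud": OTHER_SITE}).encode())
    try:
        validate_id_token(f"{header_b64}.{forged_payload}.{sig_b64}", secret, ISSUER, OTHER_SITE, NOW)
        result["forged"] = "accepted"
    except ValueError as err:
        result["forged"] = str(err)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice each relying party also has its own client secret (or verifies against the provider's public key), so another site could not even get past the signature check; the audience check is the layer that still holds if keys are shared or a token is replayed, which is why OpenID Connect makes it mandatory.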

Isn't it dangerous to be using the same password for everything?

First of all, nobody said you have to use the same password for everything; see next question. It's up to you how you want to compartmentalize things (e.g., you can have a provider for all of your Democratic Party stuff, another for your bank accounts, another for your p0rn sites, and so on...)

Secondly, a password you don't use very much is one you'll tend to forget, so you write it on a post-it note and stick it to the screen. And then somebody comes by, reads it, and gets into your stuff. Contrast this with a password that you use all the time, therefore have no trouble remembering, so it doesn't need to go on a post-it note; and because you're using it for lots of things, you'll be a lot more careful with it, and so it's actually much less likely to be revealed.

It's a bit of a paradox, but security is like that.

What is OpenID Connect and how is that different from OpenID? What is OAuth?

They're all protocols, ways of structuring a conversation between computers to accomplish a particular purpose. It's probably best to think of OpenID Connect as OpenID 3.0, since it is intended to supersede OpenID 2.0, even if it is radically different under the hood.

OAuth is a general framework for authorization which can be adapted to establish identity the way OpenID (1.0/2.0) does. OpenID Connect is one particular adaptation; the protocols used by Microsoft and Facebook are similar but slightly different adaptations.

Where can I find out more about this?

The OpenID and OAuth websites have a wealth of information on this topic.