Distributed Identities with OpenID
DESCRIPTION
Talk about distributed identities with OpenID and OpenID Connect for WebTech 2010
TRANSCRIPT
![Page 1: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/1.jpg)
Bastian Hofmann, VZnet Netzwerke Ltd.
Distributed Identities with OpenID
Tuesday, 12 October 2010
![Page 2: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/2.jpg)
Agenda
• What are Identities?
• The history of Identity Providers
• Trying it the open way: OpenID
• The rise of Social
• OpenID's future
![Page 3: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/3.jpg)
Identities in real life
![Page 4: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/4.jpg)
Do you really have only one identity?
Lothar Krappmann:
- Identity is conveyed by communication
- Identity is not fixed but recreated by every communication with your fellows
- Expectations of different people result in different identities
![Page 5: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/5.jpg)
Example:
Paul Adams
http://www.slideshare.net/padday/the-real-life-social-network-v2
![Page 6: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/6.jpg)
Identities in the Web
![Page 7: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/7.jpg)
Register, Register, Register, ...
![Page 8: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/8.jpg)
Single Sign on
ul_Marga
![Page 9: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/9.jpg)
Microsoft Passport / Live ID
• Windows Live ID
• Launched 1999 as .NET Passport
• Used mainly for Microsoft services but not much outside
• OpenID Provider since 2008
![Page 10: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/10.jpg)
OpenID
• Open, decentralized user authentication
http://openid.net/
![Page 11: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/11.jpg)
The Client
![Page 12: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/12.jpg)
Discovery
```html
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
```
Delegation
```html
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
```
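The discovery and delegation tags above are what a Relying Party parses out of the user's identity page. The following is an added example written for this page, not code from the talk or from VZnet: it extracts the OP endpoint and OP-local identifier for both the OpenID 1.x and 2.0 tag families, and shows the check a Relying Party has to make afterwards, that the assertion it receives names exactly the endpoint and identifiers discovery produced. The HTML documents and the claimed identifier http://bastian.example/ are constructed for the example.

```python
# Added example (not from the original slides): Relying-Party-side HTML
# discovery and delegation for OpenID 1.x and 2.0, following the <link rel=...>
# conventions shown on the slide. The sample HTML and the claimed identifier
# "http://bastian.example/" are constructed for this example.
from html.parser import HTMLParser


class _HeadLinks(HTMLParser):
    """Collects <link rel href> pairs and the X-XRDS-Location meta tag."""

    def __init__(self):
        super().__init__()
        self.links = {}          # rel -> href; first occurrence wins
        self.xrds_location = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs if v is not None}
        if tag == "link" and "rel" in a and "href" in a:
            for rel in a["rel"].lower().split():
                self.links.setdefault(rel, a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")


def discover(claimed_id: str, html: str) -> dict:
    """Return the OP endpoint and OP-local identifier declared in an identity page.

    OpenID 2.0 tags (openid2.provider / openid2.local_id) take precedence over
    the 1.x tags (openid.server / openid.delegate). Without a local_id or
    delegate tag the claimed identifier itself is the OP-local identifier.
    """
    p = _HeadLinks()
    p.feed(html)
    if "openid2.provider" in p.links:
        version, endpoint = 2, p.links["openid2.provider"]
        local_id = p.links.get("openid2.local_id", claimed_id)
    elif "openid.server" in p.links:
        version, endpoint = 1, p.links["openid.server"]
        local_id = p.links.get("openid.delegate", claimed_id)
    else:
        raise ValueError("page declares no OpenID provider")
    return {
        "version": version,
        "op_endpoint": endpoint,
        "claimed_id": claimed_id,
        "local_id": local_id,
        "xrds_location": p.xrds_location,  # Yadis discovery would be tried here first
    }


def assertion_matches(discovered: dict, op_endpoint: str, claimed_id: str, identity: str) -> bool:
    """RP check on a positive assertion: the OP that answers, the claimed
    identifier and the OP-local identifier must all equal what discovery
    found. Skipping this lets any OP assert any identifier."""
    return (
        op_endpoint == discovered["op_endpoint"]
        and claimed_id == discovered["claimed_id"]
        and identity == discovered["local_id"]
    )


# Constructed identity page: the delegation tags from the slide on a
# hypothetical homepage.
DELEGATING_PAGE = """<html><head>
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
</head><body>homepage</body></html>"""

# Constructed page without delegation: only the provider is declared.
PLAIN_PAGE = """<html><head>
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
</head><body></body></html>"""


if __name__ == "__main__":
    d = discover("http://bastian.example/", DELEGATING_PAGE)
    print(d)
    print(assertion_matches(d, "http://www.myopenid.com/server",
                            "http://bastian.example/", "http://bhofmann.myopenid.com/"))
```

The assertion check is the part most often skipped in home-grown Relying Parties: without it, the OP named in the response is trusted for whatever identifier it chooses to assert, instead of only for the one discovery bound it to.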
![Page 13: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/13.jpg)
Connection Flow
![Page 14: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/14.jpg)
DEMO
![Page 15: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/15.jpg)
Authentication vs Authorization
Who is the user? Is this really user X?
VS
Is X allowed to do something? Does X have the permission?
Client sites want more than just a unique identifier (Social Graph)
![Page 16: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/16.jpg)
But there are Spec Extensions
decafinata
![Page 17: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/17.jpg)
Simple Registration
• Allows the Relying Party to specify, in its request, fields that the Identity Provider must or should return (field names are listed without the openid.sreg. prefix)
Request:
```text
openid.sreg.required=fullname&openid.sreg.optional=email,gender
```
Response:
```text
openid.sreg.fullname=Bastian&openid.sreg.gender=male
```
![Page 18: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/18.jpg)
Attribute Exchange
• Two-way exchange of data possible
Fetch request:
```text
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=3
openid.ax.required=fname,gender
openid.ax.if_available=fav_dog,fav_movie
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
```
![Page 19: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/19.jpg)
Attribute Exchange
• Two-way exchange of data possible
Fetch response:
```text
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_response
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.value.fname=John Smith
openid.ax.count.gender=0
openid.ax.value.fav_dog=Spot
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
```
![Page 20: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/20.jpg)
Attribute Exchange
• Two-way exchange of data possible
Store request:
```text
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.value.fname=Bob Smith
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
```
Store response:
```text
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_response_success
```
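The fetch response on the previous slide carries attributes in three shapes: a single value.alias, a count.alias=N with value.alias.1 to value.alias.N, and count.alias=0 meaning the provider did not supply the attribute even though the request marked it required. The parser below is an added example, not code from the talk or from VZnet; it turns the slide's fetch_response (joined here into one constructed query string) into a map from attribute type URI to values, resolves the namespace alias instead of assuming it is "ax", and reports which required attributes came back empty.

```python
# Added example (not from the original slides): parse an Attribute Exchange
# fetch_response the way a Relying Party must, honouring the count/value
# conventions of AX 1.0 (count.<alias>=0 means "not supplied", count.<alias>=N
# means value.<alias>.1 .. value.<alias>.N). The response below is the slide's
# example joined into one query string; it is constructed input.
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

# The slide's fetch_response, as the RP would receive it in the return_to query string.
SAMPLE_FETCH_RESPONSE = "&".join([
    "openid.ns.ax=http://openid.net/srv/ax/1.0",
    "openid.ax.mode=fetch_response",
    "openid.ax.type.fname=http://example.com/schema/fullname",
    "openid.ax.type.gender=http://example.com/schema/gender",
    "openid.ax.type.fav_dog=http://example.com/schema/favourite_dog",
    "openid.ax.type.fav_movie=http://example.com/schema/favourite_movie",
    "openid.ax.value.fname=John Smith",
    "openid.ax.count.gender=0",
    "openid.ax.value.fav_dog=Spot",
    "openid.ax.count.fav_movie=2",
    "openid.ax.value.fav_movie.1=Movie1",
    "openid.ax.value.fav_movie.2=Movie2",
    "openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41",
])


def ax_alias(params: dict) -> str:
    """The extension alias is whatever openid.ns.<alias> maps to the AX namespace;
    'ax' is conventional but an OP may pick any alias, so never hard-code it."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    raise ValueError("AX namespace not declared in response")


def parse_fetch_response(query: str) -> dict:
    """Map attribute type URI -> list of values (empty list = not supplied)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    prefix = "openid." + ax_alias(params) + "."
    ax = {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}
    if ax.get("mode") != "fetch_response":
        raise ValueError("not a fetch_response: mode=%r" % ax.get("mode"))

    attributes = {}
    for key, type_uri in ax.items():
        if not key.startswith("type."):
            continue
        alias = key[len("type."):]
        if "count." + alias in ax:
            n = int(ax["count." + alias])
            # KeyError here means the OP announced more values than it sent
            values = [ax["value.%s.%d" % (alias, i)] for i in range(1, n + 1)]
        elif "value." + alias in ax:
            values = [ax["value." + alias]]
        else:
            values = []
        attributes[type_uri] = values
    return attributes


def missing_required(attributes: dict, required_type_uris) -> list:
    """Type URIs the RP marked required that came back empty; the RP has to
    handle this (e.g. ask the user) rather than assume they are present."""
    return [t for t in required_type_uris if not attributes.get(t)]


if __name__ == "__main__":
    attrs = parse_fetch_response(SAMPLE_FETCH_RESPONSE)
    for type_uri, values in attrs.items():
        print(type_uri, "->", values)
    print("missing:", missing_required(attrs, ["http://example.com/schema/fullname",
                                              "http://example.com/schema/gender"]))
```

Keying the result by type URI rather than by alias is deliberate: the alias is chosen per request and means nothing outside it, whereas the type URI is what the RP actually asked for.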
![Page 21: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/21.jpg)
OpenID + OAuth
• Combines OpenID authentication and OAuth authorization
Request:
```text
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
```
Response:
```text
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
```
![Page 22: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/22.jpg)
OAuth 1.0a Flow
```text
+----------+                                 +---------------+
|         -+----(B)-- Request Token -------->|               |
| End-user |                                 | Authorization |
|    at    |<---(C)-- User authenticates --->|     Server    |
| Browser  |                                 |               |
|         -+----(D)-- Verifier -------------<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (B)  (D)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(A)-- Redirect URL ---------------|      |
|   Web   |<---(A)-- Request Token + Secret -----|      |
|  Client |>---(E)-- Request Token, Verifier ----'      |
|         |<---(E)-- Access Token + Secret -------------'
+---------+
```
Every request: client credentials, nonce, timestamp, signature
http://oauth.net/
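"Every request: client credentials, nonce, timestamp, signature" is the part of OAuth 1.0a that the later slides call the "Invalid Signature" problem, because the client and server must build byte-identical signature base strings. The code below is an added example, not from the talk, oauth.net or VZnet: it implements the HMAC-SHA1 signing of RFC 5849 on the client side and, on the resource-server side, the checks that make the nonce and timestamp worth sending at all (a timestamp window, a replay cache, and a constant-time signature compare). Consumer keys, secrets, tokens and the request URL are constructed placeholders.

```python
# Added example (not from the original slides or from oauth.net): the per-request
# signing that the slide summarises as "Client Credentials, Nonce, Timestamp,
# Signature", implemented as HMAC-SHA1 per RFC 5849, plus the server-side checks
# (timestamp window, nonce replay, constant-time compare). Keys, secrets and the
# request URL are constructed placeholders.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """scheme://host[:port]/path, lower-cased, default ports dropped, query removed."""
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.port and not ((u.scheme == "http" and u.port == 80) or (u.scheme == "https" and u.port == 443)):
        host = "%s:%d" % (host, u.port)
    return "%s://%s%s" % (u.scheme.lower(), host, u.path or "/")


def signature_base_string(method: str, url: str, params) -> str:
    """method & encoded URI & encoded(normalised parameters); params is an iterable of
    (name, value) pairs covering the query string and every oauth_* parameter except
    oauth_signature. Any byte the client and server encode differently in here is the
    classic source of an 'invalid signature' error."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalised = "&".join("%s=%s" % kv for kv in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalised)])


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None) -> dict:
    """Client side: build the oauth_* parameters for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, list(params.items()) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return oauth


class ResourceServer:
    """Server side: verify a signed request and reject replays."""

    def __init__(self, consumers: dict, tokens: dict, window: int = 300):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.tokens = tokens            # access token -> token_secret
        self.window = window            # accepted clock skew in seconds
        self.seen = set()               # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, oauth, now=None):
        now = int(time.time()) if now is None else now
        try:
            consumer_secret = self.consumers[oauth["oauth_consumer_key"]]
            token_secret = self.tokens[oauth["oauth_token"]]
            timestamp = int(oauth["oauth_timestamp"])
            nonce = oauth["oauth_nonce"]
            presented = oauth["oauth_signature"]
        except (KeyError, ValueError):
            return False, "missing or unknown credentials"
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        replay_key = (oauth["oauth_consumer_key"], timestamp, nonce)
        if replay_key in self.seen:
            return False, "replayed nonce"
        unsigned = [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
        expected = hmac_sha1(signature_base_string(method, url, list(params.items()) + unsigned),
                             consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return False, "invalid signature"
        self.seen.add(replay_key)       # only remember nonces of requests that verified
        return True, "ok"


if __name__ == "__main__":
    server = ResourceServer({"client-key": "client-secret"}, {"access-token": "token-secret"})
    url, query = "https://photos.example/photo", {"file": "vacation.jpg", "size": "original"}
    signed = sign_request("GET", url, query, "client-key", "client-secret", "access-token", "token-secret")
    print(server.verify("GET", url, query, signed))
    print(server.verify("GET", url, query, signed))  # same nonce again: rejected
```

Note that the nonce is recorded only after the signature verified; recording it first would let anyone who can see a nonce block the legitimate request that carries it.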
![Page 23: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/23.jpg)
Failures of OpenID 2.0
• Complex to implement
• No marketing
  – Do you have an OpenID?
  – What is it?
• URL as identifier => bad user experience
![Page 24: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/24.jpg)
Proprietary strikes back
![Page 25: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/25.jpg)
Facebook Connect
![Page 26: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/26.jpg)
Twitter @Anywhere
![Page 27: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/27.jpg)
And there are much, much more
![Page 28: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/28.jpg)
Nascar problem
Vaguely Artistic
![Page 29: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/29.jpg)
Phishing
![Page 30: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/30.jpg)
How to fix it?
Moff
![Page 31: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/31.jpg)
Aggregation: Janrain
http://www.janrain.com/
![Page 32: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/32.jpg)
OpenID Connect
• Goals:
  – Easier to implement
  – Simpler specification
  – Better user experience
  => wider adoption
• Built on top of OAuth 2.0
![Page 33: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/33.jpg)
What's wrong with OAuth?
• Does not work well with non-web or JavaScript-based clients
• The "Invalid Signature" problem
• Complicated flow, many requests
![Page 34: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/34.jpg)
What's new in OAuth 2? (Draft 10)
• Different client profiles
• No signatures
• No token secrets
• Cookie-like bearer token
• Mandatory TLS/SSL
• No request tokens
• Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
![Page 35: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/35.jpg)
Web-Server Profile
```text
+----------+          Client Identifier      +---------------+
|         -+----(A)--- & Redirect URI ------>|               |
| End-user |                                 | Authorization |
|    at    |<---(B)-- User authenticates --->|     Server    |
| Browser  |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Client Credentials, --------'      |
|   Web   |          Authorization Code,                |
|  Client |            & Redirect URI                   |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
```
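The Web-Server profile above replaces OAuth 1.0a's signed requests with a short-lived authorization code that the client trades for a bearer token over TLS, so the security of the flow rests on a handful of server- and client-side checks rather than on cryptography per request. The following in-memory model is an added example, not code from the talk, from draft-ietf-oauth-v2 or from VZnet: the authorization server binds the code to the client and a pre-registered redirect URI, accepts it exactly once and lets it expire; the web client ties the callback to its own session through the draft's optional state parameter. Client ids, secrets, hostnames and session ids are constructed.

```python
# Added example (not from the original slides or from draft-ietf-oauth-v2): an
# in-memory model of the Web-Server profile, steps (A) to (E), showing the checks
# each side makes. The server binds the authorization code to the client and the
# registered redirect URI, accepts it once and expires it quickly; the client
# binds the callback to its session through the draft's optional "state"
# parameter. Client ids, secrets, hosts and session ids are constructed.
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit


def query_param(url: str, name: str):
    """Small helper: read one parameter from a URL's query string."""
    return dict(parse_qsl(urlsplit(url).query)).get(name)


class AuthorizationServer:
    CODE_LIFETIME = 60  # seconds; codes are short-lived and single-use

    def __init__(self, clients: dict):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}         # code -> {"client_id", "redirect_uri", "user", "issued"}
        self.tokens = {}        # access_token -> {"client_id", "user"}

    def authorize(self, client_id, redirect_uri, state, user, now=None):
        """Steps (A)-(C): the user has authenticated at the server; issue a code
        and build the redirect. Only a pre-registered redirect URI is ever used,
        and the client's state value is echoed back unchanged."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "issued": time.time() if now is None else now}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Steps (D)-(E): exchange code plus client credentials for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None, "invalid_client"
        record = self.codes.pop(code, None)   # consumed on first presentation, valid or not
        if record is None:
            return None, "invalid_grant"
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None, "invalid_grant"
        if (time.time() if now is None else now) - record["issued"] > self.CODE_LIFETIME:
            return None, "invalid_grant"
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user": record["user"]}
        return {"access_token": access_token, "expires_in": 3600}, None


class WebClient:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending = {}   # session id -> state handed out in step (A)

    def start(self, session_id, authorization_endpoint):
        """Step (A): store a fresh state in the session and send the browser off."""
        state = secrets.token_urlsafe(16)
        self.pending[session_id] = state
        return authorization_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, session_id, redirected_url, server, now=None):
        """Steps (C)-(E): accept the code only if it comes back with this session's
        state; a code delivered to a session that never started a flow is dropped."""
        expected = self.pending.pop(session_id, None)
        code = query_param(redirected_url, "code")
        if not expected or expected != query_param(redirected_url, "state") or not code:
            return None, "state mismatch or missing code"
        return server.token(self.client_id, self.client_secret, code, self.redirect_uri, now)


def run_flow(server, client, session_id, user, now=None):
    """Drive one complete flow; step (B), the user authenticating, is assumed done."""
    url = client.start(session_id, "https://auth.example/authorize")
    redirect = server.authorize(client.client_id, client.redirect_uri,
                                query_param(url, "state"), user, now)
    return client.callback(session_id, redirect, server, now)


if __name__ == "__main__":
    srv = AuthorizationServer({"demo-client": {"secret": "demo-secret",
                                               "redirect_uris": {"https://client.example/cb"}}})
    cl = WebClient("demo-client", "demo-secret", "https://client.example/cb")
    print(run_flow(srv, cl, "session-1", "alice"))
```

Two of these checks do the work the diagram leaves implicit: the redirect URI is compared both when the code is issued and when it is redeemed, so a code can only be delivered to and redeemed by the same registered client, and the code is deleted on its first presentation, so a leaked code that arrives second is worthless.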
![Page 36: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/36.jpg)
User-Agent Profile
```text
+----------+          Client Identifier     +----------------+
|          |>---(A)-- & Redirection URI --->|                |
|          |                                |                |
End <-+ - - +----(B)-- User authenticates -->|  Authorization |
User  |     |                                |     Server     |
|          |<---(C)--- Redirect URI -------<|                |
|  Client  |          with Access Token     |                |
|    in    |            in Fragment         +----------------+
|  Browser |
|          |                                +----------------+
|          |>---(D)--- Redirect URI ------->|                |
|          |          without Fragment      |   Web Server   |
|          |                                |   with Client  |
|   (F)    |<---(E)--- Web Page with ------<|    Resource    |
|  Access  |          Script                |                |
|  Token   |                                +----------------+
+----------+
```
![Page 37: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/37.jpg)
What happened to signatures?
• Ongoing controversial discussion
• Bearer tokens are fine over a secure connection
• Vulnerable if discovery is introduced
• Or if TLS/SSL is not possible
![Page 38: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/38.jpg)
Scopes
• Optional parameter for provider-specific implementations
• For example:
  – Additional return values
  – Access control
![Page 39: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/39.jpg)
OpenID Connect?
• Scope: "openid"
• With the access token, additional values are returned:
  – UserID: URL to a Portable Contacts endpoint
  – Signature
  – Timestamp
http://openidconnect.com/
![Page 40: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/40.jpg)
DEMO
![Page 41: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/41.jpg)
OpenID Connect Discovery
• Get the identifier of the user
• Call the /.well-known/host-meta file at the domain of the user's provider
• Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
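The three discovery steps above, run end to end without a network: an added example, not code from the talk, from openidconnect.com or from VZnet. The host-meta document is an XRD constructed inline and served from a dictionary that stands in for the GET to /.well-known/host-meta, and the link relation URI is a placeholder (the slides do not name the value the draft used). The endpoint found is only accepted if it is an https URL, which is the precondition the OAuth 2 slides put on bearer tokens.

```python
# Added example (not from the original slides or from openidconnect.com): the
# three discovery steps (identifier -> host, fetch host-meta, find the Link),
# run against an XRD host-meta document that is constructed here (no network).
# OIDC_REL is a placeholder for whatever relation the OpenID Connect draft used;
# the slides do not name it. Hostnames are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
OIDC_REL = "http://example.org/rel/openid-connect-endpoint"  # placeholder rel value

# Constructed host-meta as it would be served from https://idp.example/.well-known/host-meta
HOST_META = {
    "idp.example": """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>idp.example</Subject>
  <Link rel="lrdd" template="https://idp.example/lrdd?uri={uri}"/>
  <Link rel="http://example.org/rel/openid-connect-endpoint"
        href="https://idp.example/oauth2/authorize"/>
</XRD>""",
}


def host_of(identifier: str) -> str:
    """Step 1: user@host and http(s)://host/... both name the provider's domain."""
    if "@" in identifier and "://" not in identifier:
        return identifier.rsplit("@", 1)[1].lower()
    host = urlsplit(identifier).hostname
    if not host:
        raise ValueError("cannot derive a host from %r" % identifier)
    return host.lower()


def fetch_host_meta(host: str) -> str:
    """Step 2: stand-in for GET https://<host>/.well-known/host-meta."""
    try:
        return HOST_META[host]
    except KeyError:
        raise LookupError("no host-meta for %s" % host)


def find_endpoint(xrd_xml: str, rel: str) -> str:
    """Step 3: the first Link whose rel matches. The href must be https; a
    plain-http endpoint would expose the bearer token the flow ends with."""
    root = ET.fromstring(xrd_xml)
    for link in root.iter(XRD_NS + "Link"):
        href = link.get("href")
        if link.get("rel") == rel and href:
            if urlsplit(href).scheme != "https":
                raise ValueError("endpoint %s is not an https URL" % href)
            return href
    raise LookupError("no Link with rel=%s" % rel)


def discover(identifier: str) -> str:
    """Identifier -> OpenID Connect endpoint, or an exception naming the failing step."""
    host = host_of(identifier)
    return find_endpoint(fetch_host_meta(host), OIDC_REL)


if __name__ == "__main__":
    print(discover("bastian@idp.example"))
    print(discover("https://idp.example/bastian"))
```

In a real client the dictionary lookup becomes an HTTPS request, and the same https-only rule should apply to that request: a host-meta document fetched over plain http can be rewritten on the way, and everything after step 2 then trusts the rewritten endpoint.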
![Page 42: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/42.jpg)
When will it be available at VZ?
NOW in BETA
http://developer.studivz.net/wiki/index.php/VZ-Login
http://github.com/vznet/vz_os_clientlibrary_php
![Page 43: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/43.jpg)
FOAF+SSL (WebID)
http://esw.w3.org/Foaf%2Bssl
![Page 44: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/44.jpg)
DEMO
![Page 45: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/45.jpg)
Problems
• Bad browser UI
• Syncing between different computers?
• More than one user on the same computer?
![Page 46: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/46.jpg)
UX Mockups: Mozilla Weave
![Page 47: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/47.jpg)
Summing it up
• We need a single sign-on system for the web
• OpenID is cool, but has some problems
• Proprietary solutions are bad for users, site owners and developers
• A new, simpler and more flexible spec is coming up
• Browser vendors are working to solve this problem in the browser
![Page 48: Distributed Identities with OpenID](https://reader033.vdocuments.site/reader033/viewer/2022042814/54c8c5794a79591b0f8b4583/html5/thumbnails/48.jpg)
Thank you
http://studivz.net/bastian
http://twitter.com/BastianHofmann
http://slideshare.net/bashofmann
http://github.com/vznet
http://developer.studivz.net