Easy Testing on Ruby OpenID Consumer Implementations
by Roman Gonzalez.
Tuesday 24 March 2009
Presentation Highlights
• What is OpenID?
• URLs as our identity credentials
• OpenID Terminology
• The OpenID authentication process explained
• How to implement RPs in Ruby
• Testing OpenID RPs
• Demo (Rails, Merb)
• Q&A
What is OpenID?
• A protocol that promotes the use of a single digital identity (Single Sign On)
• Decentralized
• Simple and light-weight (no high security stuff)
• Built upon Web technologies (HTTP, DNS)
URLs are our credentials
• Most people already have a URL to represent their identity (Facebook, Twitter)
• They are globally unique and ubiquitous
OpenID Terminology
• Actors
  • Identifier (URL of the user)
  • User-Agent (normally a Web Browser)
  • Relying Party (RP)
  • OpenID Provider (OP)
• Direct Messages
  • HTTP POST requests from RPs to OPs
  • Used for interchange of public keys
• Indirect Messages
  • HTTP Redirects from RPs to OPs and back
  • Used for the authentication process
OpenID Authentication: Step 1. Discovery
HTTP GET
OpenID Authentication: Step 2. Association
HTTP POST
Exchange of public keys
OpenID Authentication: Step 3. Give credentials to OP
OpenID Authentication: Step 4. Choose which info to give to the RP
OpenID Authentication: Step 5. You are _authenticated_
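Added example, not from the original slides or from ROTS: the Step 2 association exchange as a direct message pair, following the Diffie-Hellman association of OpenID Authentication 2.0. The slides only say that public keys are exchanged, so the field-level detail goes beyond them; the toy modulus and generator, the handle value and all function names are assumptions made for this example.

```ruby
require "openssl"

# Constructed toy group for a test fixture: 2**127 - 1 is prime but far too
# small for production, where the specification's default modulus applies.
TOY_P = 2**127 - 1
TOY_G = 5

# btwoc: big-endian two's complement; a leading zero keeps the value positive.
def btwoc(n)
  hex = n.to_s(16)
  raw = [hex.length.odd? ? "0#{hex}" : hex].pack("H*")
  raw.getbyte(0) >= 0x80 ? "\x00".b + raw : raw
end

def b64(n); [btwoc(n)].pack("m0"); end
def unb64(s); s.unpack1("m0").unpack1("H*").to_i(16); end
def xor(a, b); a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*"); end
def dh_mask(shared); OpenSSL::Digest::SHA256.digest(btwoc(shared)); end

# RP -> OP: fields of the direct (HTTP POST) associate request.
def rp_associate_request(xa, p = TOY_P, g = TOY_G)
  { "openid.ns" => "http://specs.openid.net/auth/2.0",
    "openid.mode" => "associate",
    "openid.assoc_type" => "HMAC-SHA256",
    "openid.session_type" => "DH-SHA256",
    "openid.dh_modulus" => b64(p),
    "openid.dh_gen" => b64(g),
    "openid.dh_consumer_public" => b64(g.pow(xa, p)) }
end

# OP -> RP: key-value response; the MAC key only travels masked by the DH secret.
def op_associate_response(req, xb, mac_key)
  p, g = unb64(req["openid.dh_modulus"]), unb64(req["openid.dh_gen"])
  shared = unb64(req["openid.dh_consumer_public"]).pow(xb, p)
  { "ns" => req["openid.ns"], "assoc_handle" => "constructed-handle-1",
    "assoc_type" => "HMAC-SHA256", "session_type" => "DH-SHA256",
    "expires_in" => "3600", "dh_server_public" => b64(g.pow(xb, p)),
    "enc_mac_key" => [xor(dh_mask(shared), mac_key)].pack("m0") }
end

# RP: reject degenerate server keys, then unmask the MAC key.
def rp_recover_mac_key(resp, xa, p = TOY_P)
  y = unb64(resp["dh_server_public"])
  raise ArgumentError, "dh_server_public out of range" unless y.between?(2, p - 2)
  xor(dh_mask(y.pow(xa, p)), resp["enc_mac_key"].unpack1("m0"))
end
```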
Implementing OpenID RPs in Ruby
• Ruby On Rails: open_id_authentication by rails at http://github.com
• Merb: hassox’s merb-auth gem, using the OpenID strategy
• Rack: Using the auth/openid Rack app included in the gem
Testing OpenID RPs
• How do we test it?
  • First naive approach: mocking/stubbing the ruby-openid gem
• Why is it so hard to test?
  • Multiple types of communication between the RP and the OP
  • The existing OPs need human interaction
Introducing ROTS (Ruby OpenID Test Server)
• It provides an “easy” interface for automated testing
• It uses an OP test server (provided in the gem) and a test API
DEMO
Final Thoughts
• ROTS is _not_ a silver bullet
• OpenID is not perfect, and it is not trying to be
Resources
• http://openidexplained.com
• http://github.com/rails/open_id_auth
• http://github.com/roman/rots
• http://test-id.net
Q&A
Thanks... Contact Me
Follow: http://twitter/romanandreg
Read: http://blog.romanandreg.com