INF 123 Software Architecture, Distributed Systems & Interoperability, Lecture 16, Prof. Crista Lopes
Post on 22-Dec-2015
Objectives
Understanding the difference between Authentication and Authorization
Understanding OpenID and OAuth
Identity on the Web
Millions of Web sites, each with their own users
Each user needs to remember N usernames+passwords
…why not interoperate identity? …why not interoperate more data?
OpenID in Action
“OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.”
www.stackoverflow.com
How it works
http://yahoo.com
http://openid.net/developers/specs/
How it works, in 11 steps
[Diagram: the OpenID flow between the Relying Party, the OpenID Provider and the OpenID Provider End Point; source: http://www.windley.com/archives/2006/04/how_does_openid.shtml]
Steps 1, 2 – Post Identifier
<form id="openid_form" action="/users/authenticate" method="post">
  <!-- /Simple OpenID Selector -->
  <table id="openid-url-input">
    <tr>
      <td><input id="openid_identifier" name="openid_identifier" type="url"></td>
      <td><input id="submit-button" type="submit" value="Sign in"></td>
    </tr>
  </table>
</form>
How it works – Discovery
Steps 3, 4 – Normalization & Discovery
Yadis Protocol: the response to an HTTP GET on the identity URL has Content-Type: application/xrds+xml
Step 3 – XRDS response
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="50">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://mylid.net/liddemouser</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
Steps 3, 4 – Normalization & Discovery
Plain HTTP
Returned document must contain a <link /> element:
<link rel="openid2.provider" href="http://endpoint"/>
How it works – Redirect 1
Step 5 – First redirect
Relying party parses the XRDS or the <link /> element and retrieves the OpenID provider end point.
Then it redirects (302, 303 or 307) the user agent to it, with query params appended to the URL:
HTTP/1.1 303 See Other
Location: https://login.yahoo.com?
    openid.ns=http://specs.openid.net/auth/2.0&
    openid.mode=checkid_setup&
    openid.claimed_id=e_mumble&
    openid.return_to=http://stackoverflow.com?article=123
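Steps 3, 4 and 5 carried through in code, as an added example that is not from the lecture slides or from any OpenID library. It parses the slide's XRDS document (choosing the Service with the lowest priority number, which XRDS treats as most preferred), falls back to the <link rel="openid2.provider"> element for a plain-HTML identity page, and builds the Location value for the step 5 redirect. The SAMPLE_XRDS and SAMPLE_HTML inputs are constructed from the slides; openid.identity is added to the redirect because OpenID 2.0 requires it alongside openid.claimed_id, which the slide's example omits.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Namespaces of the XRDS document shown on the slide, and the OpenID 2.0 protocol namespace.
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_XMLNS = "http://openid.net/xmlns/1.0"
OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample input: the slide's XRDS document (space before xmlns:openid restored).
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="50">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://mylid.net/liddemouser</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed sample input: a plain-HTML identity page carrying the <link> element from the slide.
SAMPLE_HTML = """<html><head><title>frank</title>
<link rel="openid2.provider" href="http://endpoint"/>
<link rel="stylesheet" href="/style.css">
</head><body>frank's profile page</body></html>"""


def discover_xrds(xrds_text, wanted_type="http://openid.net/signon/1.0"):
    """Yadis branch of steps 3/4: return (endpoint URI, delegate or None) of the
    Service of the wanted Type with the lowest priority number, or None if absent."""
    root = ET.fromstring(xrds_text)
    candidates = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if wanted_type not in types or uri is None or not uri.text:
            continue  # wrong protocol, or a Service with no end point at all
        delegate = svc.find(f"{{{OPENID_XMLNS}}}Delegate")
        pri = svc.get("priority")
        rank = int(pri) if pri is not None and pri.isdigit() else float("inf")  # no priority = least preferred
        candidates.append((rank, uri.text.strip(),
                           delegate.text.strip() if delegate is not None and delegate.text else None))
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0])
    return candidates[0][1], candidates[0][2]


class _ProviderLinkFinder(HTMLParser):
    """Plain-HTTP branch of steps 3/4: remember the first <link rel="openid2.provider" href=...>."""
    def __init__(self):
        super().__init__()
        self.provider = None

    def handle_starttag(self, tag, attrs):
        if tag != "link" or self.provider is not None:
            return
        a = {k: (v or "") for k, v in attrs}
        if "openid2.provider" in a.get("rel", "").lower().split():
            self.provider = a.get("href")


def discover_html(html_text):
    finder = _ProviderLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.provider


def discover(document, content_type):
    """Dispatch on the Content-Type of the GET on the identity URL, as the slides describe."""
    if content_type.split(";")[0].strip().lower() == "application/xrds+xml":
        found = discover_xrds(document)
        return found[0] if found else None
    return discover_html(document)


def build_checkid_setup_url(op_endpoint, claimed_id, return_to):
    """Step 5: the Location value of the 303 that sends the user agent to the OP."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,  # required with claimed_id by OpenID 2.0; not on the slide
        "openid.return_to": return_to,
    }
    separator = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + separator + urlencode(params)


if __name__ == "__main__":
    endpoint = discover(SAMPLE_XRDS, "application/xrds+xml")
    print("OP end point:", endpoint)
    print("Redirect to:", build_checkid_setup_url(
        endpoint, "http://www.livejournal.com/users/frank/", "http://stackoverflow.com?article=123"))
```

The priority handling is the part worth noticing: with the slide's document the livejournal service (priority 10) is chosen over myopenid (priority 50), and a Service that advertises a Type but no URI is skipped rather than producing an empty end point.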
How it works – Login
Steps 6, 7, 8, 9 – Login
Undefined in the Spec
Usually a regular login form with POST
May include further verification with the user
This is a vulnerable point in the process (more later)
How it works – Final Redirect
Step 10 – Final Redirect
OpenID Provider End Point redirects user agent back to the “return_to” URL.
HTTP/1.1 303 See Other
Location: http://stackoverflow.com?article=123&
    openid.ns=http://specs.openid.net/auth/2.0&
    openid.op_endpoint=https://login.yahoo.com&
    openid.return_to=http://stackoverflow.com?article=123&
    openid.identity=e_mumble&
    openid.response_nonce=2005-05-15T17:11:51ZUN6TY9&
    openid.sig=MACsignature
Step 10
Relying party must verify a few things before deciding that the user is authenticated:
return_to matches
identifier matches
nonce is unique
signature is valid
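The step 10 checks listed above, implemented as an added example (not from the slides or from an OpenID library). It assumes the stateful association mode of OpenID 2.0, where the RP and OP share an association secret and the OP lists the signed fields in openid.signed (a field the slide's example omits); the signature is HMAC-SHA256 over the key-value form of those fields. The association secret, the NonceStore and the make_sample_response function standing in for the OP are all constructed for the example. The nonce is checked both ways a relying party needs: its timestamp prefix must fall within a skew window, and the (op_endpoint, nonce) pair is remembered so a replayed response is rejected.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields OpenID 2.0 requires the signature to cover (from the spec; the slide lists no openid.signed).
MUST_BE_SIGNED = {"op_endpoint", "return_to", "identity", "response_nonce"}


def key_value_form(params, signed_fields):
    """OpenID 2.0 key-value form: one 'key:value\\n' line per signed field, keys without the openid. prefix."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)


def sign_params(assoc_secret, params):
    """HMAC-SHA256 over the key-value form of the fields named in openid.signed, base64 encoded."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(assoc_secret, key_value_form(params, signed).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def nonce_timestamp(nonce):
    """response_nonce starts with a UTC timestamp (2005-05-15T17:11:51Z on the slide) followed by unique characters."""
    return datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class NonceStore:
    """Remembers (op_endpoint, nonce) pairs so a captured response cannot be presented twice."""
    def __init__(self):
        self._seen = set()

    def consume(self, op_endpoint, nonce):
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def _return_to_parts(url):
    """Scheme, host, path and the non-openid.* query parameters, for comparing the arrival URL with return_to."""
    parts = urlsplit(url)
    extra = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if not k.startswith("openid."))
    return parts.scheme, parts.netloc, parts.path, extra


def verify_response(url, expected_return_to, expected_identity, op_endpoint, assoc_secret, nonces,
                    now=None, max_skew_seconds=300):
    """The slide's checks: return_to matches, identifier matches, nonce is unique (and fresh), signature is valid."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if params.get("openid.ns") != OPENID_NS:
        return False, "unexpected openid.ns"
    if params.get("openid.return_to") != expected_return_to or _return_to_parts(url) != _return_to_parts(expected_return_to):
        return False, "return_to mismatch"
    if params.get("openid.op_endpoint") != op_endpoint:
        return False, "op_endpoint differs from the end point found during discovery"
    if params.get("openid.identity") != expected_identity:
        return False, "identity mismatch"
    signed = params.get("openid.signed", "").split(",")
    if not MUST_BE_SIGNED.issubset(signed) or any("openid." + k not in params for k in signed):
        return False, "signed field list incomplete"
    expected_sig = sign_params(assoc_secret, params).encode("utf-8")
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "").encode("utf-8")):
        return False, "signature invalid"
    nonce = params.get("openid.response_nonce", "")
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed response_nonce"
    now = now or datetime.now(timezone.utc)
    if abs((now - issued).total_seconds()) > max_skew_seconds:
        return False, "response_nonce outside the accepted time window"
    if not nonces.consume(op_endpoint, nonce):
        return False, "response_nonce already used (replay)"
    return True, "authenticated"


def make_sample_response(assoc_secret, return_to, identity, op_endpoint, nonce):
    """Constructed stand-in for the OP side of step 10: build and sign the positive assertion URL."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.return_to": return_to,
        "openid.identity": identity,
        "openid.response_nonce": nonce,
        "openid.signed": "op_endpoint,return_to,identity,response_nonce",
    }
    params["openid.sig"] = sign_params(assoc_secret, params)
    separator = "&" if urlsplit(return_to).query else "?"
    return return_to + separator + urlencode(params)
```

The signature is verified before the nonce is consumed, so an unsigned or badly signed request cannot burn a nonce that a genuine response will need; the identity check runs before the signature check so that the diagnostic names the field that disagrees, but a changed identity with the original signature would fail the signature check anyway.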
How it works – Finally!
Final Remarks
The whole point of OpenID is to authenticate users: your web app wants to verify that the user
john.smith@yahoo.com really is john.smith at yahoo.com.
OpenID knows nothing about authorization: after establishing identity, your application
must decide which resources this user is allowed to access.
authentication ≠ authorization
OAuth
The goal of OAuth is to acquire an access token from a 3rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3rd party service (such as calendar information or friends list)
[Diagram: Your app obtains an access token and uses it to access user data held by Facebook/Google]
OpenID+OAuth
Lets arbitrary apps (like yours) access your Twitter/Facebook/Google/etc. account without you having to give them your password