Distributed Identity via OpenID

OPENID AND THE CASE OF DISTRIBUTED IDENTITY EXPLORING THE PROBLEM OF DISTRIBUTED IDENTITY AND OFFERING SOME SOLUTIONS 1

WHAT ARE WE TALKING ABOUT? IDENTITY === AUTHENTICATION ? DIGITAL IDENTITY REFERS TO THE ASPECT OF DIGITAL TECHNOLOGY THAT IS CONCERNED WITH THE MEDIATION OF PEOPLE'S EXPERIENCE OF THEIR OWN IDENTITY AND THE IDENTITY OF OTHER PEOPLE AND THINGS. “DIGITAL IDENTITY” ALSO HAS ANOTHER COMMON USAGE AS THE DIGITAL REPRESENTATION OF A SET OF CLAIMS MADE BY ONE DIGITAL SUBJECT ABOUT ITSELF OR ANOTHER DIGITAL SUBJECT. IDENTITY == AUTHENTICATION 2

STANDARD AUTHENTICATION 3

STANDARD AUTHENTICATION A “USER” AGENT REQUESTS A “PAGE” RESOURCE 4

STANDARD AUTHENTICATION A “USER” AGENT REQUESTS A “PAGE” RESOURCE IS THE RESOURCE REQUESTED PUBLIC? 4

STANDARD AUTHENTICATION A “USER” AGENT REQUESTS A “PAGE” RESOURCE IS THE RESOURCE REQUESTED PUBLIC? IF NOT, IS THE REQUESTING AGENT AUTHENTICATED? 4

STANDARD AUTHENTICATION A “USER” AGENT REQUESTS A “PAGE” RESOURCE IS THE RESOURCE REQUESTED PUBLIC? IF NOT, IS THE REQUESTING AGENT AUTHENTICATED? IF NOT, IS THE REQUESTING AGENT REGISTERED? 4

STANDARD AUTHENTICATION IF “USER” IS REGISTERED BUT NOT AUTHENTICATED, THEN PRESENT THE “LOGIN” FORM... 5

STANDARD AUTHENTICATION IF “USER” IS REGISTERED BUT NOT AUTHENTICATED, THEN PRESENT THE “LOGIN” FORM... IF “USER” IS NEITHER AUTHENTICATED NOR REGISTERED, THEN PRESENT THE “REGISTRATION” FORM... 5

STANDARD AUTHENTICATION IF “USER” IS REGISTERED BUT NOT AUTHENTICATED, THEN PRESENT THE “LOGIN” FORM... IF “USER” IS NEITHER AUTHENTICATED NOR REGISTERED, THEN PRESENT THE “REGISTRATION” FORM... SIMILAR PROCESSING; SUCCESS RETURNS TO THE ORIGINAL REQUEST. 5

STANDARD AUTHENTICATION INPUT FILTERING TO COMBAT SCRIPT INJECTION 6

STANDARD AUTHENTICATION INPUT FILTERING TO COMBAT SCRIPT INJECTION UNIQUENESS OF LOCAL IDENTITY 6

STANDARD AUTHENTICATION INPUT FILTERING TO COMBAT SCRIPT INJECTION UNIQUENESS OF LOCAL IDENTITY CREDENTIAL SECURITY PASSWORD STRENGTH 6

STANDARD AUTHENTICATION INPUT FILTERING TO COMBAT SCRIPT INJECTION UNIQUENESS OF LOCAL IDENTITY CREDENTIAL SECURITY PASSWORD STRENGTH DATA STORE 6

STANDARD AUTHENTICATION INPUT FILTERING TO COMBAT SCRIPT ! !! INJECTION C UNIQUENESS OF LOCAL A HE S D IDENTITY H E A CREDENTIAL SECURITY PASSWORD STRENGTH DATA STORE 6

REP ETIT STANDARD AUTHENTICATION INPUT FILTERING TO ION !!! COMBAT SCRIPT ! !! INJECTION C UNIQUENESS OF LOCAL A HE S D IDENTITY H E A CREDENTIAL SECURITY PASSWORD STRENGTH DATA STORE 6

REP ETIT STANDARD AUTHENTICATION INPUT FILTERING TO ION !!! COMBAT SCRIPT ! !! INJECTION C UNIQUENESS OF LOCAL A HE S D IDENTITY A H E FAIL!!! CREDENTIAL SECURITY PASSWORD STRENGTH DATA STORE 6

INT RODUCI NG ! IDENTITY FEDERATION WHY CAN’T SOMEBODY ELSE DO ALL THIS FOR ME? BUT T NE W ! NO IM P R OVED 7

FEDERATED IDENTITY HOW THIS IS SUPPOSED TO WORK... 8

FEDERATION VIA OPENID 9

THAT SEEMS EASY... EVEN EASIER WITH EXISTING LIBRARIES: ZEND_OPENID FOR PHP5 RUBY-OPENID FOR RUBY NET::OPENID FOR PERL MOD_AUTH_OPENID FOR APACHE2 OPENID4JAVA FOR JAVA CHECK THE OPENID.NET WIKI FOR MORE...! 10

LET’S TRY IT OUT! views/openid/new.html.erb: $> openid_consumer defgem install ruby-openid complete create <html> $> Get the=OpenID parameter home_url # @openid_consumer.blank? ifscript/generate controller openid new create complete\"index\" url_for :controller => \"openid\", :action => openid_consumer openid_url = params[:openid_url] complete_url = url_for :controller => \"openid\", :action => \"complete\" @openid_consumer = <head> OpenID::Consumer.new(session, <title>Log in with OpenID</title> openid_response = something # Make sure we gotopenid_consumer.complete(params, complete_url) </head>OpenID::Store::Filesystem.new(\"#{RAILS_ROOT}/tmp/openid\")) if <body> endopenid_url.blank? session[:openid]=flash[:error].blank? %> try again\" flash[:error] =\"No OpenID was entered; <% if not openid_response.identity_url flash[:error] :back flash[:error] -%></b></p> return @openid_consumer redirect_to = \"You have been logged in as '#{session[:openid]}'\" <p><b><%= endreturn end %> redirect_to :action => \"new\" <% return end { } end <% form_tag \"/openid/create\" do %> # Get an OpenID response <%= text_field_tag \"openid_url\" %> openid_response = openid_consumer.begin openid_url <%= submit_tag \"Log in with OpenID\" %> <% end %> home_url = url_for :controller => \"openid\", :action => \"index\" </body> </html> complete_url = url_for :controller => \"openid\", :action => \"complete\" openid_redirect_url = openid_response.redirect_url(home_url, complete_url) redirect_to openid_redirect_url return end HTTP://WWW.LINUXJOURNAL.COM/ARTICLE/10104 11

TRANSMISSION COMPLETE SOURCES AVAILABLE ON DEL.ICIO.US 12

Distributed Identity via OpenID

0 comments

Notes on slide 1

3 Favorites