OpenID and OAuth

  • 6,215 views
Uploaded on

An technical introduction to OpenID and OAuth

An technical introduction to OpenID and OAuth

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
6,215
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
214
Comments
0
Likes
6

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. An introduction to OpenID and OAuth http://andrea-chiodoni.myopenid.com/ Lugano, 16 March 2011martedì, 15 marzo 2011
  • 2. Agenda • Why OpenID and OAuth. • What is OpenID for users, engineers and developers. • What is OAuth for users, engineers and developers. • Conclusions.martedì, 15 marzo 2011
  • 3. Why OpenID and OAuth • Everyone is using more and more SaaS and social WEB. • There is a vast amount of data (and functionalities) available. • WEB based APIs are there to be used. • It’s a great time to be a developer: you can take advantage of data and functionalities available “in the cloud”.martedì, 15 marzo 2011
  • 4. ... great but: • too many identities! • how to deal with authorization?martedì, 15 marzo 2011
  • 5. <!-- Here we begin with OpenID --> <OpenID terminology="OpenID"> <![CDATA[martedì, 15 marzo 2011
  • 6. <!--.... for users...-->martedì, 15 marzo 2011
  • 7. OpenID for users • Sign-in to multiple websites with one OpenID identity, from http://openid.net: • Identities are URI: http://andrea-chiodoni.myopenid.com/ • So, how can I get an OpenID? • google.com, yahoo.com, flicker.com, .... • myopenid.com, claimid.com, clavid.com, ... • http://en.wikipedia.org/wiki/List_of_OpenID_providers • Just use it!martedì, 15 marzo 2011
  • 8. <!--.... for engineers...-->martedì, 15 marzo 2011
  • 9. OpenID for engineers • OpenID is an identity technology (mainly a protocol). • I’ll cover (mainly) OpenID 2.0 (December 2007). • Authentication as a Service (AaaS) enabling Single Sign-on. • Free and open: •A foundation (http://openid.net/foundation/) promotes, protects and nurtures OpenID community and technologies. • Swiss OpenID community http://www.openid.ch/en/martedì, 15 marzo 2011
  • 10. OpenID for engineers “Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.” Brad Fitzpatrick (Founder of LiveJournal weblog community and father of OpenID)martedì, 15 marzo 2011
  • 11. OpenID for engineers • Decentralised. No central authority must approve or register Relying Parties or OpenID Providers. An end user can freely choose which OpenID Provider to use, and can preserve their Identifier if they switch OpenID Providers. • Attribute exchange: support for shorter registrations. • No need of JavaScript (see SAML SSO Browser/POST profile). • User-Supplied, Claimed and OP-Local Identifiers. • OpenID discovery protocol: XRI, XRDS and Yadis.martedì, 15 marzo 2011
  • 12. OpenID for engineers (2) Normalization, Discovery of OP endpoint (5) Authentication(7) Verification (3) Association OpenID Relying Party Provider (4) Authentication request: HTTP 302 (6) Authentication response: HTTP 302 + Assertion (1) Initiation: HTTP POST [positive, negative] openid_identifier User-agent OpenID Authentication protocol 2.0 (http://openid.net/developers/specs/)martedì, 15 marzo 2011
  • 13. OpenID for real engineers (4) Authentication request: HTTP 302 (URL decoded) http://www.myopenid.com/server?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http:// andrea.chiodoni.myopenid.com/&openid.identity=http://andrea.chiodoni.myopenid.com/ &openid.return_to=http://localhost:7070/postcards/ j_spring_openid_security_check&openid.realm=http://localhost:8080/&openid.assoc_handle={HMAC- SHA256}{4d63572b}{A2ZnQQ==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/ srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://axschema.org/contact/ email&openid.ext1.type.firstName=http://axschema.org/namePerson/ first&openid.ext1.type.lastName=http://axschema.org/namePerson/last&openid.ext1.type.email2=http:// schema.openid.net/namePerson&openid.ext1.type.fullName=http://schema.openid.net/contact/ email&openid.ext1.required=email,firstName,lastName,email2,fullNamemartedì, 15 marzo 2011
  • 14. OpenID for real engineers (6) Authentication response: HTTP 302 + Assertion (URL decoded) http://localhost:7070/postcards/j_spring_openid_security_check?openid.assoc_handle={HMAC- SHA256}{4d63572b}{A2ZnQQ==} &openid.ax.count.email=0&openid.ax.count.email2=1&openid.ax.count.firstName=0&openid.ax.count.f ullName=1&openid.ax.count.lastName=0&openid.ax.mode=fetch_response&openid.ax.type.email=htt p://axschema.org/contact/email&openid.ax.type.email2=http://schema.openid.net/ namePerson&openid.ax.type.firstName=http://axschema.org/namePerson/ first&openid.ax.type.fullName=http://schema.openid.net/contact/ email&openid.ax.type.lastName=http://axschema.org/namePerson/ last&openid.ax.value.email2.1=Andrea Chiodonia.Myopenid.Com&openid.ax.value.fullName. 1=andrea.chiodoni@gmail.com&openid.claimed_id=http://chiodonia.myopenid.com/ &openid.identity=http://chiodonia.myopenid.com/&openid.mode=id_res&openid.ns=http:// specs.openid.net/auth/2.0&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.op_endpoint=http:// www.myopenid.com/ server&openid.response_nonce=2011-02-22T06:40:45ZVdy1vV&openid.return_to=http://localhost: 7070/postcards/j_spring_openid_security_check&openid.sig=BpObOdfLDYjdjirp63yQeUU/kmCnvoui/ Sxp1cx6AjI=&openid.signed=assoc_handle,ax.count.email,ax.count.email2,ax.count.firstName,ax.count.f ullName,ax.count.lastName,ax.mode,ax.type.email,ax.type.email2,ax.type.firstName,ax.type.fullName,ax .type.lastName,ax.value.email2.1,ax.value.fullName. 1,claimed_id,identity,mode,ns,ns.ax,op_endpoint,response_nonce,return_to,signed See: http://en.wikipedia.org/wiki/Cryptographic_noncemartedì, 15 marzo 2011
  • 15. <!--.... for developers...-->martedì, 15 marzo 2011
  • 16. OpenID RP for developers Easy for spring developers using spring security: <input id="openid_identifier" name="openid_identifier" type="text"/> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-openid</artifactId> <version>${spring.security.version}</version> </dependency> <http auto-config="true" ...> You may need a mapping <openid-login/> between your existing user identity and their OpenID! </http> For the rest of the Java community: http://code.google.com/p/openid4java/martedì, 15 marzo 2011
  • 17. ]]> </OpenID> <!-- Here we begin with OAuth --> <OAuth terminology="OAuth"> <![CDATA[martedì, 15 marzo 2011
  • 18. <!--.... for users...-->martedì, 15 marzo 2011
  • 19. OAuth for users User <<Resource Owner>> Use-case: a user wants to send postcards using the PostCards SaaS. Addresses are taken from a second service on the cloud Browser call Contacts (see REST API). <<User-agent>> /contacts /postcards <<Authorization Server>> <<Client>> <<Resource Server>> /contacts/mycontacts <<REST/JSON API>>martedì, 15 marzo 2011
  • 20. OAuth for users • Issues: • Clients are required to store Resource owner creds for Resource Servers. • Clients need to support Resource servers authentication protocols. • Clients gain full access to Resource owner protected resources. • Resource owner cant revoke access. • OAuth is a security protocol that enables users to grant third- party access to their web resources without sharing their passwords, from http://oauth.net: • Passwords are not nuts: don’t give them away!martedì, 15 marzo 2011
  • 21. <!--.... for engineers...-->martedì, 15 marzo 2011
  • 22. OAuth for engineers • OAuth is a security authorization protocol. • OAuth 1.0 (IETF RFC5849), around since 2006. • OAuth 2.0 (IETF draft, V2-13) will obsoletes RFC5849. • OAuth 2.0 is incompatible with OAuth 1.0. • OAuth 1.0 must used by OAuth 2.0 adoption is ramping-up (Facebook, Google since 14.3.2011). • OAuth 2.0 focus on client simplicity (less cryptographic). • I’ll cover (mainly) OAuth 2.0, 3-Legged OAuth flow.martedì, 15 marzo 2011
  • 23. OAuth for engineers • While OAuth can be used with other transport protocols, it is only defined (bindings) for HTTP(s) resources. • OAuth can be used on other use-cases, see grant types: • Authorization code: the one we are going treat. • Implicit grant: suited for applications residing in a user-agent. • Resource Owner password credentials: resource owner has a trust relationship with the client. • Client credentials: when the client is requesting access to the protected resources under its control. • Additional grant types (extensions) like the OAuth-SAML bridgemartedì, 15 marzo 2011
  • 24. OAuth for engineers <<Authorization Endpoint>> User (2.1) Obtaining <<Resource Owner>> Authorization (2.2) Authentication (2.3) Grant access Browser <<User-agent>> <<Authorization Server>> <<Token Endpoint>> (2.5) Obtaining (2.4) <<Redirection URI>> Authorization (1) Authentication /contacts (2.6) Protected Resources (3) Accessing /postcards <<Resource Server>> <<Client>> <<API>> OAuth protocol 2.0: Authorization Code Flow (http://oauth.net/2/)martedì, 15 marzo 2011
  • 25. OAuth for real engineers (2) Obtaining Authorization: Authorization Code (URL decoded) (2.1) Authorization Request: client redirects to authorization endpoint HTTP/1.1 302 Found Location: http://localhost:8080/contacts/oauth/user/authorize?client_id=postcards&redirect_uri=http:// localhost:7070/postcards/contacts&response_type=code (2.2) Authorization Response: authorization server issues an authorization code and redirects back to the redirection URI HTTP/1.1 302 Found Location: http://localhost:7070/postcards/contacts?code=lrbwoF OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849)martedì, 15 marzo 2011
  • 26. OAuth for real engineers (2.5) Access Token Request: client POST to token endpoint POST /contacts/oauth/authorize HTTP/1.1 Accept: application/json, application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&redirect_uri=http://localhost:7070/postcards/ contacts&code=lrbwoF&client_id=postcards (2.6) Access Token Response (Issuing an Access Token): HTTP response to (5.1) HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store { "access_token": "4f919d60-5751-4860-8f3a-253c5700b9c1", "expires_in": 43199, "refresh_token": "611ef1d8-d7ed-4a02-9fcb-4dd36468d00c", "token_type": "undefined" } OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849)martedì, 15 marzo 2011
  • 27. OAuth for real engineers (3) Accessing Protected Resources GET /contacts/mycontacts HTTP/1.1 Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1 Accept: application/json ... even with curl... curl -i -H Accept:application/json -H "Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1" http://localhost:8080/contacts/mycontacts ... and without a valid OAuth token! curl -i -H Accept:application/json http://localhost:8080/contacts/mycontacts HTTP/1.1 302 Found WWW-Authenticate: OAuth2 OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849)martedì, 15 marzo 2011
  • 28. <!--.... for developers...-->martedì, 15 marzo 2011
  • 29. OAuth for developers Easy for spring developers using spring security and OAuth extension: On the both client and resource server: <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth</artifactId> <version>${spring.security.oauth.version}</version> </dependency> For the rest of the Java community: http://code.google.com/p/oauth/martedì, 15 marzo 2011
  • 30. OAuth for developers On the client: Modify your spring security context: <oauth:client /> <oauth:resource id="contacts" type="authorization_code" clientId="postcards" accessTokenUri="http://localhost:8080/contacts/oauth/authorize" userAuthorizationUri="http://localhost:8080/contacts/oauth/user/authorize" /> Use the OAuth REST template: org.springframework.security.oauth2.consumer.OAuth2RestTemplatemartedì, 15 marzo 2011
  • 31. OAuth for developers ... and the resource server: Modify your spring security context: <beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices"> <beans:property name="supportRefreshToken" value="true" /> </beans:bean> <oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices"> <oauth:verification-code user-approval-page="/oauth/confirm_access" /> </oauth:provider> <oauth:client-details-service id="clientDetails"> <oauth:client clientId="postcards" authorizedGrantTypes="authorization_code" /> </oauth:client-details-service> Provide an approval page, see accessConfirmation.jspmartedì, 15 marzo 2011
  • 32. ]]> </OAuth>martedì, 15 marzo 2011
  • 33. Conclusions • “Free” identities, make data portable! • Today OpenID is the most successful way to AaaS, maybe not free of issues (http://www.infoq.com/news/2011/01/OpenID). OpenID 3.0 should fix most of those issues. • Initiatives around DataPortability (http://en.wikipedia.org/wiki/ DataPortability): • OData, http://www.odata.org/ (Microsoft) • GData, http://code.google.com/intl/it-IT/apis/gdata/ (Google) • You may be interested in http://www.springsource.org/spring- social/martedì, 15 marzo 2011
  • 34. Thanks! http://andrea-chiodoni.myopenid.com/martedì, 15 marzo 2011