Distributed Identities with OpenID

Talk about Distributed Identities with OpenID from the Confoo Conference



  1. Distributed Identities with OpenID
     Bastian Hofmann, VZnet Netzwerke Ltd.
  2. About me
  3. OpenID is dead
  4. „OpenID has been a burden on support since the day it was launched.“
     „Fewer than 1% of all 37signals users are currently using OpenID.“
     http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
  5. „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“
     Yishan Wong (Facebook)
     http://www.quora.com/What-s-wrong-with-OpenID
  6. Facebook Connect: 250,000,000 monthly users
  7. So why are you here?
  8. • Why identity management is still a problem
     • OpenID: how it works, and why it fails
     • OpenID Connect & OAuth2: OpenID's future?
     • What can browser vendors do?
  9. Questions? Ask!
  10. Only one identity?
  11. Identity is conveyed by communication. Identity is not fixed but recreated by every communication with your fellows. Expectations of different people result in different identities.
      Lothar Krappmann
  12. Paul Adams: http://www.slideshare.net/padday/the-real-life-social-network-v2
  13. Sign up again and again
  14. Passwords are broken
      • Same password for more than one service
      • Saved insecurely in the browser
      • Names, birthdays, car brand, ...
      • Disclosed to others
      • Too short, too simple
      • Sent over unencrypted connections
  15. Single Sign On
  16. Microsoft Live ID: launched 1999 as .NET Passport
  17. Facebook Connect
  18. And there are many more
  19. Nascar problem
  20. Aggregation: Janrain, http://www.janrain.com/
  21. OpenID: http://openid.net/
  22. The Client
  23. Discovery
        <link rel="openid.server" href="http://www.myopenid.com/server" />
        <link rel="openid2.provider" href="http://www.myopenid.com/server" />
      Delegation
        <meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
        <link rel="openid2.provider" href="http://www.myopenid.com/server" />
        <link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
        <link rel="openid.server" href="http://www.myopenid.com/server" />
        <link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
  24. Connection Flow
  25. DEMO
  26. Authentication vs Authorization
      Who is the user? Is this really user X?
      vs.
      Is X allowed to do something? Does X have the permission?
      Client sites want more than just a unique identifier (Social Graph)
  27. But there are Spec Extensions
  28. Simple Registration
      • Allows the client to specify certain fields in the request that must or should be returned by the Identity Provider
        openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender
        openid.sreg.fullname=Bastian&openid.sreg.gender=male
  29. Attribute Exchange
      • Fetch Request
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=fetch_request
        openid.ax.type.fname=http://example.com/schema/fullname
        openid.ax.type.gender=http://example.com/schema/gender
        openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
        openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
        openid.ax.count.fav_movie=3
        openid.ax.required=fname,gender
        openid.ax.if_available=fav_dog,fav_movie
        openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  30. Attribute Exchange
      • Fetch Response
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=fetch_response
        openid.ax.type.fname=http://example.com/schema/fullname
        openid.ax.type.gender=http://example.com/schema/gender
        openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
        openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
        openid.ax.value.fname=John Smith
        openid.ax.count.gender=0
        openid.ax.value.fav_dog=Spot
        openid.ax.count.fav_movie=2
        openid.ax.value.fav_movie.1=Movie1
        openid.ax.value.fav_movie.2=Movie2
        openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  31. Attribute Exchange
      • Store Request
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=store_request
        openid.ax.type.fname=http://example.com/schema/fullname
        openid.ax.value.fname=Bob Smith
        openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
        openid.ax.count.fav_movie=2
        openid.ax.value.fav_movie.1=Movie1
        openid.ax.value.fav_movie.2=Movie2
      • Store Response
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=store_response_success
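Parsing the fetch_response from slide 30 into attribute values, as an added Python example that is not from the talk: multi-valued attributes arrive as count/value.N pairs, count=0 means the OP returned nothing, and a relying party should only trust AX fields that the OP covered with its signature (the openid.signed list). The sample response and its signed list are constructed from the slide's values.

```python
AX_NS = "http://openid.net/srv/ax/1.0"
def parse_ax_fetch_response(params):
    """Map attribute type URI -> list of values from an AX fetch_response.

    Single-valued: openid.ax.value.<alias>; multi-valued: openid.ax.count.<alias>=N
    plus openid.ax.value.<alias>.1..N (count=0: the OP returned nothing).
    Every field used must be covered by the OP's signature (openid.signed)."""
    signed = set(params.get("openid.signed", "").split(","))

    def field(key):
        # openid.signed lists names without the "openid." prefix; an AX field
        # outside it could have been appended by anyone, so it is rejected.
        if key[len("openid."):] not in signed:
            raise ValueError("unsigned field: " + key)
        return params[key]
    if field("openid.ns.ax") != AX_NS:
        raise ValueError("unexpected AX namespace")
    if field("openid.ax.mode") != "fetch_response":
        raise ValueError("not a fetch_response")
    result = {}
    for key in params:
        if not key.startswith("openid.ax.type."):
            continue
        alias = key[len("openid.ax.type."):]
        if "." in alias:                       # AX forbids periods in aliases
            raise ValueError("bad alias: " + alias)
        if "openid.ax.count." + alias in params:
            n = int(field("openid.ax.count." + alias))
            values = [field("openid.ax.value.%s.%d" % (alias, i)) for i in range(1, n + 1)]
        elif "openid.ax.value." + alias in params:
            values = [field("openid.ax.value." + alias)]
        else:
            values = []
        result[field(key)] = values
    return result

# Constructed fetch_response built from the slide's pairs. The signed list is
# generated here; in a real assertion it comes from the OP under its signature.
SAMPLE = {
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.fname": "http://example.com/schema/fullname",
    "openid.ax.type.gender": "http://example.com/schema/gender",
    "openid.ax.type.fav_dog": "http://example.com/schema/favourite_dog",
    "openid.ax.type.fav_movie": "http://example.com/schema/favourite_movie",
    "openid.ax.value.fname": "John Smith", "openid.ax.count.gender": "0",
    "openid.ax.value.fav_dog": "Spot", "openid.ax.count.fav_movie": "2",
    "openid.ax.value.fav_movie.1": "Movie1", "openid.ax.value.fav_movie.2": "Movie2",
}
SAMPLE["openid.signed"] = ",".join(k[len("openid."):] for k in SAMPLE)
```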
  32. OAuth 1.0a Flow
      (A) Web Client -> Authorization Server: Redirect URL; Authorization Server -> Web Client: Request Token + Secret
      (B) End-user at Browser -> Authorization Server: Request Token
      (C) User authenticates at the Authorization Server
      (D) Authorization Server -> Browser -> Web Client: Verifier
      (E) Web Client -> Authorization Server: Request Token, Verifier; Authorization Server -> Web Client: Access Token + Secret
      Every request: Client Credentials, Nonce, Timestamp, Signature
      http://oauth.net/
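The signing step behind "Every request: Client Credentials, Nonce, Timestamp, Signature", as an added Python example that is not from the talk: RFC 5849 HMAC-SHA1 signing on the client and verification on the server. The request values are the ones used in the OAuth Core 1.0 specification's appendix example; both sides must normalise the request to a byte-identical base string, which is where the „Invalid Signature“ problem the deck mentions comes from.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    """RFC 5849 §3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & pct(url) & pct(sorted "k=v" pairs joined by "&"), RFC 5849 §3.4.1."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with both secrets (RFC 5849 §3.4.2)."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: rebuild the signature and compare it in constant time."""
    received = dict(params).get("oauth_signature", "")
    expected = hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)

# Sample request values as used in the OAuth Core 1.0 specification's appendix example.
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net/photos"
PARAMS = [
    ("file", "vacation.jpg"), ("size", "original"),
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0"),
]

def signed_request():
    """Client side: append oauth_signature to the request parameters."""
    sig = hmac_sha1("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return PARAMS + [("oauth_signature", sig)]

if __name__ == "__main__":
    req = signed_request()
    print(verify("GET", URL, req, CONSUMER_SECRET, TOKEN_SECRET))  # True
    # One byte of difference in what the two sides normalise (here the scheme)
    # and the server answers "Invalid Signature".
    print(verify("GET", URL.replace("http:", "https:"), req, CONSUMER_SECRET, TOKEN_SECRET))  # False
```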
  33. OpenID + OAuth
      • Combines OpenID authentication and OAuth authorization
        openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
        openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
  34. Failures of OpenID 2.0
      • Complex to implement
      • No marketing: "Do you have an OpenID? What is it?"
      • URL as identifier => bad user experience
  35. How to fix it?
  36. • Easier to implement
      • Better user experience
      • Built on top of OAuth 2.0
      • Simpler specification, wider adoption
  37. What's wrong with OAuth?
      • Does not work well with non-web or JavaScript-based clients
      • The „Invalid Signature“ problem
      • Complicated flow, many requests
  38. What's new in OAuth2? (Draft 10)
      • No signatures
      • Cookie-like Bearer Token
      • Different client profiles
      • No Token Secrets
      • No Request Tokens
      • Mandatory TLS/SSL
      • Much more flexible regarding extensions
      http://tools.ietf.org/html/draft-ietf-oauth-v2
  39. Web-Server Profile
      (A) End-user at Browser -> Authorization Server: Client Identifier & Redirect URI
      (B) User authenticates at the Authorization Server
      (C) Authorization Server -> Browser -> Web Client: Authorization Code
      (D) Web Client -> Authorization Server: Client Credentials, Authorization Code & Redirect URI
      (E) Authorization Server -> Web Client: Access Token (w/ optional Refresh Token)
  40. User-Agent Profile
      (A) Client in Browser -> Authorization Server: Client Identifier & Redirection URI
      (B) User authenticates at the Authorization Server
      (C) Authorization Server -> Browser: Redirect URI with Access Token in Fragment
      (D) Browser -> Web Server with Client Resource: Redirect URI without Fragment
      (E) Web Server -> Browser: Web Page with Script
      (F) Script -> Client in Browser: Access Token (extracted from the fragment)
  41. What happened to signatures?
      • Ongoing controversial discussion
      • Bearer Tokens are fine over a secure connection
      • Vulnerable if discovery is introduced, or if TLS/SSL is not possible
  42. Scopes
      • Optional parameter for provider-specific implementations
      • Additional return values
      • Access Control
  43. Scope: „openid“
      With the access token additional values are returned:
      • UserID: URL to Portable Contacts endpoint
      • Timestamp
      • Signature
      http://openidconnect.com/
  44. DEMO
  45. OpenID Connect Discovery
      • Get the identifier of the user
      • Call the /.well-known/host-meta file at the domain of the user's provider
      • Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
  46. Phishing
  47. @ E-mail address equals identity?
  48. Can the browser help?
  49. FOAF+SSL (WebID): http://esw.w3.org/Foaf%2Bssl
  50. DEMO
  51. Bad browser UI
      • Syncing between different computers?
      • More than one user on the same computer?
  52. UX Mockups: Mozilla Weave
  53. Summing it up
      • We need a single sign on system for the web
      • OpenID is cool, but has some problems
      • Proprietary solutions are bad for users, site owners and developers
      • A new, simpler and more flexible spec is coming up
      • Browser vendors are working to solve this problem in the browser
  54. http://twitter.com/BastianHofmann
      http://joind.in/2874
      http://studivz.net/bastian
      http://slideshare.net/bashofmann
      bhofmann@vz.net
      http://developer.studivz.net
