Distributed Identities with OpenID

Distributed Identitieswith OpenIDBastian HofmannVZnet Netzwerke Ltd.

About me

OpenID is dead

„OpenID has been a burden on supportsince the day it was launched.“„Fewer than 1% of all 37signals users arecurrently using OpenID.“http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html

„OpenID is the worst possible "solution"I have ever seen in my entire life to aproblem that most people dont reallyhave.“Yishan Wong (Facebook)http://www.quora.com/What-s-wrong-with-OpenID

Facebook Connect250,000,000 monthly users

So why are you here?

• Why identity management is still a problem• OpenID how it works, and why it fails• OpenID Connect & OAuth2: OpenIDs future?• What can browser vendors do?

Questions? Ask!

Only one identity?

Identity is conveyed by communicationIdentity is not ﬁxed but recreated by everycommunication with your fellowsExpectations of different people result indifferent identitiesLothar Krappmann

Paul Adamshttp://www.slideshare.net/padday/the-real-life-social-network-v2

Sign up again and again

Passwords are brokenSame password for more than one service Saved unsecurely in the browser Names, birthdays, car brand, ... Disclosed to others Too short, too simple Sent over non encrypted connections

Single Sign On

Microsoft Live IDLaunched 1999 as .net Passport

Facebook Connect

And there are much more

Nascar problem

Aggregation: Janrainhttp://www.janrain.com/

OpenIDhttp://openid.net/

The Client

Discovery<link rel="openid.server" href="http://www.myopenid.com/server" /><link rel="openid2.provider" href="http://www.myopenid.com/server" /> Delegation<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http://www.myopenid.com/server" /> <link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/server" /> <link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />

Connection Flow

Authentication vs AuthorizationWho is the user? Is this really user X? VS Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (Social Graph)

But there are Spec Extensions

Simple Registration• Allows to specify certain ﬁelds in request that must or should be returned by the Identity Provider openid.sreg.required=openid.sreg.fullname& openid.sreg.optional=openid.sreg.email,openid.sreg.gender openid.sreg.fullname=Bastian&openid.sreg.gender=male

Attribute Exchange• Fetch Requestpenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=3openid.ax.required=fname,genderopenid.ax.if_available=fav_dog,fav_movieopenid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41

Attribute Exchange• Fetch Responseopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_responseopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.value.fname=John Smithopenid.ax.count.gender=0openid.ax.value.fav_dog=Spotopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41

Attribute Exchange• Store Requestopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.value.fname=Bob Smithopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2• Store Responsopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_response_success

OAuth 1.0a Flow+----------+ +---------------+| -+----(B)-- Request Token -------->| || End-user | | Authorization || at |<---(C)-- User authenticates --->| Server || Browser | | || -+----(D)-- Verifier -------------<| |+-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | |+---------+ | || |>---(A)-- Redirect URL ---------------| || Web |<---(A)-- Request Token + Secret -----| || Client |>---(E)-- Request Token, Verifier ---- || |<---(E)-- Access Token + Secret -------------+---------+ Every Request: Client Credentials, Nonce, Timestamp, Signaturehttp://oauth.net/

OpenID + OAuth• Combines OpenID Authentication and OAuth authorization openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.consumer=123456 openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.request_token=7890

Failures of OpenID 2.0 Complex to implement No marketingDo you have an OpenID? What is it? URL as identiﬁer => Bad User Experience

How to ﬁx it?

Easier to implement Better user experienceBuilt on top of OAuth 2.0 More simple speciﬁcation wider adption

What‘s wrong with OAuth? Does not work well with non web or JavaScript based clientsThe „Invalid Signature“ Problem Complicated Flow, many requests

What‘s new in OAuth2? (Draft 10) No signaturesCookie-like Bearer Token Different client proﬁles No Token Secrets No Request Tokens Mandatory TSL/SSL Much more ﬂexible regarding extensions http://tools.ietf.org/html/draft-ietf-oauth-v2

Web-Server Proﬁle+----------+ Client Identifier +---------------+| -+----(A)--- & Redirect URI ------>| || End-user | | Authorization || at |<---(B)-- User authenticates --->| Server || Browser | | || -+----(C)-- Authorization Code ---<| |+-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | |+---------+ | || |>---(D)-- Client Credentials, -------- || Web | Authorization Code, || Client | & Redirect URI || | || |<---(E)----- Access Token -------------------+---------+ (w/ Optional Refresh Token)

What happend to signatures? Ongoing controvers discussionBearer Tokens are ﬁne over secure connection Vulnerable if discovery is introduced Or if TSL/SSL is not possible

Scopes Optional parameter for provider speciﬁc implementationsAdditional return values Access Control

Scope: „openid“ With access token additional values are returned UserID: URL to Portable Contacts endpoint Timestamp Signaturehttp://openidconnect.com/

OpenID Connect DiscoveryGet Identiﬁer of user Call /.well-‐known/host-‐meta ﬁle at the domain of the user‘s providerLook for a link pointing to the OpenIDConnect endpoints in the returnedLRDD

Phishing

@ E-mail address equals identity?

Can the browser help?

FOAF+SSL (WebID)http://esw.w3.org/Foaf%2Bssl

Bad browser UISyncing between different computers? More than one user on the same computer?

UX Mockups Mozilla Weave

Summing it up• We need a single sign on system for the web• OpenID is cool, but has some problems• Proprietary solutions are bad for users, site owners and developers• A new more simple and ﬂexible spec is coming up• Browser vendors are working to solve this problem in the browser

h"p://twi"er.com/Bas2anHofmannh"p://joind.in/2874h"p://studivz.net/bas2anh"p://slideshare.net/bashofmannbhofmann@vz.neth"p://developer.studivz.net

http://www.berejeb.com	22
http://lanyrd.com	5
http://feeds.feedburner.com	4
http://www.devetdesign.com	4
http://twitter.com	1

Distributed Identities with OpenID

by Bastian Hofmann

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 36

Statistics

Distributed Identities with OpenID Presentation Transcript