Distributed Identities with OpenID
Slides of my Devlink talk about OpenID, why it fails, how it can be fixed and how browser vendors could help to fix the identity problem of the web.

Presentation Transcript

  • Distributed Identities with OpenID. Bastian Hofmann, VZnet Netzwerke Ltd.
  • OpenID is dead
  • „OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
  • „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook), http://www.quora.com/What-s-wrong-with-OpenID
  • Facebook Connect: 250,000,000 monthly users
  • So why are you here?
  • Topics:
    • Why identity management is still a problem
    • OpenID: how it works, and why it fails
    • OpenID Connect & OAuth2: OpenID's future?
    • What can browser vendors do?
  • Questions? Ask!
  • http://slideshare.net/bashofmann
  • Only one identity?
  • Identity is conveyed by communication. Identity is not fixed but recreated by every communication with your fellows. Expectations of different people result in different identities. (Lothar Krappmann)
  • Paul Adams, http://www.slideshare.net/padday/the-real-life-social-network-v2
  • Sign up again and again
  • Passwords are broken:
    • Same password for more than one service
    • Saved insecurely in the browser
    • Names, birthdays, car brand, ...
    • Disclosed to others
    • Too short, too simple
    • Sent over non-encrypted connections
  • Single Sign On
  • Microsoft Live ID: launched 1999 as .NET Passport
  • Facebook Connect
  • And there are many more
  • Nascar problem
  • Aggregation: http://www.janrain.com/
  • OpenID: http://openid.net/
  • The Client
  • Discovery:
        <link rel="openid.server" href="http://www.myopenid.com/server" />
        <link rel="openid2.provider" href="http://www.myopenid.com/server" />
    Delegation:
        <meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
        <link rel="openid2.provider" href="http://www.myopenid.com/server" />
        <link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
        <link rel="openid.server" href="http://www.myopenid.com/server" />
        <link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
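As an added example (not code from the talk or from the speaker's projects): a relying-party discovery routine in Python that reads the markup from the slide above, prefers the OpenID 2.0 openid2.* links over the 1.x openid.* ones, honours delegation, and performs the check an RP must do when the assertion comes back. The sample HTML is constructed from the slide; the function names are my own.

```python
from html.parser import HTMLParser

# Constructed samples of the two HTML discovery documents from the slide:
# a plain identifier page and one that delegates to a myOpenID identifier.
DIRECT_HTML = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
</head></html>"""
DELEGATED_HTML = """<html><head>
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
</head></html>"""

class _LinkCollector(HTMLParser):
    """Collects <link rel=...> targets and the X-XRDS-Location <meta>."""
    def __init__(self):
        super().__init__()
        self.links, self.xrds = {}, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():              # rel may carry several tokens
                self.links.setdefault(rel, a["href"])  # first occurrence wins
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.xrds = a.get("content")

def discover(claimed_id, html):
    """Return the OP endpoint, protocol version and the identifier the RP must send
    (the local_id/delegate when delegated), or None if no OpenID markup is found."""
    p = _LinkCollector()
    p.feed(html)
    if "openid2.provider" in p.links:        # OpenID 2.0 markup takes precedence
        return {"version": 2, "endpoint": p.links["openid2.provider"],
                "local_id": p.links.get("openid2.local_id", claimed_id),
                "claimed_id": claimed_id, "xrds": p.xrds}
    if "openid.server" in p.links:           # OpenID 1.x fallback
        return {"version": 1, "endpoint": p.links["openid.server"],
                "local_id": p.links.get("openid.delegate", claimed_id),
                "claimed_id": claimed_id, "xrds": p.xrds}
    return None

def assertion_matches_discovery(disc, op_endpoint, asserted_identity):
    """Check the RP must do when the assertion returns: the signing OP endpoint and the
    asserted identifier must equal what discovery on the claimed_id produced, otherwise
    any OP could assert any user's identifier (OpenID 2.0, section 11.2)."""
    return (disc is not None and disc["endpoint"] == op_endpoint
            and disc["local_id"] == asserted_identity)
```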
  • Connection Flow
  • DEMO
  • Authentication vs. Authorization: Who is the user? Is this really user X? vs. Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (social graph).
  • But there are Spec Extensions
  • Simple Registration
    • Allows the request to specify certain fields that must or should be returned by the Identity Provider. Request:
        openid.sreg.required=openid.sreg.fullname&
        openid.sreg.optional=openid.sreg.email,openid.sreg.gender
    • Response:
        openid.sreg.fullname=Bastian&openid.sreg.gender=male
  • Attribute Exchange
    • Fetch Request:
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=fetch_request
        openid.ax.type.fname=http://example.com/schema/fullname
        openid.ax.type.gender=http://example.com/schema/gender
        openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
        openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
        openid.ax.count.fav_movie=3
        openid.ax.required=fname,gender
        openid.ax.if_available=fav_dog,fav_movie
        openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  • Attribute Exchange
    • Fetch Response:
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=fetch_response
        openid.ax.type.fname=http://example.com/schema/fullname
        openid.ax.type.gender=http://example.com/schema/gender
        openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
        openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
        openid.ax.value.fname=John Smith
        openid.ax.count.gender=0
        openid.ax.value.fav_dog=Spot
        openid.ax.count.fav_movie=2
        openid.ax.value.fav_movie.1=Movie1
        openid.ax.value.fav_movie.2=Movie2
        openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  • Attribute Exchange
    • Store Request:
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=store_request
        openid.ax.type.fname=http://example.com/schema/fullname
        openid.ax.value.fname=Bob Smith
        openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
        openid.ax.count.fav_movie=2
        openid.ax.value.fav_movie.1=Movie1
        openid.ax.value.fav_movie.2=Movie2
    • Store Response:
        openid.ns.ax=http://openid.net/srv/ax/1.0
        openid.ax.mode=store_response_success
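An added example, not part of the talk: parsing an AX fetch_response the way a relying party receives it, keyed by attribute type URI rather than by the OP-chosen alias, and handling the count=0, single-value and multi-value cases shown on the Fetch Response slide. The sample message is constructed from that slide; the function name is my own.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"
# Constructed sample: the fetch_response from the slide, query-encoded as the OP
# would return it in the redirect back to the RP (one value contains a space).
SAMPLE_RESPONSE = (
    "openid.ns.ax=http://openid.net/srv/ax/1.0"
    "&openid.ax.mode=fetch_response"
    "&openid.ax.type.fname=http://example.com/schema/fullname"
    "&openid.ax.type.gender=http://example.com/schema/gender"
    "&openid.ax.type.fav_dog=http://example.com/schema/favourite_dog"
    "&openid.ax.type.fav_movie=http://example.com/schema/favourite_movie"
    "&openid.ax.value.fname=John+Smith"
    "&openid.ax.count.gender=0"
    "&openid.ax.value.fav_dog=Spot"
    "&openid.ax.count.fav_movie=2"
    "&openid.ax.value.fav_movie.1=Movie1"
    "&openid.ax.value.fav_movie.2=Movie2"
)

def parse_fetch_response(query, required=()):
    """Map each attribute type URI to its list of values. Aliases (fname, fav_dog)
    are chosen by the OP, so the RP must key on the type URI, never on the alias.
    Returns (values, list of required type URIs that came back empty)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "fetch_response":
        raise ValueError("not an AX 1.0 fetch_response")
    # A real RP also checks that every openid.ax.* key is listed in openid.signed;
    # unsigned attributes could have been altered on the way through the browser.
    values = {}
    for key, type_uri in params.items():
        if not key.startswith("openid.ax.type."):
            continue
        alias = key[len("openid.ax.type."):]
        count = params.get("openid.ax.count." + alias)
        if count is None:
            # No count: a single value, if present, lives in openid.ax.value.<alias>
            single = params.get("openid.ax.value." + alias)
            values[type_uri] = [] if single is None else [single]
        else:
            n = int(count)  # count=0 means the OP has no value for this attribute
            vals = []
            for i in range(1, n + 1):
                v = params.get(f"openid.ax.value.{alias}.{i}")
                if v is None:
                    raise ValueError(f"{alias}: count says {n} values but value {i} is missing")
                vals.append(v)
            values[type_uri] = vals
    missing = [t for t in required if not values.get(t)]
    return values, missing
```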
  • http://oauth.net/
  • OAuth 1.0a Flow (Web Client, End-user at Browser, Authorization Server):
    • (A) Web Client -> Authorization Server: Redirect URL; Authorization Server -> Web Client: Request Token + Secret
    • (B) The End-user's browser is sent to the Authorization Server with the Request Token
    • (C) User authenticates at the Authorization Server
    • (D) Authorization Server redirects the browser back to the Web Client with the Verifier
    • (E) Web Client -> Authorization Server: Request Token, Verifier; Authorization Server -> Web Client: Access Token + Secret
    • Every request: client credentials, nonce, timestamp, signature
    • http://oauth.net/
  • OpenID + OAuth
    • Combines OpenID authentication and OAuth authorization
    • Request:
        openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
    • Response:
        openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
  • Failures of OpenID 2.0:
    • Complex to implement
    • No marketing („Do you have an OpenID? What is it?“)
    • URL as identifier => bad user experience
  • How to fix it?
  • Easier to implement; better user experience; built on top of OAuth 2.0; simpler specification; wider adoption
  • What's wrong with OAuth?
    • Does not work well with non-web or JavaScript-based clients
    • The „Invalid Signature“ problem
    • Complicated flow, many requests
  • http://oauth.net/
  • What's new in OAuth2? (Draft 10)
    • No signatures: cookie-like bearer token
    • Different client profiles
    • No token secrets
    • No request tokens
    • Mandatory TLS/SSL
    • Much more flexible regarding extensions
    • http://tools.ietf.org/html/draft-ietf-oauth-v2
  • Web-Server Profile (Web Client, End-user at Browser, Authorization Server):
    • (A) Web Client sends the End-user's browser to the Authorization Server with Client Identifier & Redirect URI
    • (B) User authenticates at the Authorization Server
    • (C) Authorization Server redirects the browser back to the Web Client with an Authorization Code
    • (D) Web Client -> Authorization Server: Client Credentials, Authorization Code & Redirect URI
    • (E) Authorization Server -> Web Client: Access Token (w/ optional Refresh Token)
  • User-Agent Profile (Client in Browser, End User, Authorization Server, Web Server with Client Resource):
    • (A) Client in Browser -> Authorization Server: Client Identifier & Redirection URI
    • (B) User authenticates at the Authorization Server
    • (C) Authorization Server -> Browser: Redirect URI with Access Token in fragment
    • (D) Browser -> Web Server with Client Resource: Redirect URI without fragment
    • (E) Web Server -> Browser: web page with script
    • (F) Script hands the Access Token from the fragment to the Client in the Browser
  • What happened to signatures? Ongoing controversial discussion. Bearer tokens are fine over a secure connection; vulnerable if discovery is introduced, or if TLS/SSL is not possible.
  • Scopes: optional parameter for provider-specific implementations; additional return values; access control
  • Scope „openid“: with the access token, additional values are returned:
    • UserID
    • URL to Portable Contacts endpoint
    • Timestamp
    • Signature
    • http://openidconnect.com/
  • https://github.com/vznet/vz_id_democlient
    http://opensocial-demo.vz-modules.net/vzid/index.php
  • DEMO
  • OpenID Connect Discovery:
    • Get the identifier of the user
    • Call the /.well-known/host-meta file at the domain of the user's provider
    • Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
  • Phishing
  • @: E-mail address equals identity?
  • Can the browser help?
  • FOAF+SSL (WebID): http://esw.w3.org/Foaf%2Bssl
  • DEMO
  • Bad browser UI: Syncing between different computers? More than one user on the same computer?
  • Mozilla UX Mockups
  • https://browserid.org/
  • DEMO
  • Summing it up
    • We need a single sign-on system for the web
    • OpenID is cool, but has some problems
    • Proprietary solutions are bad for users, site owners and developers
    • A new, simpler and more flexible spec is coming up
    • Browser vendors are working to solve this problem in the browser
  • http://twitter.com/BastianHofmann
    https://profiles.google.com/bashofmann
    http://lanyrd.com/people/BastianHofmann/
    http://slideshare.net/bashofmann
    mail@bastianhofmann.de