Technical Background of VZ-ID
Presentation Transcript

    • VZnet Netzwerke Ltd. - Tuesday, December 7, 2010
      VZ-ID: The technical background
      Bastian Hofmann, VZnet Netzwerke Ltd.
    • Agenda
      – Sharing: OExchange, OpenGraph
      – Login: OpenID, OAuth & OAuth 2, OpenID Connect
      – VZ-JavaScript Library
    • Sharing
    • OExchange: a common API for publishing something into social networks
        http://www.example.com/share.php?url={URI}&title={title for the content}&description={short description of the content}&ctype=flash&swfurl={SWF URI}&height={preferred SWF height}&width={preferred swf width}&screenshot={screenshot URI}
      http://www.oexchange.org/
    • Discovery over XRD
        <?xml version="1.0" encoding="UTF-8"?>
        <XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
            <Subject>http://www.example.com/linkeater</Subject>
            <Property type="http://www.oexchange.org/spec/0.8/prop/vendor">Examples Inc.</Property>
            <Property type="http://www.oexchange.org/spec/0.8/prop/title">A Link-Accepting Service</Property>
            <Link rel="icon" href="http://www.example.com/favicon.ico" type="image/vnd.microsoft.icon" />
            <Link rel="http://www.oexchange.org/spec/0.8/rel/offer" href="http://www.example.com/linkeater/offer.php" type="text/html" />
        </XRD>
    • OpenGraph: retrieves metadata through meta tags in the shared page
        <meta property="og:title" content="title" />
        <meta property="og:description" content="description" />
        <meta property="og:site_name" content="your site name" />
        <meta property="og:image" content="http://example.com/thumbnail.jpg" />
      http://opengraphprotocol.org/
    • Sharing examples @VZ
        http://platform-redirect.vz-modules.net/r/Link/Share/?url=http%3A%2F%2Fwww.example.com&description=descripton&title=title
        http://www.studivz.net/Link/Share/?url=http%3A%2F%2Fwww.example.com&description=descripton&title=title
      http://developer.studivz.net/wiki/index.php/Sharing
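The two sharing slides above fit together: the OpenGraph tags supply the title, description and image, and the OExchange offer URL carries them as query parameters. The following Python is an added example, not code from the slides or from VZ; it parses the og:* tags out of a constructed HTML page, builds the offer URL with proper percent-encoding, and shows the one check a share endpoint should make before rendering a submitted link (only http/https URLs are accepted). The share endpoint URL is assumed.

```python
# Added example, not part of the slides: read the OpenGraph meta tags from a
# shared page and build an OExchange-style share URL from them. The HTML and
# the share endpoint are constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit


class OpenGraphParser(HTMLParser):
    """Collects <meta property="og:*" content="..."> pairs (first one wins)."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        prop = attr.get("property") or ""
        content = attr.get("content")
        if prop.startswith("og:") and content is not None and prop not in self.og:
            self.og[prop] = content


def parse_open_graph(html):
    """Return a dict such as {'og:title': ..., 'og:description': ...}."""
    parser = OpenGraphParser()
    parser.feed(html)
    parser.close()
    return parser.og


def is_shareable_url(url):
    """A share target should only accept http(s) links; anything else
    (mailto:, data:, file:, script URLs, relative paths) is rejected before
    it is ever rendered back to a user."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_share_url(share_endpoint, page_url, og):
    """Build the OExchange offer URL: url plus the optional title,
    description and screenshot parameters, all percent-encoded."""
    if not is_shareable_url(page_url):
        raise ValueError("refusing to share a non-http(s) URL: %r" % page_url)
    params = {"url": page_url}
    if "og:title" in og:
        params["title"] = og["og:title"]
    if "og:description" in og:
        params["description"] = og["og:description"]
    if "og:image" in og and is_shareable_url(og["og:image"]):
        params["screenshot"] = og["og:image"]
    return share_endpoint + "?" + urlencode(params)


# Constructed sample page; real pages carry many more tags.
SAMPLE_PAGE = """<html><head>
<meta property="og:title" content="Hello World" />
<meta property="og:description" content="A &amp; B" />
<meta property="og:site_name" content="Example Site" />
<meta property="og:image" content="http://example.com/thumbnail.jpg" />
</head><body>ignored</body></html>"""

SHARE_ENDPOINT = "http://www.example.com/share.php"  # assumed endpoint, as on the slide


if __name__ == "__main__":
    og = parse_open_graph(SAMPLE_PAGE)
    print(build_share_url(SHARE_ENDPOINT, "http://www.example.com/article?id=1", og))
```

Note that `urlencode` turns the shared URL into `http%3A%2F%2F...`, exactly the form the VZ share links on the slide use; hand-built share links that skip this step break on any title containing `&` or `#`.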
    • Login
    • Identities in real life
    • Do you really have only one identity? Lothar Krappmann:
      – Identity is conveyed by communication
      – Identity is not fixed but recreated by every communication with your fellows
      – Expectations of different people result in different identities
    • Example: Paul Adams, http://www.slideshare.net/padday/the-real-life-social-network-v2
    • Identities in the Web
    • Register, Register, Register, ...
    • Single Sign on (ul_Marga)
    • Microsoft Passport / Live ID
      – Windows Live ID
      – Launched 1999 as .NET Passport
      – Used mainly for Microsoft services but not much outside
      – OpenID Provider since 2008
    • Facebook Connect
    • Twitter @Anywhere
    • And there are much, much more
    • Nascar problem (Vaguely Artistic)
    • How to fix it? (Moff)
    • Aggregation: Janrain, http://www.janrain.com/
    • OpenID: open decentralized user authentication, http://openid.net/
    • Connection Flow
    • Authentication vs Authorization
      – Authentication: Who is the user? Is this really user X?
      – Authorization: Is X allowed to do something? Does X have the permission?
      Client sites want more than just a unique identifier (Social Graph)
    • But there are Spec Extensions (decafinata)
    • OpenID + OAuth: combines OpenID authentication and OAuth authorization
        openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
        &openid.oauth.consumer=123456

        openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
        &openid.oauth.request_token=7890
    • OAuth 1.0a Flow
        +----------+                                 +---------------+
        |         -+----(B)-- Request Token -------->|               |
        | End-user |                                 | Authorization |
        |     at   |<---(C)-- User authenticates --->|     Server    |
        |  Browser |                                 |               |
        |         -+----(D)-- Verifier -------------<|               |
        +-|----|---+                                 +---------------+
          |    |                                         ^      v
         (B)  (D)                                        |      |
          |    |                                         |      |
          ^    v                                         |      |
        +---------+                                      |      |
        |         |>---(A)-- Redirect URL ---------------'      |
        |   Web   |<---(A)-- Request Token + Secret -----'      |
        |  Client |>---(E)-- Request Token, Verifier ----'      |
        |         |<---(E)-- Access Token + Secret -------------'
        +---------+
      Every request: client credentials, nonce, timestamp, signature
      http://oauth.net/
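The last line of the OAuth 1.0a slide ("every request: client credentials, nonce, timestamp, signature") is the part that later slides call the "Invalid Signature" problem, so it is worth seeing the computation in full. The Python below is an added example, not VZ's code; it builds the RFC 5849 signature base string, signs it with HMAC-SHA1, and shows the server-side verification (timestamp window, nonce replay store, constant-time comparison). The consumer key, token and secrets in the test are the well-known vector from the OAuth Core 1.0 appendix; the nonce store and the replay window of 300 seconds are assumptions.

```python
# Added example, not from the slides: how an OAuth 1.0a request is signed
# (RFC 5849, HMAC-SHA1) and how a server checks signature, timestamp and
# nonce before trusting it. The replay store and window are assumptions.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only -._~ unescaped)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & base-URL & normalized parameters (query + oauth_* params, sorted).
    oauth_signature itself is never part of the base string."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = "%s:%d" % (host, port)
    base_url = "%s://%s%s" % (scheme, host, parts.path)
    all_params = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in all_params if k != "oauth_signature")
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer secret & token secret (each percent-encoded), output base64."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def oauth_params(consumer_key, token, now=None):
    """Fresh per-request parameters: nonce + timestamp make replay detectable."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now if now is not None else time.time())),
        "oauth_nonce": secrets.token_hex(16),
        "oauth_version": "1.0",
    }


def verify_request(method, url, params, consumer_secret, token_secret,
                   seen_nonces, now=None, window=300):
    """Server side: reject stale timestamps, reused nonces and bad signatures.
    seen_nonces is the server's replay store (a set here; a cache in practice)."""
    now = now if now is not None else time.time()
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window or not params.get("oauth_nonce"):
        return False
    nonce_key = (params.get("oauth_consumer_key"), params["oauth_nonce"], ts)
    if nonce_key in seen_nonces:
        return False  # replayed request
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(nonce_key)
    return True
```

The signature covers the method, the base URL and every query and oauth_* parameter, which is why a client that encodes one parameter differently from the server (space as `+` instead of `%20`, for example) gets "invalid signature" with no further hint; the server must also keep the nonce store, otherwise the timestamp window alone still allows replay.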
    • Failures of OpenID 2.0
      – Complex to implement
      – No marketing: "Do you have an OpenID?" "What is it?"
      – URL as identifier => bad user experience
    • OpenID Connect
      – Goals: easier to implement, simpler specification, better user experience
      – => wider adoption
      – Built on top of OAuth 2.0
    • What's wrong with OAuth?
      – Does not work well with non-web or JavaScript-based clients
      – The "Invalid Signature" problem
      – Complicated flow, many requests
    • What's new in OAuth 2? (Draft 10)
      – Different client profiles
      – No signatures
      – No token secrets
      – Cookie-like bearer token
      – Mandatory TLS/SSL
      – No request tokens
      – Much more flexible regarding extensions
      http://tools.ietf.org/html/draft-ietf-oauth-v2
    • Web-Server Profile
        +----------+          Client Identifier      +---------------+
        |         -+----(A)--- & Redirect URI ------>|               |
        | End-user |                                 | Authorization |
        |     at   |<---(B)-- User authenticates --->|     Server    |
        |  Browser |                                 |               |
        |         -+----(C)-- Authorization Code ---<|               |
        +-|----|---+                                 +---------------+
          |    |                                         ^      v
         (A)  (C)                                        |      |
          |    |                                         |      |
          ^    v                                         |      |
        +---------+                                      |      |
        |         |>---(D)-- Client Credentials, --------'      |
        |   Web   |          Authorization Code,                |
        |  Client |            & Redirect URI                   |
        |         |                                             |
        |         |<---(E)----- Access Token -------------------'
        +---------+       (w/ Optional Refresh Token)
    • User-Agent Profile
        +----------+          Client Identifier     +----------------+
        |          |>---(A)-- & Redirection URI --->|                |
        |          |                                |                |
        |End <--+ - - - +----(B)-- User authenticates -->|  Authorization |
        |User  |   |    |                                |     Server     |
        |      |   |    |<---(C)--- Redirect URI -------<|                |
        |Client|   |    |       with Access Token        |                |
        |  in  |   |    |         in Fragment            +----------------+
        |Browser|  |    |
        |      |   |    |                                +----------------+
        |      |   |    |>---(D)--- Redirect URI ------->|                |
        |      |   |    |       without Fragment         |   Web Server   |
        |      |   |    |                                |   with Client  |
        | (F)  |<--+    |<---(E)--- Web Page with ------<|    Resource    |
        |Access|        |           Script               |                |
        |Token |        |                                +----------------+
        +----------+
    • What happened to signatures?
      – Ongoing controversial discussion
      – Bearer tokens are fine over a secure connection
      – Vulnerable if discovery is introduced
      – Or TLS/SSL is not possible
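The web-server profile diagram compresses into step (D) the checks that replace OAuth 1.0a's signatures: the authorization code is bound to one client and one redirect URI, is single-use, expires quickly, and is only redeemed by a client that presents its own credentials over TLS. The Python below is an added example of an authorization server model with exactly those checks; it is not VZ's implementation and not code from the draft. Client ids, secrets, redirect URIs, the 60-second code lifetime and the injectable clock are all constructed for the example; refresh tokens (optional in draft 10) are left out.

```python
# Added example, not from the slides or the draft: a minimal authorization
# server for the web-server profile, showing the checks the code exchange
# (steps D/E) has to make. Client ids, secrets and URIs are constructed.
import secrets
import time
from urllib.parse import urlsplit


class AuthorizationServer:
    def __init__(self, now=time.time, code_lifetime=60):
        self.now = now                    # injectable clock (assumption, for testing)
        self.code_lifetime = code_lifetime
        self.clients = {}   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}     # code -> {client_id, redirect_uri, user, scope, issued}
        self.tokens = {}    # access_token -> {client_id, user, scope}

    def register_client(self, client_id, secret, redirect_uri):
        # Draft 10 makes TLS mandatory: codes and bearer tokens must not travel in clear.
        if urlsplit(redirect_uri).scheme != "https":
            raise ValueError("redirect_uri must be https")
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, user, scope):
        """Steps A-C: after the user has authenticated, issue a code bound to
        the client and to the exact redirect_uri registered for it."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None  # never redirect to an unregistered URI
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": scope, "issued": self.now()}
        return redirect_uri + "?code=" + code

    def exchange(self, client_id, client_secret, code, redirect_uri):
        """Steps D/E: trade the code for a bearer access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        grant = self.codes.pop(code, None)   # single use: gone after this call
        if grant is None or grant["client_id"] != client_id:
            return None
        if grant["redirect_uri"] != redirect_uri:
            return None                      # code was issued for a different URI
        if self.now() - grant["issued"] > self.code_lifetime:
            return None                      # expired code
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "user": grant["user"],
                              "scope": grant["scope"]}
        return {"access_token": token, "token_type": "bearer", "scope": grant["scope"]}

    def resource(self, bearer_token):
        """Protected resource: the bearer token alone identifies the grant,
        which is why it must only ever be sent over TLS."""
        return self.tokens.get(bearer_token)
```

A failed exchange for a wrong redirect URI still consumes the code, so a leaked code that the legitimate client has not yet redeemed is worthless after one attempt; this is the property the bearer-token slides rely on when they say signatures can be dropped "over a secure connection".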
    • Scopes
      – Optional parameter for provider-specific implementations
      – For example: additional return values, access control
    • OpenID Connect?
      – Scope: "openid"
      – With the access token, additional values are returned: UserID (URL to Portable Contacts endpoint), signature, timestamp
      http://openidconnect.com/
    • OpenID Connect Discovery
      – Get the identifier of the user
      – Call the /.well-known/host-meta file at the domain of the user's provider
      – Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
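The discovery steps above (identifier to host, host to /.well-known/host-meta, host-meta to a Link with the wanted rel) use the same XRD lookup that the OExchange "Discovery over XRD" slide needs for its `.../rel/offer` link, so one example serves both. The Python below is added here and is not VZ's code: the host-meta document, the fetch function and the rel value for the OpenID Connect endpoint (`http://example.invalid/rel/openid-connect`) are constructed placeholders, since the slide does not name the real rel; the OExchange offer rel and its sample XRD are the slide's own.

```python
# Added example, not from the slides: derive the provider host from a user
# identifier, fetch its /.well-known/host-meta and pick a Link by rel out of
# the returned XRD. The OpenID Connect rel value and the host-meta document
# below are constructed placeholders; the OExchange rel is from the slide.
import xml.etree.ElementTree as ET  # XRD comes from a remote host: use defusedxml in production
from urllib.parse import urlsplit

XRD_NS = {"xrd": "http://docs.oasis-open.org/ns/xri/xrd-1.0"}
OEXCHANGE_OFFER_REL = "http://www.oexchange.org/spec/0.8/rel/offer"  # from the slide
OPENID_CONNECT_REL = "http://example.invalid/rel/openid-connect"     # placeholder, not a real rel


def provider_host(identifier):
    """'alice@provider.example' or 'https://provider.example/alice' -> 'provider.example'."""
    if "://" in identifier:
        host = urlsplit(identifier).hostname
    elif "@" in identifier:
        host = identifier.rsplit("@", 1)[1]
    else:
        host = identifier
    if not host:
        raise ValueError("cannot derive a host from %r" % identifier)
    return host.lower().strip(".")


def host_meta_url(identifier):
    """Discovery document location; fetched over https only."""
    return "https://%s/.well-known/host-meta" % provider_host(identifier)


def xrd_links(xrd_text, rel):
    """All hrefs of <Link rel=...> elements in an XRD document."""
    data = xrd_text.encode("utf-8") if isinstance(xrd_text, str) else xrd_text
    root = ET.fromstring(data)
    if root.tag != "{%s}XRD" % XRD_NS["xrd"]:
        raise ValueError("not an XRD document")
    return [link.get("href") for link in root.findall("xrd:Link", XRD_NS)
            if link.get("rel") == rel and link.get("href")]


def discover_endpoint(identifier, fetch, rel):
    """identifier -> host-meta -> first https Link with the wanted rel, else None.
    fetch(url) returns the document text (an https GET in real code)."""
    doc = fetch(host_meta_url(identifier))
    for href in xrd_links(doc, rel):
        if urlsplit(href).scheme == "https":
            return href
    return None  # a plain-http endpoint is not accepted for a login flow


# The OExchange XRD from the slide, copied here as test input.
SAMPLE_OEXCHANGE_XRD = """<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://www.example.com/linkeater</Subject>
  <Link rel="icon" href="http://www.example.com/favicon.ico" type="image/vnd.microsoft.icon" />
  <Link rel="http://www.oexchange.org/spec/0.8/rel/offer" href="http://www.example.com/linkeater/offer.php" type="text/html" />
</XRD>"""

# Constructed host-meta for provider.example; the first link is deliberately plain http.
SAMPLE_HOST_META = """<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>provider.example</Subject>
  <Link rel="http://example.invalid/rel/openid-connect" href="http://provider.example/insecure" />
  <Link rel="http://example.invalid/rel/openid-connect" href="https://provider.example/openid" />
</XRD>"""


def fake_fetch(url):
    """Stand-in for an HTTPS GET; serves only the constructed document."""
    if url == "https://provider.example/.well-known/host-meta":
        return SAMPLE_HOST_META
    raise LookupError(url)


if __name__ == "__main__":
    print(discover_endpoint("alice@provider.example", fake_fetch, OPENID_CONNECT_REL))
    print(xrd_links(SAMPLE_OEXCHANGE_XRD, OEXCHANGE_OFFER_REL))
```

The point the "vulnerable if discovery is introduced" slide makes is visible here: whoever can answer the host-meta request chooses the endpoint the client will send the user to, so the document must be fetched over TLS from the provider's own host and only https endpoints accepted.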
    • OpenID Connect @VZ
      – Available now
      – But without the discovery part: no discovering clients, no discoverable entities
    • VZ-JavaScript Library
        <script src="http://static.pe.studivz.net/Js/id/v3/library.js"
                data-authority="platform-redirect.vz-modules.net/r"
                data-authorityssl="platform-redirect.vz-modules.net/r"
                type="text/javascript"></script>
        <script type="vz/share">
           id: shareButton
           title: title of your site
           description : a description
        </script>
      http://developer.studivz.net/wiki/index.php/JS-Library
    • Login widget
        <script type="text/javascript">
        function callbackMethod(c) {
          if (c.error) {
            return;
          }
          var url = c.user_id;
          vz.id.login.callApi(url, function(data) {
            console.log(data.entry.displayName);
          });
        }
        </script>
        <script type="vz/login">
           client_id : 1234567890abcdef
           redirect_uri : http://example.com/callback.html
           callback : callbackMethod
           fields : name,emails
        </script>
      http://developer.studivz.net/wiki/index.php/JS-Library
    • Callback.html
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
        <html>
          <head>
            <title></title>
            <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
          </head>
          <body>
            <script type="text/javascript">
              opener.vz.id.authStorage.setAuthParameterHash(location.hash.substr(1));
              window.close();
            </script>
          </body>
        </html>
    • Thank you
      http://twitter.com/BastianHofmann
      http://studivz.net/bastian
      http://slideshare.net/bashofmann
      bhofmann@vz.net
      http://developer.studivz.net