The Identity Problem of the Web and how to solve it

  1. Bastian Hofmann, ResearchGate GmbH: The Identity Problem of the Web and how to solve it
  2. Questions? Ask!
  3. http://slideshare.net/bashofmann
  4. Only one identity?
  5. Identity is conveyed by communication. Identity is not fixed but recreated by every communication with your fellows. Expectations of different people result in different identities. (Lothar Krappmann)
  6. Paul Adams, http://www.slideshare.net/padday/the-real-life-social-network-v2
  7. Sign up again and again
  8. Passwords are broken: same password for more than one service; saved insecurely in the browser; names, birthdays, car brand, ...; disclosed to others; too short, too simple; sent over non-encrypted connections
  9. Single Sign On
  10. Microsoft Live ID, launched 1999 as .NET Passport
  11. Facebook Connect
  12. And there are many more
  13. Nascar problem
  14. Aggregation: http://www.janrain.com/
  15. OpenID: http://openid.net/
  16. The Client
  17. http://bhofmann.myopenid.com
  18. http://bhofmann.myopenid.com
  19. stackoverflow.com: HTTP POST http://bhofmann.myopenid.com (the user submits the identifier)
  20. stackoverflow.com: HTTP POST http://bhofmann.myopenid.com; HTTP GET bhofmann.myopenid.com (discovery)
  21. stackoverflow.com: HTTP POST http://bhofmann.myopenid.com; bhofmann.myopenid.com answers with <link rel="openid2.provider" href="http://www.myopenid.com/server" />
  22. stackoverflow.com <-> myopenid.com/server: establish shared secret (Diffie-Hellman)
  23. stackoverflow.com: HTTP Redirect to http://myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  24. HTTP GET myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  25. Login at myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  26. Grant permission at myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  27. myopenid.com/server: HTTP Redirect to http://stackoverflow.com/?assertion...
  28. stackoverflow.com: HTTP GET; verify assertion
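The "verify assertion" step of slide 28 is where most relying-party bugs live. The following Python is an added example, not code from the talk or from any OpenID library: it recomputes the HMAC-SHA1 signature over the Key-Value Form of the openid.signed fields using a MAC key that stands in for the one negotiated by the Diffie-Hellman association on slide 22, then checks return_to, the response_nonce time window and replay. The association handle, MAC key, return_to URL and nonce are constructed values.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Constructed MAC key standing in for the secret negotiated with the provider
# in the association step (slide 22, Diffie-Hellman). Real keys are random
# and stored per assoc_handle; this one is fixed so the run is reproducible.
ASSOCIATIONS = {"assoc-demo-1": bytes(range(20))}

# Fields that must be covered by openid.sig; anything outside the signature
# could be swapped after the provider signed the response.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
MAX_SKEW = 300  # seconds of clock drift tolerated on response_nonce


def kv_form(params, fields):
    """OpenID 2.0 Key-Value Form of the listed fields ('openid.' prefix dropped)."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def compute_sig(mac_key, params):
    """HMAC-SHA1 over the Key-Value Form of the openid.signed fields, base64."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, fields).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify_assertion(params, expected_return_to, seen_nonces, now=None):
    """Slide 28, 'verify assertion': return (ok, reason) for a positive assertion."""
    now = time.time() if now is None else now
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    mac_key = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False, "unknown assoc_handle"
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        return False, "required fields not covered by signature"
    if any("openid." + f not in params for f in signed):
        return False, "signed field missing from response"
    if not hmac.compare_digest(compute_sig(mac_key, params), params.get("openid.sig", "")):
        return False, "bad signature"
    if params["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    nonce = params["openid.response_nonce"]
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > MAX_SKEW:
        return False, "nonce outside time window"
    key = (params["openid.op_endpoint"], nonce)   # nonces are unique per provider
    if key in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(key)
    return True, "ok"


def demo():
    """Build a valid assertion, then show a replay and a tampered copy failing."""
    now = calendar.timegm(time.strptime("2011-06-01T12:00:00Z", "%Y-%m-%dT%H:%M:%SZ"))
    return_to = "http://stackoverflow.com/openid/return"   # constructed
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "http://www.myopenid.com/server",
        "openid.claimed_id": "http://bhofmann.myopenid.com/",
        "openid.identity": "http://bhofmann.myopenid.com/",
        "openid.return_to": return_to,
        "openid.response_nonce": "2011-06-01T12:00:05Zk7Qx",   # constructed
        "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(ASSOCIATIONS["assoc-demo-1"], params)
    seen = set()
    first = verify_assertion(params, return_to, seen, now)
    replay = verify_assertion(params, return_to, seen, now)
    forged = {**params, "openid.identity": "http://other.myopenid.com/"}
    tampered = verify_assertion(forged, return_to, set(), now)
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

The nonce set has to be shared across all web workers of the relying party (a database or cache, not a process-local set) or a replay against a different worker succeeds.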
  29. DEMO: http://stackoverflow.com/, https://www.myopenid.com/
  30. Authentication vs Authorization. Who is the user? Is this really user X? vs. Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (social graph).
  31. But there are Spec Extensions
  32. Additional parameters on the redirects
  33. Simple Registration
  34. Request: openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender
      Response: openid.sreg.fullname=Bastian&openid.sreg.gender=male
  35. Attribute Exchange
  36. Fetch request:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=fetch_request
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.type.gender=http://example.com/schema/gender
      openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.count.fav_movie=3
      openid.ax.required=fname,gender
      openid.ax.if_available=fav_dog,fav_movie
      openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  37. Fetch response:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=fetch_response
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.type.gender=http://example.com/schema/gender
      openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.value.fname=John Smith
      openid.ax.count.gender=0
      openid.ax.value.fav_dog=Spot
      openid.ax.count.fav_movie=2
      openid.ax.value.fav_movie.1=Movie1
      openid.ax.value.fav_movie.2=Movie2
      openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  38. Store request:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=store_request
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.value.fname=Bob Smith
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.count.fav_movie=2
      openid.ax.value.fav_movie.1=Movie1
      openid.ax.value.fav_movie.2=Movie2
  39. Store response:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=store_response_success
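As an added example (not from the talk), a parser for the Attribute Exchange fetch_response of slide 37 in Python. It resolves the namespace alias, honours count versus single value keys, rejects values without a type declaration, and reports which openid.ax.required aliases came back empty (gender above has count 0). The query string is the slide's parameters written out as one constructed string.

```python
from urllib.parse import parse_qs

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed fetch_response: the parameters of slide 37 written as one
# query string, as they arrive on the return_to URL.
SAMPLE_RESPONSE = (
    "openid.ns.ax=http://openid.net/srv/ax/1.0"
    "&openid.ax.mode=fetch_response"
    "&openid.ax.type.fname=http://example.com/schema/fullname"
    "&openid.ax.type.gender=http://example.com/schema/gender"
    "&openid.ax.type.fav_dog=http://example.com/schema/favourite_dog"
    "&openid.ax.type.fav_movie=http://example.com/schema/favourite_movie"
    "&openid.ax.value.fname=John+Smith"
    "&openid.ax.count.gender=0"
    "&openid.ax.value.fav_dog=Spot"
    "&openid.ax.count.fav_movie=2"
    "&openid.ax.value.fav_movie.1=Movie1"
    "&openid.ax.value.fav_movie.2=Movie2"
    "&openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41"
)


def ax_prefix(params):
    """Return 'openid.<alias>.' for whatever alias the AX namespace was bound to."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return "openid." + key[len("openid.ns."):] + "."
    raise ValueError("AX namespace not declared")


def parse_fetch_response(query):
    """Turn openid.ax.* parameters into {alias: {'type': uri, 'values': [...]}}."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    p = ax_prefix(params)
    if params.get(p + "mode") != "fetch_response":
        raise ValueError("not a fetch_response")
    types = {k[len(p) + 5:]: v for k, v in params.items() if k.startswith(p + "type.")}
    # Every value key must refer to a declared type; reject anything stray.
    for k in params:
        if k.startswith(p + "value.") and k[len(p) + 6:].split(".")[0] not in types:
            raise ValueError("value without type declaration: " + k)
    attrs = {}
    for name, type_uri in types.items():
        single = params.get(p + "value." + name)
        count = params.get(p + "count." + name)
        if count is not None:
            if single is not None:
                raise ValueError(f"{name}: count and single value both present")
            values = [params.get(f"{p}value.{name}.{i}") for i in range(1, int(count) + 1)]
            if None in values:
                raise ValueError(f"{name}: fewer values than count")
        else:
            values = [single] if single is not None else []
        attrs[name] = {"type": type_uri, "values": values}
    return attrs, params.get(p + "update_url")


def missing_required(attrs, required):
    """Aliases the RP marked openid.ax.required that came back without a value."""
    return [name for name in required if not attrs.get(name, {}).get("values")]


if __name__ == "__main__":
    attrs, update_url = parse_fetch_response(SAMPLE_RESPONSE)
    print(attrs, update_url, missing_required(attrs, ["fname", "gender"]))
```

The AX parameters are only trustworthy if they are listed in openid.signed of the surrounding assertion; this parser assumes that check has already been made.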
  40. http://oauth.net/
  41. Pre-registration of the client (lanyrd.com) at Twitter (twitter.com): shared Consumer Key, shared Consumer Secret
  42. lanyrd.com: HTTP POST "Connect with Twitter"
  43. lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Redirect URI, Signature (Consumer Secret)
  44. twitter.com -> lanyrd.com: Request Token, Request Token Secret
  45. lanyrd.com: HTTP Redirect to http://twitter.com/authorize?requestToken=...&consumerKey=...
  46. HTTP GET twitter.com/authorize
  47. Login at twitter.com/authorize
  48. Grant permission at twitter.com/authorize: create verifier and bind it to User and Request Token
  49. twitter.com/authorize: HTTP Redirect to Redirect URI?verifier=...&requestToken=...
  50. lanyrd.com: HTTP GET (Redirect URI?verifier=...)
  51. lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Request Token, Verifier, Signature (Consumer & Request Token Secret)
  52. twitter.com -> lanyrd.com: Access Token, Access Token Secret
  53. lanyrd.com -> twitter.com: API Request with Consumer Key, Access Token, Signature (Consumer & Access Token Secret)
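Slides 43, 51 and 53 each carry a "Signature", and the "Invalid Signature" problem mentioned later in the deck is almost always a mistake in building the signature base string. The following Python is an added example, not the talk's code and not a library: RFC 5849 percent-encoding, parameter normalization, the HMAC-SHA1 key construction and a server-side constant-time check. Consumer key, secrets, nonce and timestamp in the usage are constructed values.

```python
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value).encode("utf-8"), safe="-._~")


def base_string_uri(url):
    """scheme://host[:port]/path, lower-cased, default port and query dropped."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method, url, oauth_params, body=""):
    """RFC 5849 3.4.1: METHOD & enc(base URI) & enc(sorted, encoded parameters)."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += parse_qsl(body, keep_blank_values=True)      # form-encoded body only
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("oauth_signature", "realm")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)   # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); the '&' stays even if empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 body="", nonce=None, timestamp=None):
    """Client side (lanyrd.com): build the oauth_* parameters for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or os.urandom(8).hex(),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, oauth, body)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth):
    """Serialize the parameters as an Authorization: OAuth header."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def verify_signature(method, url, oauth, consumer_secret, token_secret="", body=""):
    """Server side (twitter.com): recompute from the request as received and compare."""
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth, body),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))


if __name__ == "__main__":
    # Constructed request: key "ck", secret "cs", access token "at" with secret "ts".
    url = "http://api.twitter.com/1/statuses/home_timeline.json?count=5"
    signed = sign_request("GET", url, "ck", "cs", "at", "ts")
    print(authorization_header(signed))
    print(verify_signature("GET", url, signed, "cs", "ts"))
```

A production verifier must additionally reject timestamps outside a window and nonces already seen for that consumer key, otherwise a captured request can be replayed verbatim.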
  54. OpenID + OAuth: combines OpenID authentication and OAuth authorization
      Request: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
      Response: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
  55. OpenID is dead
  56. "OpenID has been a burden on support since the day it was launched." "Fewer than 1% of all 37signals users are currently using OpenID." http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
  57. "OpenID is the worst possible 'solution' I have ever seen in my entire life to a problem that most people don't really have." Yishan Wong (Facebook), http://www.quora.com/What-s-wrong-with-OpenID
  58. Failures of OpenID 2.0: complex to implement; no marketing ("Do you have an OpenID? What is it?"); URL as identifier => bad user experience
  59. Facebook Connect: 250,000,000 monthly users
  60. So let's all use Facebook?
  61. How to fix it?
  62. Easier to implement; better user experience; built on top of OAuth 2.0; simpler specification; wider adoption
  63. What's wrong with OAuth? Does not work well with non-web or JavaScript-based clients; the "Invalid Signature" problem; complicated flow, many requests
  64. http://oauth.net/
  65. What's new in OAuth 2? (Draft 10): no signatures, cookie-like Bearer Token; different client profiles; no Token Secrets; no Request Tokens; mandatory TLS/SSL; much more flexible regarding extensions. http://tools.ietf.org/html/draft-ietf-oauth-v2
  66. Web-Server Profile
  67. Pre-registration of the client (lanyrd.com) at Twitter (twitter.com): shared Client ID, shared Client Secret, Redirect URI
  68. lanyrd.com: HTTP(S) POST "Connect with Twitter"
  69. lanyrd.com: HTTPS Redirect to http://twitter.com/authorize?&clientId=...
  70. HTTPS GET twitter.com/authorize
  71. Login at twitter.com/authorize
  72. Grant permission at twitter.com/authorize: create authorization code and bind it to User and Client ID
  73. twitter.com/authorize: HTTPS Redirect to Redirect URI?authorizationCode=...
  74. lanyrd.com: HTTPS GET (Redirect URI?authorizationCode=...)
  75. lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Authorization Code, Consumer Secret
  76. twitter.com -> lanyrd.com: Access Token (Refresh Token)
  77. lanyrd.com -> twitter.com: HTTPS API Request with Access Token
  78. lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Refresh Token, Consumer Secret
  79. twitter.com -> lanyrd.com: Access Token, Refresh Token
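The web-server profile of slides 67 to 79, carried through as an added Python example with both parties in one process. It is not the talk's code; the OAuth 2 draft's parameter names (client_id, code, state) are used where the slides write clientId and authorizationCode. It shows the three checks the diagram implies but does not spell out: the redirect URI must equal the registered one, a code is bound to user and client and redeemable once, and the client ties the callback to the user's session with a state value. Client id, secret and URLs are constructed.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

CODE_TTL, ACCESS_TTL = 60, 3600   # codes: short-lived and single use; access tokens expire


class AuthorizationServer:
    """Toy provider, the twitter.com side of the slides (constructed, in-memory)."""

    def __init__(self, clients, now=time.time):
        self.clients, self.now = clients, now   # client_id -> (secret, redirect_uri), slide 67
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, state, user):
        """After login and consent (slide 72): mint a code bound to user and client."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri not registered")   # exact match only
        code = secrets.token_urlsafe(24)
        self.codes[code] = (user, client_id, redirect_uri, self.now() + CODE_TTL)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _check_client(self, client_id, client_secret):
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise ValueError("invalid_client")

    def _issue(self, user, client_id):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, client_id, self.now() + ACCESS_TTL)
        self.refresh[rt] = (user, client_id)
        return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange of the code for tokens (slides 75-76)."""
        self._check_client(client_id, client_secret)
        grant = self.codes.pop(code, None)          # pop: a code is redeemable once
        if grant is None or grant[3] < self.now() or grant[1:3] != (client_id, redirect_uri):
            raise ValueError("invalid_grant")
        return self._issue(grant[0], client_id)

    def refresh_token(self, client_id, client_secret, rt):
        """Slides 78-79: trade the refresh token for a new pair; the old one is retired."""
        self._check_client(client_id, client_secret)
        owner = self.refresh.pop(rt, None)
        if owner is None or owner[1] != client_id:
            raise ValueError("invalid_grant")
        return self._issue(owner[0], client_id)

    def api_user(self, access_token):
        """Slide 77: the API checks nothing but the bearer token."""
        entry = self.access.get(access_token)
        if entry is None or entry[2] < self.now():
            raise ValueError("invalid_token")
        return entry[0]


class Client:
    """Toy relying party, the lanyrd.com side; `session` is the user's server session."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri

    def start_login(self, session):
        """Slide 69: send the browser to the provider carrying a fresh state value."""
        session["oauth_state"] = secrets.token_urlsafe(16)
        return "https://twitter.com/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.redirect_uri, "state": session["oauth_state"]})

    def handle_callback(self, session, callback_url):
        """Slide 74: the code arrives via the browser; bind it to the session via state."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
        expected = session.pop("oauth_state", None)
        if expected is None or not hmac.compare_digest(expected, q.get("state", "")):
            raise ValueError("state mismatch: callback not started by this session")
        return self.server.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)


def demo():
    """Run the flow with a fake clock; return (user, replay rejected?, user after refresh)."""
    clock = [1_300_000_000]
    srv = AuthorizationServer({"lanyrd": ("constructed-secret", "https://lanyrd.com/cb")},
                              now=lambda: clock[0])
    rp, session = Client(srv, "lanyrd", "constructed-secret", "https://lanyrd.com/cb"), {}
    state = parse_qs(urlsplit(rp.start_login(session)).query)["state"][0]
    callback = srv.authorize("lanyrd", "https://lanyrd.com/cb", state, user="bhofmann")
    tokens = rp.handle_callback(session, callback)
    user = srv.api_user(tokens["access_token"])
    code = parse_qs(urlsplit(callback).query)["code"][0]
    try:                                    # replaying the same code must fail
        srv.token("lanyrd", "constructed-secret", code, "https://lanyrd.com/cb")
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    clock[0] += ACCESS_TTL + 1              # the access token has now expired
    renewed = srv.refresh_token("lanyrd", "constructed-secret", tokens["refresh_token"])
    return user, replay_rejected, srv.api_user(renewed["access_token"])
```

Because the access token is a bearer credential, every leg that carries it in this profile is HTTPS; that is the "mandatory TLS/SSL" line of slide 65 in practice.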
  80. User-Agent Profile
  81. lanyrd.com: open popup http://twitter.com/authorize?&clientId=...
  82. lanyrd.com: open popup http://twitter.com/authorize?&clientId=...; HTTPS GET twitter.com/authorize
  83. lanyrd.com: open popup http://twitter.com/authorize?&clientId=...; Login at twitter.com/authorize
  84. lanyrd.com: open popup http://twitter.com/authorize?&clientId=...; Grant permission at twitter.com/authorize
  85. twitter.com/authorize -> lanyrd.com: HTTPS Redirect to RedirectURI#accessToken
  86. lanyrd.com (RedirectURI#accessToken): parse Access Token from fragment, send it to the opening window, close popup
  87. Same Origin Policy
  88. lanyrd.com -> twitter.com: HTTPS Ajax request to API with Access Token
  89. Same Origin Policy
  90. JSONP
  91. Cross-Origin Resource Sharing (CORS)
  92. Client (lanyrd.com) -> Backend (api.twitter.com): AJAX; Access-Control-Allow-Origin: *; http://www.w3.org/TR/cors/
  93. What happened to signatures? Bearer Tokens are fine over a secure connection. Vulnerable if discovery is introduced, or if TLS/SSL is not possible. So OAuth 1.0 signatures are alternatively available.
  94. Scopes: optional parameter for provider-specific implementations; additional return values; access control
  95. Scope: "openid". With the access token additional values are returned: UserID, URL to Portable Contacts endpoint, Timestamp, Signature. http://openidconnect.com/
  96. https://github.com/vznet/vz_id_democlient, http://opensocial-demo.vz-modules.net/vzid/index.php
  97. DEMO
  98. OpenID Connect Discovery: get identifier of user; call the /.well-known/host-meta file at the domain of the user's provider; look for a link pointing to the OpenID Connect endpoints in the returned LRDD
  99. http://example.com/.well-known/host-meta, http://tools.ietf.org/html/draft-nottingham-site-meta
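Slide 98's three steps as an added Python example (not the talk's or any library's code). It parses XRD host-meta and LRDD documents, expands the lrdd template, and refuses to follow a template that leaves the provider's domain or drops to plain http, which is the "vulnerable if discovery is introduced" case of slide 93. The XRD documents, the fetch stand-in and the acct: identifier are constructed; the link relation is the one from the final OpenID Connect Discovery 1.0 spec, which the 2011 draft may not have used, so it is passed as a parameter.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
# Link relation from OpenID Connect Discovery 1.0 (the final spec); the 2011 draft
# the slides refer to may have used a different value, so it is only a default.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed documents standing in for the two HTTP responses of slide 98.
HOST_META = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" type="application/xrd+xml"
        template="https://example.com/describe?uri={uri}"/>
</XRD>"""
LRDD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:bob@example.com</Subject>
  <Link rel="http://openid.net/specs/connect/1.0/issuer" href="https://id.example.com/"/>
</XRD>"""


def xrd_links(text):
    """Parse an XRD document and return its <Link> elements as attribute dicts."""
    root = ET.fromstring(text)
    if root.tag != XRD_NS + "XRD":
        raise ValueError("not an XRD document")
    return [dict(link.attrib) for link in root.findall(XRD_NS + "Link")]


def host_meta_url(domain):
    """Slide 99: the well-known location, fetched over https only."""
    return f"https://{domain}/.well-known/host-meta"


def lrdd_template(host_meta_text):
    """The lrdd link's URI template (draft-nottingham-site-meta / WebFinger)."""
    for link in xrd_links(host_meta_text):
        if link.get("rel") == "lrdd" and "template" in link:
            return link["template"]
    raise ValueError("host-meta has no lrdd template")


def expand_template(template, identifier):
    return template.replace("{uri}", quote(identifier, safe=""))


def on_domain_over_https(url, domain):
    """Refuse templates that would send the lookup off-domain or over plain http."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (host == domain or host.endswith("." + domain))


def discover_issuer(identifier, fetch, rel=OIDC_ISSUER_REL):
    """identifier like 'bob@example.com'; fetch(url) -> body, injected so this runs offline."""
    domain = identifier.rsplit("@", 1)[-1].lower()
    template = lrdd_template(fetch(host_meta_url(domain)))
    lrdd_url = expand_template(template, "acct:" + identifier)
    if not on_domain_over_https(lrdd_url, domain):
        raise ValueError("lrdd template rejected: " + lrdd_url)
    for link in xrd_links(fetch(lrdd_url)):
        if link.get("rel") == rel and link.get("href", "").startswith("https://"):
            return link["href"]
    raise ValueError("no OpenID Connect link in LRDD")


def fake_fetch(url):
    """Constructed stand-in for HTTP GET, serving the two documents above."""
    if url == host_meta_url("example.com"):
        return HOST_META
    if url == expand_template(lrdd_template(HOST_META), "acct:bob@example.com"):
        return LRDD
    raise LookupError("unexpected URL " + url)


if __name__ == "__main__":
    print(discover_issuer("bob@example.com", fake_fetch))
```

A real fetch must also verify the TLS certificate and cap redirects and document size; the domain check above is useless if the transport can be redirected elsewhere.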
  100. http://code.google.com/p/webfinger/
  101. http://www.oexchange.org/
  102. Phishing
  103. @ E-mail address equals identity?
  104. Can the browser help?
  105. FOAF+SSL (WebID): http://esw.w3.org/Foaf%2Bssl
  106. DEMO: http://trunk.ontowiki.net/, http://www.w3.org/wiki/Foaf%2Bssl/IDP
  107. Bad browser UI: syncing between different computers? More than one user on the same computer?
  108. Mozilla UX Mockups
  109. https://browserid.org/
  110. DEMO: http://myfavoritebeer.org/, https://addons.mozilla.org/en-US/firefox/addon/browser-sign-in/
  111. Summing it up
       • We need a single sign on system for the web
       • Proprietary solutions are bad for users, site owners and developers
       • OpenID is cool, but has some problems
       • A new, simpler and more flexible spec is coming up
       • Browser vendors are working to solve this problem in the browser
  112. Rate and Comment: http://spkr8.com/t/8738
  113. http://twitter.com/BastianHofmann, https://profiles.google.com/bashofmann, http://lanyrd.com/people/BastianHofmann/, http://slideshare.net/bashofmann, mail@bastianhofmann.de
