The Identity Problem of the Web and how to solve it

    Presentation Transcript

    • Bastian Hofmann, ResearchGate GmbH: The Identity Problem of the Web and how to solve it
    • Questions? Ask!
    • http://slideshare.net/bashofmann
    • Only one identity?
    • Identity is conveyed by communication. Identity is not fixed but recreated by every communication with your fellows. Expectations of different people result in different identities. (Lothar Krappmann)
    • Paul Adams: http://www.slideshare.net/padday/the-real-life-social-network-v2
    • Sign up again and again
    • Passwords are broken: same password for more than one service; saved insecurely in the browser; names, birthdays, car brand, ...; disclosed to others; too short, too simple; sent over non-encrypted connections
    • Single Sign On
    • Microsoft Live ID: launched 1999 as .net Passport
    • Facebook Connect
    • And there are many more
    • Nascar problem
    • Aggregation: http://www.janrain.com/
    • OpenID http://openid.net/
    • The Client
    • http://bhofmann.myopenid.com
    • The user submits the identifier: HTTP POST http://bhofmann.myopenid.com to stackoverflow.com
    • stackoverflow.com performs discovery: HTTP GET http://bhofmann.myopenid.com
    • The identifier page points to the provider: <link rel="openid2.provider" href="http://www.myopenid.com/server" />
    • stackoverflow.com and myopenid.com/server establish a shared secret (Diffie-Hellman)
    • HTTP Redirect to http://myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
    • HTTP GET myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
    • Login at myopenid.com/server
    • Grant permission at myopenid.com/server
    • HTTP Redirect to http://stackoverflow.com/?assertion...
    • HTTP GET stackoverflow.com: verify assertion
    • DEMO http://stackoverflow.com/https://www.myopenid.com/
    • Authentication vs Authorization: Who is the user? Is this really user X? vs. Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (social graph)
    • But there are Spec Extensions
    • Additional parameters on the redirects
    • Simple Registration
    • Request: openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender
      Response: openid.sreg.fullname=Bastian&openid.sreg.gender=male
    • Attribute Exchange
    • Fetch request:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=fetch_request
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.type.gender=http://example.com/schema/gender
      openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.count.fav_movie=3
      openid.ax.required=fname,gender
      openid.ax.if_available=fav_dog,fav_movie
      openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
    • Fetch response:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=fetch_response
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.type.gender=http://example.com/schema/gender
      openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.value.fname=John Smith
      openid.ax.count.gender=0
      openid.ax.value.fav_dog=Spot
      openid.ax.count.fav_movie=2
      openid.ax.value.fav_movie.1=Movie1
      openid.ax.value.fav_movie.2=Movie2
      openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
    • Store request:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=store_request
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.value.fname=Bob Smith
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.count.fav_movie=2
      openid.ax.value.fav_movie.1=Movie1
      openid.ax.value.fav_movie.2=Movie2
    • Store response:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=store_response_success
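Worked example, added here and not part of the slides: a relying-party parser for the AX fetch_response shown above. It looks up the namespace alias instead of hard-coding `openid.ax.`, keys attributes by type URI (the provider chooses its own aliases), handles the `count=0` and multi-valued (`value.fav_movie.1`, `.2`) forms, and reports which required types the provider did not return. The sample query string is constructed from the slide's values.

```python
"""Parse an OpenID Attribute Exchange 1.0 fetch_response (added example).

The sample below is constructed from the fetch_response slide: fname is a
single value, gender came back with count=0 (the provider has nothing),
fav_movie is multi-valued (count=2, value.fav_movie.1 / .2).
"""
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

SAMPLE_FETCH_RESPONSE = (
    "openid.ns.ax=http://openid.net/srv/ax/1.0"
    "&openid.ax.mode=fetch_response"
    "&openid.ax.type.fname=http://example.com/schema/fullname"
    "&openid.ax.type.gender=http://example.com/schema/gender"
    "&openid.ax.type.fav_dog=http://example.com/schema/favourite_dog"
    "&openid.ax.type.fav_movie=http://example.com/schema/favourite_movie"
    "&openid.ax.value.fname=John%20Smith"
    "&openid.ax.count.gender=0"
    "&openid.ax.value.fav_dog=Spot"
    "&openid.ax.count.fav_movie=2"
    "&openid.ax.value.fav_movie.1=Movie1"
    "&openid.ax.value.fav_movie.2=Movie2"
)


def find_ax_alias(params):
    """Return the namespace alias the provider bound to the AX namespace.

    The alias is usually "ax", but only the namespace URI is fixed, so a
    relying party must look it up instead of hard-coding "openid.ax.".
    """
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    raise ValueError("no OpenID AX namespace declared in response")


def parse_fetch_response(query, required=()):
    """Return ({type_uri: [values]}, [missing required type_uris]).

    Attributes are keyed by type URI, not by alias: the relying party asked
    for "fname" but the provider may answer under any alias it likes.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    prefix = f"openid.{find_ax_alias(params)}."
    if params.get(prefix + "mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")

    attrs = {}
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        alias = key[len(prefix + "type."):]
        count_key = f"{prefix}count.{alias}"
        if count_key in params:
            # Multi-valued form: count.<alias>=N and value.<alias>.1 .. .N
            # (count 0 means the provider returned nothing for this type).
            count = int(params[count_key])
            values = []
            for i in range(1, count + 1):
                value_key = f"{prefix}value.{alias}.{i}"
                if value_key not in params:
                    raise ValueError(f"count says {count} but {value_key} is missing")
                values.append(params[value_key])
        else:
            # Single-valued form: value.<alias>=... (absent means not returned).
            value_key = f"{prefix}value.{alias}"
            values = [params[value_key]] if value_key in params else []
        attrs[type_uri] = values

    missing = [uri for uri in required if not attrs.get(uri)]
    return attrs, missing
```

Running `parse_fetch_response(SAMPLE_FETCH_RESPONSE, required=(fullname_uri, gender_uri))` yields the full name and two movies, an empty list for gender, and `gender` in the missing list, which is the signal a relying party uses to refuse or degrade the sign-up instead of assuming the provider answered everything it asked for.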
    • http://oauth.net/
    • Pre-registration of the client (lanyrd.com) at Twitter (twitter.com): shared Consumer Key, shared Consumer Secret
    • HTTP POST "Connect with Twitter" to lanyrd.com
    • lanyrd.com -> twitter.com (HTTP GET): Consumer Key, Redirect URI, Signature (Consumer Secret)
    • twitter.com -> lanyrd.com: Request Token, Request Token Secret
    • HTTP Redirect to http://twitter.com/authorize?requestToken=...&consumerKey=...
    • HTTP GET twitter.com/authorize
    • Login at twitter.com/authorize
    • Grant permission at twitter.com/authorize: create verifier and bind it to User and Request Token
    • HTTP Redirect to Redirect URI?verifier=...&requestToken=...
    • HTTP GET lanyrd.com (Redirect URI?verifier=...)
    • lanyrd.com -> twitter.com (HTTP GET): Consumer Key, Request Token, Verifier, Signature (Consumer & Request Token Secret)
    • twitter.com -> lanyrd.com: Access Token, Access Token Secret
    • lanyrd.com -> twitter.com API request: Consumer Key, Access Token, Signature (Consumer & Access Token Secret)
    • OpenID + OAuth: combines OpenID authentication and OAuth authorization
      Request: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
      Response: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
    • OpenID is dead
    • „OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
    • „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook) http://www.quora.com/What-s-wrong-with-OpenID
    • Failures of OpenID 2.0: complex to implement; no marketing („Do you have an OpenID? What is it?“); URL as identifier => bad user experience
    • Facebook Connect: 250,000,000 monthly users
    • So let's all use Facebook?
    • How to fix it?
    • Easier to implement; better user experience; built on top of OAuth 2.0; simpler specification; wider adoption
    • What's wrong with OAuth? Does not work well with non-web or JavaScript-based clients; the „Invalid Signature“ problem; complicated flow, many requests
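Worked example, added here and not taken from the slides, covering both the OAuth 1.0 flow above (the "Signature (Consumer & Access Token Secret)" steps) and the "Invalid Signature" problem: a signer and verifier that build the signature base string the way RFC 5849 section 3.4 prescribes. The credentials, nonce and host `api.example.net` are constructed placeholders. The strictness of `oauth_escape` is the point: the two sides must percent-encode byte-for-byte identically, and a client that encodes a space as `+` or leaves `/` unescaped produces a perfectly good HMAC over the wrong string.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (added example).

Follows the base-string construction of RFC 5849 section 3.4; the consumer
key/secret, token/secret and nonce values below are constructed placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_escape(value):
    """RFC 5849 section 3.6: percent-encode all but unreserved characters.

    Using a looser encoder (one that leaves "/" or ":" alone, or turns a
    space into "+") is the classic cause of the "Invalid Signature" error:
    both sides compute a valid HMAC, just not over the same string.
    """
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Scheme and host lower-cased, default ports dropped, query removed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """params: (name, value) pairs from query, body and oauth_* headers, decoded."""
    encoded = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_escape(normalize_url(url)), oauth_escape(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer secret and token secret, each encoded, joined by '&'."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def collect_params(url, oauth_params, body_params=()):
    """Everything signed: query string + body + oauth_* except the signature itself."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return params


def sign_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    base = signature_base_string(method, url, collect_params(url, oauth_params, body_params))
    return hmac_sha1_signature(base, consumer_secret, token_secret)


def verify_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Server side: recompute over the received request and compare in constant time."""
    expected = sign_request(method, url, oauth_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Constructed sample request (placeholder credentials, not real ones).
CONSUMER_SECRET = "consumer-secret-placeholder"
TOKEN_SECRET = "token-secret-placeholder"
SAMPLE_URL = "https://api.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "consumer-key-placeholder",
    "oauth_token": "access-token-placeholder",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "nonce-placeholder",
    "oauth_version": "1.0",
}


def signed_sample():
    """Return a copy of SAMPLE_OAUTH with a valid oauth_signature attached."""
    signed = dict(SAMPLE_OAUTH)
    signed["oauth_signature"] = sign_request("GET", SAMPLE_URL, SAMPLE_OAUTH,
                                             CONSUMER_SECRET, TOKEN_SECRET)
    return signed
```

Changing any signed parameter (here `size=original` to `size=large`) or using the wrong secret makes `verify_request` return False, which is what the signature buys over a bearer token when the channel itself is not trusted. A real verifier also has to reject reused nonces and stale timestamps; that state is omitted here.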
    • http://oauth.net/
    • What's new in OAuth2? (Draft 10): no signatures; cookie-like Bearer Token; different client profiles; no Token Secrets; no Request Tokens; mandatory TLS/SSL; much more flexible regarding extensions. http://tools.ietf.org/html/draft-ietf-oauth-v2
    • Web-Server Profile
    • Pre-registration of the client (lanyrd.com) at Twitter (twitter.com): shared Client ID, shared Client Secret, Redirect URI
    • HTTP(S) POST "Connect with Twitter" to lanyrd.com
    • HTTPS Redirect to http://twitter.com/authorize?&clientId=...
    • HTTPS GET twitter.com/authorize
    • Login at twitter.com/authorize
    • Grant permission at twitter.com/authorize: create authorization code and bind it to User and Client ID
    • HTTPS Redirect to Redirect URI?authorizationCode=...
    • HTTPS GET lanyrd.com (Redirect URI?authorizationCode=...)
    • lanyrd.com -> twitter.com (HTTPS GET): Consumer Key, Authorization Code, Consumer Secret
    • twitter.com -> lanyrd.com: Access Token (Refresh Token)
    • lanyrd.com -> twitter.com: HTTPS API request with Access Token
    • lanyrd.com -> twitter.com (HTTPS GET): Consumer Key, Refresh Token, Consumer Secret
    • twitter.com -> lanyrd.com: Access Token, Refresh Token
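Worked example, added here and not from the slides or any provider's code: the in-memory core of an authorization server for the web-server profile just listed. It implements the two steps that carry the security weight, "create authorization code and bind it to User and Client ID" and the back-channel code exchange authenticated with the client secret, plus refresh and a resource-server lookup. The client name, secret and redirect URI are constructed placeholders; the clock is injectable so expiry can be exercised.

```python
"""In-memory core of an OAuth 2.0 authorization server, web-server profile
(added example; names such as "lanyrd" are stand-ins for any client).

Codes are single-use, short-lived and tied to the user, the client and the
redirect URI they were issued for, so a leaked or replayed code is worthless.
"""
import hmac
import secrets
import time

CODE_LIFETIME = 60        # seconds; a code is meant to be exchanged immediately
TOKEN_LIFETIME = 3600     # seconds


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.clients = {}         # client_id -> (client_secret, redirect_uri)
        self.codes = {}           # code -> grant record
        self.access_tokens = {}   # access_token -> {user, client_id, expires}
        self.refresh_tokens = {}  # refresh_token -> {user, client_id}

    def register_client(self, client_id, client_secret, redirect_uri):
        """Pre-registration step: shared secret plus the one allowed redirect URI."""
        self.clients[client_id] = (client_secret, redirect_uri)

    def redirect_uri_allowed(self, client_id, redirect_uri):
        """Exact match against registration; never send a code anywhere else."""
        registered = self.clients.get(client_id)
        return registered is not None and registered[1] == redirect_uri

    def authorize(self, client_id, redirect_uri, user):
        """'Grant permission' step: mint a code bound to user, client and redirect URI."""
        if not self.redirect_uri_allowed(client_id, redirect_uri):
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "user": user, "client_id": client_id, "redirect_uri": redirect_uri,
            "expires": self.now() + CODE_LIFETIME, "used": False,
        }
        return code

    def _client_authenticated(self, client_id, client_secret):
        registered = self.clients.get(client_id)
        return registered is not None and hmac.compare_digest(registered[0], client_secret)

    def _issue_tokens(self, user, client_id):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = {"user": user, "client_id": client_id,
                                      "expires": self.now() + TOKEN_LIFETIME}
        self.refresh_tokens[refresh] = {"user": user, "client_id": client_id}
        return {"access_token": access, "token_type": "bearer",
                "expires_in": TOKEN_LIFETIME, "refresh_token": refresh}

    def token_from_code(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange; errors use the token endpoint's error codes."""
        if not self._client_authenticated(client_id, client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.get(code)
        if (grant is None or grant["used"] or grant["expires"] < self.now()
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        grant["used"] = True    # a replayed code must fail from now on
        return self._issue_tokens(grant["user"], client_id)

    def token_from_refresh(self, client_id, client_secret, refresh_token):
        """Refresh step from the slides; the refresh token is rotated on use."""
        if not self._client_authenticated(client_id, client_secret):
            return {"error": "invalid_client"}
        record = self.refresh_tokens.pop(refresh_token, None)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return self._issue_tokens(record["user"], client_id)

    def user_for_access_token(self, access_token):
        """Resource server check: who does this bearer token stand for, if anyone?"""
        record = self.access_tokens.get(access_token)
        if record is None or record["expires"] < self.now():
            return None
        return record["user"]
```

The code is useless on its own: it only becomes a token when presented by the registered client, with the client secret, to the same redirect URI, once, within a minute. That is what lets the web-server profile drop request-token secrets and signatures while keeping the front channel (the user's browser) untrusted.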
    • User-Agent Profile
    • lanyrd.com opens a popup: http://twitter.com/authorize?&clientId=...
    • HTTPS GET twitter.com/authorize
    • Login at twitter.com/authorize
    • Grant permission at twitter.com/authorize
    • HTTPS Redirect to RedirectURI#accessToken
    • lanyrd.com: parse Access Token from fragment, send it to the opening window, close popup
    • Same Origin Policy
    • lanyrd.com: HTTPS Ajax request to twitter.com API with Access Token
    • Same Origin Policy
    • JSONP
    • Cross Origin Request Sharing (CORS)
    • Client (lanyrd.com) AJAX -> Backend (api.twitter.com): Access-Control-Allow-Origin: * http://www.w3.org/TR/cors/
    • What happened to signatures? Bearer Tokens are fine over a secure connection; vulnerable if discovery is introduced or if TLS/SSL is not possible, so OAuth 1.0 signatures are alternatively available
    • Scopes: optional parameter for provider-specific implementations; additional return values; access control
    • Scope „openid“: with the access token, additional values are returned: UserID, URL to Portable Contacts endpoint, Timestamp, Signature. http://openidconnect.com/
    • https://github.com/vznet/vz_id_democlient
      http://opensocial-demo.vz-modules.net/vzid/index.php
    • DEMO
    • OpenID Connect Discovery: get the identifier of the user; call /.well-known/host-meta at the domain of the user's provider; look for a link pointing to the OpenID Connect endpoints in the returned LRDD
    • http://example.com/.well-known/host-meta
      http://tools.ietf.org/html/draft-nottingham-site-meta
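Worked example, added here and not part of the slides: the client side of the discovery step just described, run against a constructed host-meta (XRD) document. It derives the provider host from the user's identifier, builds the `/.well-known/host-meta` URL, parses the XRD links, expands the `lrdd` template, and picks the endpoint link. The link relation `CONNECT_REL` is an assumed placeholder, not the relation from any OpenID Connect draft. Because the slides note that bearer tokens become vulnerable once discovery is introduced, the endpoint selection refuses anything not served over TLS or not on the provider's own host, since an endpoint that discovery points to is where the token will later be sent.

```python
"""Host-meta (XRD) discovery step from the slides (added example).

The XRD document is constructed; CONNECT_REL is an assumed placeholder
relation, not the one defined by any OpenID Connect draft.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
CONNECT_REL = "http://example.com/rel/openid-connect-endpoint"   # assumed

SAMPLE_HOST_META = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" template="https://provider.example/lrdd?uri={uri}"/>
  <Link rel="http://example.com/rel/openid-connect-endpoint"
        href="https://provider.example/connect"/>
  <Link rel="http://example.com/rel/legacy-endpoint"
        href="http://provider.example/connect-plain"/>
</XRD>
"""


def provider_host(identifier):
    """Host to query, from an e-mail style or URL style user identifier."""
    if "@" in identifier and "://" not in identifier:
        return identifier.rsplit("@", 1)[1].lower()
    parts = urlsplit(identifier if "://" in identifier else "https://" + identifier)
    if not parts.hostname:
        raise ValueError(f"cannot derive a host from {identifier!r}")
    return parts.hostname.lower()


def host_meta_url(host):
    """Always fetch over https: a spoofed host-meta would redirect the token."""
    return f"https://{host}/.well-known/host-meta"


def parse_links(xrd_text):
    """Return the <Link> elements of an XRD document as attribute dicts."""
    root = ET.fromstring(xrd_text)
    if root.tag != XRD_NS + "XRD":
        raise ValueError("not an XRD document")
    return [dict(link.attrib) for link in root.findall(XRD_NS + "Link")]


def lrdd_url(links, identifier):
    """Expand the lrdd template's {uri} placeholder with the user's identifier."""
    for link in links:
        if link.get("rel") == "lrdd" and "template" in link:
            return link["template"].replace("{uri}", quote(identifier, safe=""))
    return None


def find_endpoint(links, host, rel=CONNECT_REL):
    """Pick the endpoint for `rel`, refusing plain http or a foreign host."""
    for link in links:
        if link.get("rel") != rel or "href" not in link:
            continue
        parts = urlsplit(link["href"])
        endpoint_host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            raise ValueError("endpoint is not served over TLS: " + link["href"])
        if endpoint_host != host and not endpoint_host.endswith("." + host):
            raise ValueError("endpoint host does not belong to the provider: " + link["href"])
        return link["href"]
    return None


def endpoint_is_safe(links, host, rel=CONNECT_REL):
    """True when find_endpoint accepts a link for `rel`, False when it refuses or finds none."""
    try:
        return find_endpoint(links, host, rel) is not None
    except ValueError:
        return False
```

The host check is deliberately narrow (the provider host or a subdomain of it); a deployment that legitimately hosts endpoints elsewhere would widen it with an explicit allowlist rather than trusting whatever href the document carries.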
    • http://code.google.com/p/webfinger/
    • http://www.oexchange.org/
    • Phishing
    • @ E-mail address equals identity?
    • Can the browser help?
    • FOAF+SSL (WebID): http://esw.w3.org/Foaf%2Bssl
    • DEMO http://trunk.ontowiki.net/
      http://www.w3.org/wiki/Foaf%2Bssl/IDP
    • Bad browser UI: syncing between different computers? More than one user on the same computer?
    • Mozilla UX Mockups
    • https://browserid.org/
    • DEMO http://myfavoritebeer.org/
      https://addons.mozilla.org/en-US/firefox/addon/browser-sign-in/
    • Summing it up: we need a single sign-on system for the web; proprietary solutions are bad for users, site owners and developers; OpenID is cool, but has some problems; a new, simpler and more flexible spec is coming up; browser vendors are working to solve this problem in the browser
    • Rate and Comment http://spkr8.com/t/8738
    • http://twitter.com/BastianHofmann
      https://profiles.google.com/bashofmann
      http://lanyrd.com/people/BastianHofmann/
      http://slideshare.net/bashofmann
      mail@bastianhofmann.de