OpenID - An in depth look at what it is, and how you can use it

An in-depth look at what it is, and how you can use it

What is OpenID? • quot;OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Difﬁe- Hellman)” • An ID is a URI or XRI • Federated, not delegated SSO (Facebook Connect, Sign-In with Twitter)

History • 1.0 (5/2005) Original speciﬁcation by Brad Fitzpatrick • 1.1 (5/2006) First revision by Brad Fitzpatrick and David Recordon • 2.0 (12/5/2007) Signiﬁcant Changes • Added directed identity, extensions, nonces, SHA256 support • Versioned • Yadis for discovery

Terminology • Identiﬁer (URI or XRI) • End User (EU) • Relying Party (RP, Consumer) • OpenID Provider (OP, Identity Provider, IdP, Server) • OP Endpoint URL

Simple Overview • End User presents an identiﬁer to a RP, claiming to own it • RP directs the end user to the OP to log in and authorize • End User is directed back to RP, who veriﬁes the claim

A closer look • EU supplies identifier to RP • RP performs discovery on EU supplied identifier • RP optionally creates an association (shared secret) with OP • RP Builds auth request URL and redirects EU to it • EU logs in to OP, authorizes the request, is redirected back to RP • RP receives auth response, and verifies the assertion

HTML Discovery

Yadis Discovery (yet another discovery protocol)

Discovery History • 1.x: HTML • 2.0:Yadis/XRDS, HTML • Future: LRDD/XRD

OpenID Protocol Messages • All OpenID messages are key/value pairs • Indirect Requests are GET parameters • Direct Requests use POST • Response KV format for direct requests is quot;key:valuenquot; • Keys contain 'openid.' preﬁx, as in “openid.claimed_id”

OpenID Modes • associate (direct communication) • Optional, but recommended • Establish a shared secret between RP and OP • checkid_immediate (indirect communication) • OP should not interact with EU • checkid_setup (indirect communication) • OP should interact with EU • check_authentication (direct communication) • Verify an assertion directly with OP (no association)

Associations • Uses Difﬁe-Hellman protocol for establishing shared secrets over unencrypted transports (HTTP) • sha1 or sha256 • Can use “no-encryption” if the connection is over HTTPS

Extensions • Ofﬁcially supported in 2.0 • Does not require an identiﬁer • Popular extensions • Simple Registration (SREG) • Attribute Exchange (AX) • OpenID OAuth Extension (OAUTH) • Provider Authentication Policy Extension (PAPE) • User Interface (UI)

OpenID Libraries • PHP • JanRain (openidenabled.com) Very Complete • PEAR (RP support only as of this writing) • Zend Framework • CakePHP • Python • JanRain (openidenabled.com) • Ruby, C#, C++, Perl, Java, ColdFusion, Apache 2

Outsourcing OpenID • RPX (JanRain) • Vidoop Connect

OpenID - An in depth look at what it is, and how you can use it

by Bill Shupp on May 21, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 5

Statistics

OpenID - An in depth look at what it is, and how you can use it — Presentation Transcript

http://www.slideshare.net	3
http://www.blogger.com	1
http://busstoped.blogspot.com	1