OpenID Authentication by example

OpenID is a new way to identify yourself all over the web. With your own personal OpenID you can log in to any OpenID-enabled site (there are over 1,000 of them and that number is growing every day) and identify yourself as you.

This is a short by-example talk about OpenID, what it does and what it can provide for your website. The talk includes a sample implementation in Perl.

(talk given at Belgian Perl Workshop, 27 November 2007)

Published in: Technology

OpenID Authentication by example

  1. OpenID Authentication by example BPW2007 chrisv.cpan.org (introductory slides: thanks to Simon Willison) Saturday 27 October 2007 1
  2. usernames & passwords suck
  3. signing up for new accounts is a pain
  4. my online identity exists in multiple (hard to manage) places
  5. user database theft
  6. password/cc info theft
  7. too many passwords, too many userids
  8. we need single signon
  9. unified, trusted identity
  10. OpenID is a decentralized mechanism for single signon
  11. OpenID is a URL
  12. http://vertonghen.livejournal.com
  13. http://vertonghen.myopenid.com
  14. http://chris.vertonghen.org
  15. The OpenID protocol lets you prove that you own a specific URL
  16. An OpenID can be used as an authentication credential
  17. Site: “Who are you?”
  18. Me: “I’m chris.vertonghen.org”
  19. Site: “Prove it”
  20. (some magic happens)
  21. Site: “ok you’re in!”
  22. Picking an OpenID is like picking an email provider - you find one that you trust
  23. If you have the ability to run your own server software, you can do so yourself
  24. http://www.wooblelab.com/ (demo)
  25. So my users don’t have to sign up for an account?
  26. Not necessarily
  27. An OpenID tells you very little about a user
  28. You don’t know their name
  29. You don’t know their e-mail address
  30. You don’t know if they’re a person or an evil robot
  31. You have to ask them!
  32. OpenID can help them answer
  33. (demo) http://www.welovelocal.com/
  34. So how does OpenID work?
  35. (image slide, no text)
  36. (image slide, no text)
  37. Use multiple OpenIDs to maintain multiple online personas
  38. professional social secret ...
  39. OpenID and web service APIs naturally complement each other
  40. Me: “I’m vertonghen.myopenid.com”
  41. Site fetches HTML, discovers identity provider
  42. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  43. Redirects you to the identity provider
  44. when you’re logged in there, you get redirected back
  45. How does my identity provider know who I am?
  46. OpenID deliberately doesn’t specify
  47. username/password is common
  48. But providers can use other methods if they want to
  49. Client SSL certificates
  50. Out of band authentication via SMS, e-mail or Jabber
  51. No authentication at all (just say “Yes”) (which is the OpenID version of bugmenot.com)
  52. What if I decide I suddenly hate my provider?
  53. Use your own domain name
  54. and delegate to a provider you trust
  55. (image slide, no text)
  56. (image slide, no text)
  57. perl OpenID client
  58. Net::OpenID::Consumer by Brad Fitzpatrick (of course)
  59. 59. use Net::OpenID::Consumer; my $csr = Net::OpenID::Consumer->new( ua => LWPx::ParanoidAgent->new, cache => Some::Cache->new, args => $cgi, consumer_secret => ..., required_root => quot;http://chris.vertonghen.org/quot;, ); # a user entered, say, quot;bradfitz.comquot; as their identity. The first # step is to fetch that page, parse it, and get a # Net::OpenID::ClaimedIdentity object: my $claimed_identity = $csr->claimed_identity(quot;bradfitz.comquot;); # now your app has to send them at their identity server's endpoint # to get redirected to either a positive assertion that they own # that identity, or where they need to go to login/setup trust/etc. my $script_name = quot;http://quot; . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'}; my $check_url = $claimed_identity->check_url( return_to => $script_name . quot;?return=true&hurl=$hurl&oid=quot; . $m->interp()->apply_escapes($identity), trust_root => quot;http://chris.vertonghen.org/quot;, ); # so you send the user off there, and then they come back to # openid-check.mhtml, then you see what the identity server said; if ($return) { if ( $setup_url = $openid_con->user_setup_url ) { print $m->redirect($setup_url); } elsif ( $verify_identity = $openid_con->verified_identity ) { $verified_url = $verify_identity->url; print 'Congratulations your identity has been verified.<BR><BR>'; } elsif ( $openid_con->user_cancel ) { $m->redirect('http://chris.vertonghen.org/auth.html'); #use the file name of the login page } else { print quot;<BR><h1>Validation Error</h1>quot;; print 'There was an error in validating your identity. The error was ', $openid_con->err . quot;<BR><BR>Please <a href=quot;javascript: history.go(-1);quot;>go back and try again</a>.<BR><BR>quot;; } } Saturday 27 October 2007 59
  60. Thank you. Questions?
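The consumer-side flow from slides 41-44 (discover the provider from the identity page, send the user there, check the signed assertion they bring back) together with the delegation trick of slides 53-54, as an added Python example that is not part of the talk or of Net::OpenID::Consumer. It assumes an OpenID 1.1 association whose `mac_key` was already negotiated (the Diffie-Hellman step of slide 42 is not shown), and the identity page, URLs and key are constructed sample values.

```python
import base64, hashlib, hmac, re
from urllib.parse import urlencode

# Constructed sample identity page: the user's own domain delegating to a provider (slides 53-54).
IDENTITY_HTML = """<html><head>
<link rel="openid.server" href="http://provider.example/server">
<link rel="openid.delegate" href="http://alice.provider.example/">
</head><body>Alice's page</body></html>"""

def discover(html):
    """OpenID 1.1 HTML discovery (slide 41): return (provider endpoint, delegate URL or None)."""
    found = {}
    for tag in re.findall(r'<link\s[^>]*>', html, re.I):
        rel = re.search(r'rel=["\']([^"\']+)["\']', tag, re.I)
        href = re.search(r'href=["\']([^"\']+)["\']', tag, re.I)
        if rel and href:
            found[rel.group(1).lower()] = href.group(1)
    if 'openid.server' not in found:
        raise ValueError('no openid.server link on the identity page')
    return found['openid.server'], found.get('openid.delegate')

def checkid_setup_url(server, claimed_id, delegate, return_to, trust_root, assoc_handle):
    """Redirect that sends the user to the provider (slide 43). The provider is asked about
    the delegate URL; the site keeps claimed_id as the OpenID the user typed."""
    params = {'openid.mode': 'checkid_setup',
              'openid.identity': delegate or claimed_id,
              'openid.return_to': return_to,
              'openid.trust_root': trust_root,
              'openid.assoc_handle': assoc_handle}
    return server + ('&' if '?' in server else '?') + urlencode(params)

def sign_fields(query, mac_key):
    """HMAC-SHA1 over 'key:value\\n' lines of the fields named in openid.signed (OpenID 1.1
    token_contents), keyed with the association secret; provider and site both compute this."""
    token = ''.join('%s:%s\n' % (f, query.get('openid.' + f, ''))
                    for f in query['openid.signed'].split(','))
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha1).digest()).decode()

def verify_response(query, mac_key, expected_return_to, assoc_handle):
    """Accept the assertion the user brings back (slide 44) only if it belongs to our
    association and return_to, signs the essential fields, and the HMAC checks out."""
    if (query.get('openid.mode') != 'id_res'
            or query.get('openid.assoc_handle') != assoc_handle
            or query.get('openid.return_to') != expected_return_to):
        return False
    signed = query.get('openid.signed', '').split(',')
    if any(f not in signed for f in ('mode', 'identity', 'return_to')):
        return False
    return hmac.compare_digest(sign_fields(query, mac_key), query.get('openid.sig', ''))
```

A real consumer also has to fetch the identity page with a non-naive user agent (the talk's code uses LWPx::ParanoidAgent for that) and must bind the association handle to the user's session so a response cannot be replayed against another login attempt.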
