OpenID Authentication by example

OpenID is a new way to identify yourself all over the web. With your own personal OpenID you can log in to any OpenID-enabled site (there are over 1,000 of them and that number is growing every day) and identify yourself as you.

This is a short by-example talk about OpenID, what it does and what it can provide for your website. The talk includes a sample implementation in Perl.

(talk given at Belgian Perl Workshop, 27 November 2007)

Published in: Technology

Transcript of "OpenID Authentication by example"

  1. OpenID Authentication by example. BPW2007, chrisv.cpan.org (introductory slides: thanks to Simon Willison). Saturday 27 October 2007
  2. usernames & passwords suck
  3. signing up for new accounts is a pain
  4. my online identity exists in multiple (hard to manage) places
  5. user database theft
  6. password/cc info theft
  7. too many passwords, too many userids
  8. we need single signon
  9. unified, trusted identity
  10. OpenID is a decentralized mechanism for single signon
  11. OpenID is a URL
  12. http://vertonghen.livejournal.com
  13. http://vertonghen.myopenid.com
  14. http://chris.vertonghen.org
  15. The OpenID protocol lets you prove that you own a specific URL
  16. An OpenID can be used as an authentication credential
  17. Site: “Who are you?”
  18. Me: “I’m chris.vertonghen.org”
  19. Site: “Prove it”
  20. (some magic happens)
  21. Site: “ok you’re in!”
  22. Picking an OpenID is like picking an email provider - you find one that you trust
  23. If you have the ability to run your own server software, you can do so yourself
  24. http://www.wooblelab.com/ (demo)
  25. So my users don’t have to sign up for an account?
  26. Not necessarily
  27. An OpenID tells you very little about a user
  28. You don’t know their name
  29. You don’t know their e-mail address
  30. You don’t know if they’re a person or an evil robot
  31. You have to ask them!
  32. OpenID can help them answer
  33. (demo) http://www.welovelocal.com/
  34. So how does OpenID work?
  35. (no text on this slide)
  36. (no text on this slide)
  37. Use multiple OpenIDs to maintain multiple online personas
  38. professional, social, secret, ...
  39. OpenID and web service APIs naturally complement each other
  40. Me: “I’m vertonghen.myopenid.com”
  41. Site fetches HTML, discovers identity provider
  42. Establishes shared secret with identity provider (using Diffie-Hellman key exchange)
  43. Redirects you to the identity provider
  44. when you’re logged in there, you get redirected back
  45. How does my identity provider know who I am?
  46. OpenID deliberately doesn’t specify
  47. username/password is common
  48. But providers can use other methods if they want to
  49. Client SSL certificates
  50. Out of band authentication via SMS, e-mail or Jabber
  51. No authentication at all (just say “Yes”) (which is the OpenID version of bugmenot.com)
  52. What if I decide I suddenly hate my provider?
  53. Use your own domain name
  54. and delegate to a provider you trust
  55. (no text on this slide)
  56. (no text on this slide)
  57. perl OpenID client
  58. Net::OpenID::Consumer by Brad Fitzpatrick (of course)
  59. The slide's Perl consumer code (quotes restored from the mangled HTML entities, the consumer variable name made consistent, and the context variables the slide assumes declared):

      ```perl
      use strict;
      use warnings;
      use Net::OpenID::Consumer;
      use LWPx::ParanoidAgent;   # user agent that refuses to fetch private/internal addresses

      # Supplied by the surrounding Mason component, not shown on the slide:
      # $cgi is the CGI query object, $m the Mason request object, and
      # $hurl, $identity and $return come from the page's own arguments.
      our ( $cgi, $m, $hurl, $identity, $return );
      my $consumer_secret = 'PLACEHOLDER-long-random-secret';   # the slide elides this value

      my $csr = Net::OpenID::Consumer->new(
          ua              => LWPx::ParanoidAgent->new,
          cache           => Some::Cache->new,
          args            => $cgi,
          consumer_secret => $consumer_secret,
          required_root   => "http://chris.vertonghen.org/",   # return_to URLs must live under here
      );

      # A user entered, say, "bradfitz.com" as their identity.  The first
      # step is to fetch that page, parse it, and get a
      # Net::OpenID::ClaimedIdentity object:
      my $claimed_identity = $csr->claimed_identity("bradfitz.com");

      # Now your app has to send them to their identity server's endpoint
      # to get redirected to either a positive assertion that they own
      # that identity, or where they need to go to login/setup trust/etc.
      my $script_name = "http://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'};
      my $check_url   = $claimed_identity->check_url(
          return_to  => $script_name . "?return=true&hurl=$hurl&oid="
                        . $m->interp()->apply_escapes($identity),
          trust_root => "http://chris.vertonghen.org/",
      );

      # So you send the user off there, and then they come back to
      # openid-check.mhtml; then you see what the identity server said.
      # verified_identity() checks the assertion's signature against the
      # shared secret before it returns anything.
      if ($return) {
          if ( my $setup_url = $csr->user_setup_url ) {
              $m->redirect($setup_url);
          }
          elsif ( my $verify_identity = $csr->verified_identity ) {
              my $verified_url = $verify_identity->url;
              print 'Congratulations your identity has been verified.<BR><BR>';
          }
          elsif ( $csr->user_cancel ) {
              $m->redirect('http://chris.vertonghen.org/auth.html');   # the login page
          }
          else {
              print "<BR><h1>Validation Error</h1>";
              print 'There was an error in validating your identity. The error was ',
                    $csr->err,
                    "<BR><BR>Please <a href=\"javascript: history.go(-1);\">go back and try again</a>.<BR><BR>";
          }
      }
      ```

  60. Thank you. Questions?
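Slides 42 and 44 say that a shared secret is set up with the provider and that the user is later redirected back. What the consumer does with that secret on the way back, as an added Python example that is not from the talk or from Net::OpenID::Consumer: the provider signs the assertion's fields with HMAC-SHA1 under the association's MAC key, and the consumer recomputes that signature and also ties the assertion to the expected return_to, association handle and claimed identity. The MAC key, handle and URLs are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample values: in the real flow MAC_KEY comes out of the Diffie-Hellman
# association (slide 42) and HANDLE is the provider's name for that association.
MAC_KEY = b"constructed-20-byte-mac-key!"
HANDLE = "assoc-constructed-0001"
RETURN_TO = "http://chris.vertonghen.org/openid-check.mhtml?return=true"
CLAIMED = "http://vertonghen.myopenid.com/"
SIGNED = ["mode", "identity", "return_to"]  # fields the signature must cover

def kv_form(args, fields):
    """OpenID 1.1 signature input: 'field:value\\n' per signed field, in the listed order."""
    return "".join(f"{f}:{args['openid.' + f]}\n" for f in fields).encode()

def sign(mac_key, args, fields):
    """Provider side: base64(HMAC-SHA1(mac_key, key-value form of the signed fields))."""
    return base64.b64encode(hmac.new(mac_key, kv_form(args, fields), hashlib.sha1).digest()).decode()

def provider_redirect(identity):
    """Query string the provider appends to return_to for a positive assertion (constructed)."""
    args = {"openid.mode": "id_res", "openid.identity": identity,
            "openid.return_to": RETURN_TO, "openid.assoc_handle": HANDLE,
            "openid.signed": ",".join(SIGNED)}
    args["openid.sig"] = sign(MAC_KEY, args, SIGNED)
    return urlencode(args)

def verify_assertion(mac_key, handle, return_to, claimed, query):
    """Consumer side: accept the redirect back only if every check passes."""
    args = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if args.get("openid.mode") != "id_res":
        return False
    if args.get("openid.assoc_handle") != handle:
        return False  # not our association; a real consumer would fall back to check_authentication
    fields = args.get("openid.signed", "").split(",")
    if not set(SIGNED) <= set(fields):
        return False  # identity and return_to must be under the signature
    try:
        expected = hmac.new(mac_key, kv_form(args, fields), hashlib.sha1).digest()
        given = base64.b64decode(args.get("openid.sig", ""), validate=True)
    except (KeyError, ValueError):
        return False  # a signed field is missing, or the signature is not valid base64
    if not hmac.compare_digest(expected, given):
        return False  # forged or tampered assertion
    # The signature is genuine; now bind it to this particular login attempt.
    return args["openid.return_to"] == return_to and args["openid.identity"] == claimed
```

A valid signature alone is not enough: an assertion signed for a different identity, or for a different return_to, still verifies cryptographically, which is why the last line compares both against what this consumer started the login with.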
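Slides 41, 53 and 54: the site fetches the claimed URL's HTML to find the identity provider, and a personal domain can delegate to a provider you trust. An added Python example (not the talk's code) of that OpenID 1.1 discovery: it reads the openid.server and openid.delegate link tags from the page head, refuses non-http(s) endpoints because the fetched page is untrusted input (the same concern behind the slide's LWPx::ParanoidAgent), and builds the checkid_setup redirect of slide 43. The HTML and the provider endpoint are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Constructed HTML for a personal domain (slide 53) that delegates to a provider the
# owner trusts (slide 54).  The provider endpoint is made up; it is not myopenid's real one.
PERSONAL_PAGE = b"""<html><head><title>Chris</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="http://vertonghen.myopenid.com/">
</head><body>hello</body></html>"""

class OpenIDLinks(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> in <head> (OpenID 1.1 discovery)."""
    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False  # discovery only looks at <head>
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
            if rel in ("openid.server", "openid.delegate") and a.get("href"):
                self.links.setdefault(rel, a["href"])  # first occurrence wins

def discover(html_bytes, claimed_url):
    """Return (provider endpoint, identity to send to it); raise if the page is unusable."""
    p = OpenIDLinks()
    p.feed(html_bytes.decode("utf-8", "replace"))
    server = p.links.get("openid.server")
    # The page is user-controlled input: only an http(s) endpoint may be contacted.
    if not server or urlsplit(server).scheme not in ("http", "https"):
        raise ValueError("no usable openid.server endpoint")
    # Without a delegate the identity sent to the provider is the claimed URL itself.
    return server, p.links.get("openid.delegate", claimed_url)

def checkid_setup_url(claimed_url, html_bytes, return_to, trust_root):
    """Build the redirect that sends the user to the provider (slide 43)."""
    server, local_id = discover(html_bytes, claimed_url)
    query = urlencode({"openid.mode": "checkid_setup", "openid.identity": local_id,
                       "openid.return_to": return_to, "openid.trust_root": trust_root})
    return server + ("&" if "?" in server else "?") + query
```

The claimed identity the site remembers stays http://chris.vertonghen.org/; only the identity handed to the provider is the delegate, so switching providers later means editing two link tags on your own page. OpenID 2.0 uses openid2.provider and openid2.local_id link tags (and XRDS documents) for the same purpose.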