OpenID Authentication by example

OpenID Authentication by example BPW2007 chrisv.cpan.org (introductory slides: thanks to Simon Willison) Saturday 27 October 2007 1

usernames & passwords suck Saturday 27 October 2007 2

signing up for new accounts is a pain Saturday 27 October 2007 3

my online identity exists in multiple (hard to manage) places Saturday 27 October 2007 4

user database theft Saturday 27 October 2007 5

password/cc info theft Saturday 27 October 2007 6

too much passwords, too much userids Saturday 27 October 2007 7

we need single signon Saturday 27 October 2007 8

uniﬁed, trusted identity Saturday 27 October 2007 9

OpenID is a decentralized mechanism for single signon Saturday 27 October 2007 10

OpenID is a URL Saturday 27 October 2007 11

http://vertonghen.livejournal.com Saturday 27 October 2007 12

http://vertonghen.myopenid.com Saturday 27 October 2007 13

http://chris.vertonghen.org Saturday 27 October 2007 14

The OpenID protocol lets you prove that you own a speciﬁc URL Saturday 27 October 2007 15

An OpenID can be used as an authentiation credential Saturday 27 October 2007 16

Site: “Who are you?” Saturday 27 October 2007 17

Me: “I’m chris.vertonghen.org” Saturday 27 October 2007 18

Site: “Prove it” Saturday 27 October 2007 19

(some magic happens) Saturday 27 October 2007 20

Site: “ok you’re in!” Saturday 27 October 2007 21

Picking an OpenID is like picking an email provider - you ﬁnd one that you trust Saturday 27 October 2007 22

If you have the ability to run your own server software, you can do so yourself Saturday 27 October 2007 23

http://www.wooblelab.com/ (demo) Saturday 27 October 2007 24

So my users don’t have to sign up for an account? Saturday 27 October 2007 25

Not necessarily Saturday 27 October 2007 26

An OpenID tells you very little about a user Saturday 27 October 2007 27

You don’t know their name Saturday 27 October 2007 28

You don’t know their e-mail address Saturday 27 October 2007 29

You don’t know if they’re a person or an evil robot Saturday 27 October 2007 30

You have to ask them! Saturday 27 October 2007 31

OpenID can help them answer Saturday 27 October 2007 32

(demo) http://www.welovelocal.com/ Saturday 27 October 2007 33

So how does OpenID work? Saturday 27 October 2007 34

Saturday 27 October 2007 35

Use multiple OpenIDs to maintain multiple online personas Saturday 27 October 2007 37

professional social secret ... Saturday 27 October 2007 38

OpenID and web service APIs naturally complement each other Saturday 27 October 2007 39

Me: “I’m vertonghen.myopenid.com” Saturday 27 October 2007 40

Site fetches HTML, discovers identity provider Saturday 27 October 2007 41

Establishes shared secret with identity provider (Using Difﬁe-Hellman key exchange) Saturday 27 October 2007 42

Redirects you to the identity provider Saturday 27 October 2007 43

when you’re logged in there, you get redirected back Saturday 27 October 2007 44

How does my identity provider know who I am? Saturday 27 October 2007 45

OpenID deliberately doesn’t specify Saturday 27 October 2007 46

username/password is common Saturday 27 October 2007 47

But providers can use other methods if they want to Saturday 27 October 2007 48

Client SSL certiﬁcates Saturday 27 October 2007 49

Out of band authentication via SMS, e-mail or Jabber Saturday 27 October 2007 50

No authentication at all (just say “Yes”) (which is the OpenID version of bugmenot.com) Saturday 27 October 2007 51

What if I decide I suddenly hate my provider? Saturday 27 October 2007 52

Use your own domain name Saturday 27 October 2007 53

and delegate to a provider you trust Saturday 27 October 2007 54

perl OpenID client Saturday 27 October 2007 57

Net::OpenID::Consumer by Brad Fitzpatrick (of course) Saturday 27 October 2007 58

use Net::OpenID::Consumer; my $csr = Net::OpenID::Consumer->new( ua => LWPx::ParanoidAgent->new, cache => Some::Cache->new, args => $cgi, consumer_secret => ..., required_root => quot;http://chris.vertonghen.org/quot;, ); # a user entered, say, quot;bradfitz.comquot; as their identity. The first # step is to fetch that page, parse it, and get a # Net::OpenID::ClaimedIdentity object: my $claimed_identity = $csr->claimed_identity(quot;bradfitz.comquot;); # now your app has to send them at their identity server's endpoint # to get redirected to either a positive assertion that they own # that identity, or where they need to go to login/setup trust/etc. my $script_name = quot;http://quot; . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'}; my $check_url = $claimed_identity->check_url( return_to => $script_name . quot;?return=true&hurl=$hurl&oid=quot; . $m->interp()->apply_escapes($identity), trust_root => quot;http://chris.vertonghen.org/quot;, ); # so you send the user off there, and then they come back to # openid-check.mhtml, then you see what the identity server said; if ($return) { if ( $setup_url = $openid_con->user_setup_url ) { print $m->redirect($setup_url); } elsif ( $verify_identity = $openid_con->verified_identity ) { $verified_url = $verify_identity->url; print 'Congratulations your identity has been verified.<BR><BR>'; } elsif ( $openid_con->user_cancel ) { $m->redirect('http://chris.vertonghen.org/auth.html'); #use the file name of the login page } else { print quot;<BR><h1>Validation Error</h1>quot;; print 'There was an error in validating your identity. The error was ', $openid_con->err . quot;<BR><BR>Please <a href=quot;javascript: history.go(-1);quot;>go back and try again</a>.<BR><BR>quot;; } } Saturday 27 October 2007 59

Thank you. Questions? Saturday 27 October 2007 60

http://www.slideshare.net	113
http://localhost	98
http://translate.googleusercontent.com	2
http://localhost.com	1

OpenID Authentication by example

by Chris Vertonghen

Accessibility

Categories

Upload Details

Usage Rights

4 Embeds 214

Statistics

OpenID Authentication by example Presentation Transcript