OpenID Authentication by example

    OpenID Authentication by example - Presentation Transcript

    1. OpenID Authentication by example BPW2007 chrisv.cpan.org (introductory slides: thanks to Simon Willison) Saturday 27 October 2007 1
    2. usernames & passwords suck
    3. signing up for new accounts is a pain
    4. my online identity exists in multiple (hard to manage) places
    5. user database theft
    6. password/cc info theft
    7. too many passwords, too many userids
    8. we need single signon
    9. unified, trusted identity
    10. OpenID is a decentralized mechanism for single signon
    11. OpenID is a URL
    12. http://vertonghen.livejournal.com
    13. http://vertonghen.myopenid.com
    14. http://chris.vertonghen.org
    15. The OpenID protocol lets you prove that you own a specific URL
    16. An OpenID can be used as an authentication credential
    17. Site: “Who are you?”
    18. Me: “I’m chris.vertonghen.org”
    19. Site: “Prove it”
    20. (some magic happens)
    21. Site: “ok you’re in!”
    22. Picking an OpenID is like picking an email provider - you find one that you trust
    23. If you have the ability to run your own server software, you can do so yourself
    24. http://www.wooblelab.com/ (demo)
    25. So my users don’t have to sign up for an account?
    26. Not necessarily
    27. An OpenID tells you very little about a user
    28. You don’t know their name
    29. You don’t know their e-mail address
    30. You don’t know if they’re a person or an evil robot
    31. You have to ask them!
    32. OpenID can help them answer
    33. (demo) http://www.welovelocal.com/
    34. So how does OpenID work?
    37. Use multiple OpenIDs to maintain multiple online personas
    38. professional, social, secret ...
    39. OpenID and web service APIs naturally complement each other
    40. Me: “I’m vertonghen.myopenid.com”
    41. Site fetches HTML, discovers identity provider
    42. Establishes shared secret with identity provider (using Diffie-Hellman key exchange)
    43. Redirects you to the identity provider
    44. When you’re logged in there, you get redirected back
    45. How does my identity provider know who I am?
    46. OpenID deliberately doesn’t specify
    47. username/password is common
    48. But providers can use other methods if they want to
    49. Client SSL certificates
    50. Out of band authentication via SMS, e-mail or Jabber
    51. No authentication at all (just say “Yes”) (which is the OpenID version of bugmenot.com)
    52. What if I decide I suddenly hate my provider?
    53. Use your own domain name
    54. and delegate to a provider you trust
    57. Perl OpenID client
    58. Net::OpenID::Consumer by Brad Fitzpatrick (of course)
    59.
        use LWPx::ParanoidAgent;
        use Net::OpenID::Consumer;

        # $m is the HTML::Mason request object; $cgi, $return, $hurl and
        # $identity come from the enclosing Mason component (not shown on the slide).
        my $csr = Net::OpenID::Consumer->new(
            ua              => LWPx::ParanoidAgent->new,    # refuses to fetch internal/private hosts
            cache           => Some::Cache->new,
            args            => $cgi,
            consumer_secret => ...,
            required_root   => "http://chris.vertonghen.org/",
        );

        # a user entered, say, "bradfitz.com" as their identity. The first
        # step is to fetch that page, parse it, and get a
        # Net::OpenID::ClaimedIdentity object:
        my $claimed_identity = $csr->claimed_identity("bradfitz.com");

        # now your app has to send them at their identity server's endpoint
        # to get redirected to either a positive assertion that they own
        # that identity, or where they need to go to login/setup trust/etc.
        my $script_name = "http://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'};
        my $check_url = $claimed_identity->check_url(
            # the 'u' flag makes Mason URL-escape the identity
            return_to  => $script_name . "?return=true&hurl=$hurl&oid="
                          . $m->interp->apply_escapes($identity, 'u'),
            trust_root => "http://chris.vertonghen.org/",
        );

        # so you send the user off there, and then they come back to
        # openid-check.mhtml, then you see what the identity server said;
        if ($return) {
            if ( my $setup_url = $csr->user_setup_url ) {
                $m->redirect($setup_url);
            }
            elsif ( my $verify_identity = $csr->verified_identity ) {
                my $verified_url = $verify_identity->url;
                print 'Congratulations your identity has been verified.<BR><BR>';
            }
            elsif ( $csr->user_cancel ) {
                $m->redirect('http://chris.vertonghen.org/auth.html');    # use the file name of the login page
            }
            else {
                print "<BR><h1>Validation Error</h1>";
                # HTML-escape the library's error text before writing it into the page
                print 'There was an error in validating your identity. The error was ',
                    $m->interp->apply_escapes($csr->err, 'h')
                    . "<BR><BR>Please <a href=\"javascript: history.go(-1);\">go back and try again</a>.<BR><BR>";
            }
        }
    60. Thank you. Questions?
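
Slides 41 and 53-54 describe discovery and delegation: the site fetches the HTML behind the claimed URL and reads which identity provider speaks for it. The Perl below is an added example, not code from the presentation or from Net::OpenID::Consumer; it assumes the OpenID 1.x `openid.server` / `openid.delegate` link relations and the HTML::Parser module, and the function name `discover_openid`, the sample page and the `.example` hosts are constructed for illustration.

```perl
use strict;
use warnings;
use HTML::Parser;

# OpenID 1.x discovery over an already-fetched identity page.
# Only <link> elements inside <head> count: a matching tag further down the
# page (for example inside a visitor's comment) must not redirect the login.
sub discover_openid {
    my ($html) = @_;
    my (%found, $in_head);
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [ sub {
            my ($self, $tag, $attr) = @_;
            if ($tag eq 'head') { $in_head = 1; return }
            if ($tag eq 'body') { $self->eof; return }    # stop: head is over
            return unless $in_head && $tag eq 'link';
            my $href = $attr->{href};
            return unless defined $href && $href =~ m{^https?://}i;
            # rel may hold several space-separated values; first match wins
            for my $rel (split ' ', lc($attr->{rel} // '')) {
                $found{$rel} //= $href if $rel =~ /^openid\.(?:server|delegate)$/;
            }
        }, 'self, tagname, attr' ],
        end_h => [ sub { $_[0]->eof if $_[1] eq 'head' }, 'self, tagname' ],
    );
    # parse() returns false once a handler has called eof()
    $p->eof if $p->parse($html);
    return \%found;
}

# Constructed sample: the owner's delegation tags in <head>, plus a
# look-alike tag in the body that discovery has to skip.
my $page = <<'HTML';
<html><head>
<title>chris.vertonghen.org</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="http://vertonghen.myopenid.com/">
</head><body>
<p>comment: <link rel="openid.server" href="http://untrusted.example/server"></p>
</body></html>
HTML

my $links = discover_openid($page);
printf "%-16s %s\n", $_, $links->{$_} for sort keys %$links;
```

A page with no explicit `<head>` yields no links, so discovery fails closed rather than trusting markup from the body.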

    + chrisvchrisv, 3 years ago
