OpenID Authentication by example

OpenID is a new way to identify yourself all over the web. With your own personal OpenID you can log in to any OpenID-enabled site (there are over 1,000 of them and that number is growing every day) and identify yourself as you.

This is a short by-example talk about OpenID, what it does and what it can provide for your website. The talk includes a sample implementation in Perl.

(talk given at the Belgian Perl Workshop 2007; the slide footer dates it Saturday 27 October 2007)

Presentation Transcript

  • OpenID Authentication by example, BPW2007, chrisv.cpan.org (introductory slides: thanks to Simon Willison). Saturday 27 October 2007, slide 1
  • usernames & passwords suck
  • signing up for new accounts is a pain
  • my online identity exists in multiple (hard to manage) places
  • user database theft
  • password/cc info theft
  • too many passwords, too many user IDs
  • we need single sign-on
  • unified, trusted identity
  • OpenID is a decentralized mechanism for single sign-on
  • OpenID is a URL
  • http://vertonghen.livejournal.com
  • http://vertonghen.myopenid.com
  • http://chris.vertonghen.org
  • The OpenID protocol lets you prove that you own a specific URL
  • An OpenID can be used as an authentication credential
  • Site: “Who are you?”
  • Me: “I’m chris.vertonghen.org”
  • Site: “Prove it”
  • (some magic happens)
  • Site: “ok you’re in!”
  • Picking an OpenID is like picking an email provider: you find one that you trust
  • If you have the ability to run your own server software, you can do so yourself
  • http://www.wooblelab.com/ (demo)
  • So my users don’t have to sign up for an account?
  • Not necessarily
  • An OpenID tells you very little about a user
  • You don’t know their name
  • You don’t know their e-mail address
  • You don’t know if they’re a person or an evil robot
  • You have to ask them!
  • OpenID can help them answer
  • (demo) http://www.welovelocal.com/
  • So how does OpenID work?
  • (two diagram slides, no transcript text)
  • Use multiple OpenIDs to maintain multiple online personas
  • professional, social, secret ...
  • OpenID and web service APIs naturally complement each other
  • Me: “I’m vertonghen.myopenid.com”
  • Site fetches HTML, discovers identity provider
  • Establishes shared secret with identity provider (using Diffie-Hellman key exchange)
  • Redirects you to the identity provider
  • when you’re logged in there, you get redirected back
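The "magic" between "Prove it" and "ok you're in" is the signature on the redirect back. The following is an added example, not code from the talk or from Net::OpenID::Consumer: it shows the OpenID 1.1 assertion the provider sends (signed with the association secret from the Diffie-Hellman step) and the checks the site has to run on it before trusting openid.identity. The MAC key, the association handle and the URLs are constructed for the illustration; 1.1 is assumed because that is what Net::OpenID::Consumer spoke in 2007.

```perl
#!/usr/bin/perl
# OpenID 1.1 positive assertion: the provider signs, the consumer verifies.
# Added example, not code from the talk. Key, handle and fields are constructed.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# The 20-byte MAC key both sides hold after association (agreed via
# Diffie-Hellman, or sent in the clear over TLS). Constructed value.
my $mac_key = pack 'H*', '0f0e0d0c0b0a09080706050403020100deadbeef';

# The consumer stores secrets by handle; an assertion naming a handle it never
# issued must be rejected (or fall back to check_authentication), never guessed.
my %association = ( 'hmac-1' => $mac_key );

# OpenID 1.1 signs "name:value\n" for each name in openid.signed, in that
# order, without the "openid." prefix.
sub signed_kv {
    my ($p) = @_;
    return join '', map { "$_:" . $p->{"openid.$_"} . "\n" }
                    split /,/, $p->{'openid.signed'};
}

sub sign_assertion {
    my ( $p, $key ) = @_;
    return encode_base64( hmac_sha1( signed_kv($p), $key ), '' );
}

# Compare MACs without an early exit so timing does not leak how many bytes matched.
sub same_bytes {
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_assertion {
    my ( $p, $expected_return_to, $expected_identity ) = @_;
    return ( 0, 'not id_res' ) unless ( $p->{'openid.mode'} // '' ) eq 'id_res';
    my $key = $association{ $p->{'openid.assoc_handle'} // '' }
        or return ( 0, 'unknown assoc_handle' );
    my %signed = map { $_ => 1 } split /,/, ( $p->{'openid.signed'} // '' );
    # Anything outside openid.signed can be rewritten by whoever carries the
    # redirect (the user's browser), so identity and return_to must be covered.
    for my $f (qw(identity return_to)) {
        return ( 0, "$f is not signed" ) unless $signed{$f};
    }
    return ( 0, 'return_to mismatch' ) if ( $p->{'openid.return_to'} // '' ) ne $expected_return_to;
    return ( 0, 'identity mismatch' )  if ( $p->{'openid.identity'}  // '' ) ne $expected_identity;
    my $got = decode_base64( $p->{'openid.sig'} // '' );
    return same_bytes( $got, hmac_sha1( signed_kv($p), $key ) )
        ? ( 1, 'ok' ) : ( 0, 'bad signature' );
}

# Provider side: what the IdP appends to return_to when it redirects back.
my %assertion = (
    'openid.mode'         => 'id_res',
    'openid.identity'     => 'http://vertonghen.myopenid.com/',
    'openid.return_to'    => 'http://www.example.com/openid-check.mhtml?return=true',
    'openid.assoc_handle' => 'hmac-1',
    'openid.signed'       => 'mode,identity,return_to',
);
$assertion{'openid.sig'} = sign_assertion( \%assertion, $mac_key );

# Consumer side: the genuine response passes, the same response with the
# identity swapped in the browser fails on the signature.
my @ok  = verify_assertion( \%assertion, $assertion{'openid.return_to'}, 'http://vertonghen.myopenid.com/' );
my %forged = ( %assertion, 'openid.identity' => 'http://someone-else.example/' );
my @bad = verify_assertion( \%forged, $forged{'openid.return_to'}, 'http://someone-else.example/' );
print "genuine: $ok[1]\nforged:  $bad[1]\n";
```

The expected identity passed to verify_assertion is the URL the site found during discovery (after delegation, the delegate URL), not whatever the browser brought back; the return_to check is what Net::OpenID::Consumer's required_root option enforces for you.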
  • How does my identity provider know who I am?
  • OpenID deliberately doesn’t specify
  • username/password is common
  • But providers can use other methods if they want to
  • Client SSL certificates
  • Out-of-band authentication via SMS, e-mail or Jabber
  • No authentication at all (just say “Yes”) (which is the OpenID version of bugmenot.com)
  • What if I decide I suddenly hate my provider?
  • Use your own domain name
  • and delegate to a provider you trust
  • (two slides of example markup, no transcript text)
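Delegation works because the site discovers the provider from your own page (slide 41: "Site fetches HTML, discovers identity provider"). The following is an added example, not code from the talk: a minimal OpenID 1.1 HTML discovery routine run over a constructed page that delegates to a myopenid.com identity, the way chris.vertonghen.org could (the markup is made up for this illustration, not the real page's). It shows which two link tags do the delegating, why only the head of the page may be consulted, and which URL then has to go to the provider.

```perl
#!/usr/bin/perl
# OpenID 1.1 HTML discovery with delegation. Added example, not code from the
# talk; the sample page below is constructed, not real markup.
use strict;
use warnings;

# Turn what the user typed ("bradfitz.com") into a claimed identifier URL.
sub normalize_identity {
    my ($input) = @_;
    $input =~ s/^\s+|\s+$//g;
    $input = "http://$input" unless $input =~ m{^https?://}i;
    $input .= '/' unless $input =~ m{^https?://[^/]+/};
    return $input;
}

# One attribute value out of a tag's attribute string, or undef.
sub attr {
    my ( $attrs, $name ) = @_;
    return $1 // $2 // $3
        if $attrs =~ m{\b\Q$name\E\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))}i;
    return;
}

# Pull openid.server / openid.delegate out of the fetched page. Returns undef
# when the page carries no usable OpenID server link.
sub discover {
    my ($html) = @_;
    # Only <head> counts: a <link> in the body could come from user-supplied
    # content (a blog comment) and would redirect the login to an attacker.
    my ($head) = $html =~ m{<head\b[^>]*>(.*?)</head>}is or return;
    my %link;
    while ( $head =~ m{<link\b([^>]*)>}gis ) {
        my $attrs = $1;
        my $rel  = attr( $attrs, 'rel' );
        my $href = attr( $attrs, 'href' );
        next unless defined $rel && defined $href;
        # rel may carry several tokens, e.g. "openid.server openid2.provider"
        for my $token ( split /\s+/, lc $rel ) {
            $link{$token} //= $href;    # first occurrence wins
        }
    }
    return unless defined $link{'openid.server'};
    # Only absolute http(s) endpoints are acceptable; javascript:, file: or a
    # relative path is an attack surface, not a provider.
    for my $k ( grep { defined $link{$_} } qw(openid.server openid.delegate) ) {
        return unless $link{$k} =~ m{^https?://}i;
    }
    return { server => $link{'openid.server'}, delegate => $link{'openid.delegate'} };
}

# The provider only knows the delegate URL, so that is what goes into
# openid.identity; the site keeps the mapping back to the claimed URL and must
# reject an assertion whose identity differs from what it discovered here.
sub provider_identity {
    my ( $claimed, $disc ) = @_;
    return $disc->{delegate} // $claimed;
}

my $claimed = normalize_identity('chris.vertonghen.org');
my $page = <<'HTML';    # constructed sample page
<html><head><title>chris</title>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://vertonghen.myopenid.com/">
</head><body>
<link rel="openid.server" href="http://evil.example/server">
</body></html>
HTML

my $disc = discover($page) or die "no OpenID server found for $claimed\n";
printf "claimed:  %s\nserver:   %s\nidentity: %s\n",
    $claimed, $disc->{server}, provider_identity( $claimed, $disc );
```

Switching providers then means editing the two link tags on your own domain; the claimed URL your accounts are keyed on never changes. A real consumer fetches the page with something like LWPx::ParanoidAgent, as the code slide does, so that a "claimed identity" pointing at an internal address cannot be used to make the server fetch it.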
  • perl OpenID client
  • Net::OpenID::Consumer by Brad Fitzpatrick (of course)
  • Code slide (the transcript's `quot;` is `"` in the original):

```perl
use strict;
use warnings;
use CGI;
use LWPx::ParanoidAgent;
use Net::OpenID::Consumer;

# $m (the HTML::Mason request object), $hurl, $identity and $return come from
# the surrounding Mason component; $consumer_secret is a long random string
# kept server-side (its value is left out on the slide).
my $cgi = CGI->new;
my $csr = Net::OpenID::Consumer->new(
    ua              => LWPx::ParanoidAgent->new,   # refuses to fetch private/internal addresses
    cache           => Some::Cache->new,
    args            => $cgi,
    consumer_secret => $consumer_secret,
    required_root   => "http://chris.vertonghen.org/",   # return_to must sit under this root
);

# A user entered, say, "bradfitz.com" as their identity. The first step is to
# fetch that page, parse it, and get a Net::OpenID::ClaimedIdentity object:
my $claimed_identity = $csr->claimed_identity("bradfitz.com")
    or die "discovery failed: " . $csr->err;

# Now your app has to send them to their identity server's endpoint, to be
# redirected back with either a positive assertion that they own that
# identity, or to where they need to go to login/setup trust/etc.
my $script_name = "http://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'};
my $check_url = $claimed_identity->check_url(
    # 'u' URL-escapes the value; with no flag apply_escapes() leaves it untouched
    return_to  => $script_name . "?return=true&hurl=$hurl&oid="
                  . $m->interp()->apply_escapes( $identity, 'u' ),
    trust_root => "http://chris.vertonghen.org/",
);

# So you send the user off there, and then they come back to
# openid-check.mhtml; then you see what the identity server said:
if ($return) {
    if ( my $setup_url = $csr->user_setup_url ) {
        # the provider wants the user to log in / approve this site first
        $m->redirect($setup_url);
    }
    elsif ( my $vident = $csr->verified_identity ) {
        # signature checked against the association secret, return_to
        # checked against required_root
        my $verified_url = $vident->url;
        print 'Congratulations your identity has been verified.<BR><BR>';
    }
    elsif ( $csr->user_cancel ) {
        $m->redirect('http://chris.vertonghen.org/auth.html');   # the login page
    }
    else {
        print "<BR><h1>Validation Error</h1>";
        # 'h' HTML-escapes the library's error text before it is echoed
        print 'There was an error in validating your identity. The error was ',
            $m->interp()->apply_escapes( $csr->err, 'h' ),
            "<BR><BR>Please <a href=\"javascript: history.go(-1);\">go back and try again</a>.<BR><BR>";
    }
}
```

  • Thank you. Questions?