OpenID Authentication by example

OpenID is a new way to identify yourself all over the web. With your own personal OpenID you can login to any OpenID-enabled site (there are over 1,000 of them and that number is growing everyday) and identify yourself as you.

This is a short by-example talk about OpenID, what it does and can provide for your website. The talk includes a sample implementation in perl.

(talk given at Belgian Perl Workshop, 27 November 2007)

OpenID Authentication by example Presentation Transcript

  • 1. OpenID Authentication by example BPW2007 chrisv.cpan.org (introductory slides: thanks to Simon Willison) Saturday 27 October 2007 1
  • 2. usernames & passwords suck
  • 3. signing up for new accounts is a pain
  • 4. my online identity exists in multiple (hard to manage) places
  • 5. user database theft
  • 6. password/cc info theft
  • 7. too many passwords, too many user IDs
  • 8. we need single signon
  • 9. unified, trusted identity
  • 10. OpenID is a decentralized mechanism for single signon
  • 11. OpenID is a URL
  • 12. http://vertonghen.livejournal.com
  • 13. http://vertonghen.myopenid.com
  • 14. http://chris.vertonghen.org
  • 15. The OpenID protocol lets you prove that you own a specific URL
  • 16. An OpenID can be used as an authentication credential
  • 17. Site: “Who are you?”
  • 18. Me: “I’m chris.vertonghen.org”
  • 19. Site: “Prove it”
  • 20. (some magic happens)
  • 21. Site: “ok you’re in!”
  • 22. Picking an OpenID is like picking an email provider - you find one that you trust
  • 23. If you have the ability to run your own server software, you can do so yourself
  • 24. http://www.wooblelab.com/ (demo)
  • 25. So my users don’t have to sign up for an account?
  • 26. Not necessarily
  • 27. An OpenID tells you very little about a user
  • 28. You don’t know their name
  • 29. You don’t know their e-mail address
  • 30. You don’t know if they’re a person or an evil robot
  • 31. You have to ask them!
  • 32. OpenID can help them answer
  • 33. (demo) http://www.welovelocal.com/
  • 34. So how does OpenID work?
  • 35. (image slide, no transcript text)
  • 36. (image slide, no transcript text)
  • 37. Use multiple OpenIDs to maintain multiple online personas
  • 38. professional, social, secret ...
  • 39. OpenID and web service APIs naturally complement each other
  • 40. Me: “I’m vertonghen.myopenid.com”
  • 41. Site fetches HTML, discovers identity provider
  • 42. Establishes shared secret with identity provider (using Diffie-Hellman key exchange)
  • 43. Redirects you to the identity provider
  • 44. When you’re logged in there, you get redirected back
  • 45. How does my identity provider know who I am?
  • 46. OpenID deliberately doesn’t specify
  • 47. username/password is common
  • 48. But providers can use other methods if they want to
  • 49. Client SSL certificates
  • 50. Out-of-band authentication via SMS, e-mail or Jabber
  • 51. No authentication at all (just say “Yes”) (which is the OpenID version of bugmenot.com)
  • 52. What if I decide I suddenly hate my provider?
  • 53. Use your own domain name
  • 54. and delegate to a provider you trust
  • 55. (image slide, no transcript text)
  • 56. (image slide, no transcript text)
  • 57. perl OpenID client
  • 58. Net::OpenID::Consumer by Brad Fitzpatrick (of course)
  • 59.
        use CGI;
        use LWPx::ParanoidAgent;
        use Net::OpenID::Consumer;

        # $m (the Mason request object), $return, $hurl and $identity come from
        # the component's <%args> block; this runs inside openid-check.mhtml.
        my $cgi = CGI->new;
        my $csr = Net::OpenID::Consumer->new(
            ua              => LWPx::ParanoidAgent->new,   # refuses to fetch internal/private addresses
            cache           => Some::Cache->new,           # any object with get/set methods
            args            => $cgi,
            consumer_secret => ...,                        # (elided on the slide) long random secret, signs the return_to nonce
            required_root   => "http://chris.vertonghen.org/",
        );

        # A user entered, say, "bradfitz.com" as their identity. The first
        # step is to fetch that page, parse it, and get a
        # Net::OpenID::ClaimedIdentity object:
        my $claimed_identity = $csr->claimed_identity("bradfitz.com")
            or die "discovery failed: " . $csr->err;

        # Now your app has to send them to their identity server's endpoint,
        # to get redirected to either a positive assertion that they own
        # that identity, or to where they need to go to login/setup trust/etc.
        my $script_name = "http://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'};
        my $check_url = $claimed_identity->check_url(
            return_to  => $script_name . "?return=true&hurl=$hurl&oid="
                          . $m->interp()->apply_escapes($identity, 'u'),   # 'u' = URL-escape (Mason)
            trust_root => "http://chris.vertonghen.org/",
        );

        # So you send the user off there; when they come back to
        # openid-check.mhtml you see what the identity server said:
        if ($return) {
            if ( my $setup_url = $csr->user_setup_url ) {
                # the provider wants the user to log in / approve this site first
                $m->redirect($setup_url);
            }
            elsif ( my $verified = $csr->verified_identity ) {
                my $verified_url = $verified->url;
                print 'Congratulations, your identity has been verified.<BR><BR>';
            }
            elsif ( $csr->user_cancel ) {
                $m->redirect('http://chris.vertonghen.org/auth.html');   # the login page
            }
            else {
                print "<BR><h1>Validation Error</h1>";
                print 'There was an error in validating your identity. The error was ',
                      $csr->err,
                      qq{<BR><BR>Please <a href="javascript: history.go(-1);">go back and try again</a>.<BR><BR>};
            }
        }
  • 60. Thank you. Questions?
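The flow on slides 41 to 44 (fetch the identity page, discover the provider, redirect the user there, check what comes back) and the delegation trick on slides 53 and 54, as an added Python example. This is not code from the talk or from Net::OpenID::Consumer; it follows the OpenID 1.1 wire format (openid.server/openid.delegate link tags, checkid_setup, an id_res signed with HMAC-SHA1 over key-value form). The identity page, the provider's response and the MAC key are constructed: the key stands in for the one the Diffie-Hellman association on slide 42 would produce, and the URLs are the ones from the slides.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample of the HTML a relying party fetches from the user's
# identifier URL (slide 41). It delegates to a hosted provider (slides 53-54).
SAMPLE_IDENTITY_PAGE = """<html><head><title>chris.vertonghen.org</title>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://vertonghen.myopenid.com/">
</head><body>hello</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> hrefs."""

    def __init__(self):
        super().__init__()
        self.server = None
        self.delegate = None

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        if "openid.server" in rels and self.server is None:
            self.server = attr.get("href")
        if "openid.delegate" in rels and self.delegate is None:
            self.delegate = attr.get("href")


def discover(claimed_url, html):
    """Slide 41: return (provider endpoint, identity to send the provider).
    With delegation the provider is asked about the delegate URL."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    if not parser.server:
        raise ValueError("no openid.server <link> on the identity page")
    return parser.server, (parser.delegate or claimed_url)


def checkid_setup_url(server, identity, return_to, trust_root, assoc_handle):
    """Slide 43: the redirect that sends the user to the identity provider."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
        "openid.assoc_handle": assoc_handle,
    }
    return server + ("&" if "?" in server else "?") + urlencode(params)


def sign_response(mac_key, fields, signed):
    """OpenID 1.1 signature: HMAC-SHA1 over the key-value form of the signed
    fields, in openid.signed order, keyed with the association's MAC key."""
    kv = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)
    mac = hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_id_res(mac_key, assoc_handle, required_root, expected_identity, query):
    """Slide 44: check the id_res the browser brings back; None on any failure."""
    if query.get("openid.mode") != "id_res":
        return None
    if query.get("openid.assoc_handle") != assoc_handle:
        return None  # not signed under an association this site made
    if not query.get("openid.return_to", "").startswith(required_root):
        return None  # the required_root check from the slide's consumer setup
    if query.get("openid.identity") != expected_identity:
        return None  # assertion is about a different identity than we sent
    signed = query.get("openid.signed", "").split(",")
    if not {"mode", "identity", "return_to"} <= set(signed):
        return None  # an unsigned field could be rewritten on the way back
    try:
        expected_sig = sign_response(mac_key, query, signed)
    except KeyError:
        return None  # a field listed in openid.signed is missing
    if not hmac.compare_digest(expected_sig, query.get("openid.sig", "")):
        return None
    return query["openid.identity"]


def demo():
    """Run the whole flow against a constructed provider response."""
    mac_key = b"constructed-mac-key"  # stands in for the DH-agreed secret (slide 42)
    assoc_handle, root = "demo-assoc-handle", "http://chris.vertonghen.org/"
    server, identity = discover(root, SAMPLE_IDENTITY_PAGE)
    return_to = root + "openid-check.mhtml?return=true"
    redirect = checkid_setup_url(server, identity, return_to, root, assoc_handle)
    # Constructed positive assertion, as the provider would send it after login.
    response = {"openid.mode": "id_res", "openid.identity": identity,
                "openid.return_to": return_to, "openid.assoc_handle": assoc_handle,
                "openid.signed": "mode,identity,return_to"}
    response["openid.sig"] = sign_response(mac_key, response, ["mode", "identity", "return_to"])
    query = {k: v[0] for k, v in parse_qs(urlparse(return_to + "&" + urlencode(response)).query).items()}
    good = verify_id_res(mac_key, assoc_handle, root, identity, query)
    tampered = dict(query)  # return_to rewritten inside the trust root: signature no longer matches
    tampered["openid.return_to"] = root + "somewhere-else"
    bad = verify_id_res(mac_key, assoc_handle, root, identity, tampered)
    return server, identity, redirect, good, bad
```

`demo()` returns the discovered endpoint, the delegate identity that is actually sent to the provider, the checkid_setup redirect, the verified identity for the genuine response and `None` for the tampered one. The checks in `verify_id_res` are the ones the slide's `required_root` and `verified_identity` calls stand for: the association handle must be one this site created, the return_to must sit under the site's root, the identity must be the one discovery produced, and the signature must cover mode, identity and return_to before it is recomputed and compared in constant time.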