Your SlideShare is downloading. ×
OpenID Authentication
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

OpenID Authentication


Published on

Slides from the Google TechTalk (Zurich, Switzerland) in April 2007. A technical overview of OpenID. …

Slides from the Google TechTalk (Zurich, Switzerland) in April 2007. A technical overview of OpenID.

Originally posted:

Published in: Technology, Design

1 Comment
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Distributed SSO Cédric Hüsler CTO Google TechTalk Zürich - April 2007
  • 2. Quick Poll Who always use the same PW for every new account on a new site? Who has a blog? Who has an OpenID?
  • 3. BA BA SII SC CS prove you are really who you suppose to be S Authentication Username & Password Challenge-response Public-Private Key vs. what are you allowed to do Authorization ACL (Access Control List) RBAC (Role-based Access Control)
  • 4. BA BA SIIC S CS ability to uniquely identify yourself S Identity Your Name AHV-Nr / SSN Fingerprint vs. ability to control what others know about you Privacy Can you keep a secret? Virtualization Opt-in
  • 5. BA BA SII SC CS how much can I depend on you? S trust vs. control how much information am I going to give?
  • 6. BA BA SII SC CS S SSO Single-Sign-On   using the same automatic credentials to access authentication beyond multiple services session and service
  • 7. = Authentication Delegation = Identity Manager = Open API ≠ Authentication ≠ Trust
  • 8. Use a URL as user name! I own the domain: - why not using it as user name?
  • 9. Time for demo!
  • 10. Login Process Overview Download at
  • 11. ...with trusted site auto login on the identity provider
  • 12. HTTP Level - Part 1/3 User Agent <> RP GET: %site%/login.html POST: %site%/login with OpenID RP <> IdP GET: openid url mime:application/xrds+xml (Yadis Discovery) <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type></Type> <Type></Type> <URI></URI> <openid:Delegate></openid:Delegate> </Service> </XRD> </xrds:XRDS> Fallback: GET: openid url mime:*/*
  • 13. HTTP Level - Part 2/3 RP <> IdP (continued) ASSOCIATE REQUEST openid.dh_gen=Ag%3D%3D openid.session_type=DH-SHA1 openid.mode=associate openid.assoc_type=HMAC-SHA1 openid.dh_consumer_public=AMEJSFuaf%2Fi73z6uGonyKZUoIJQyI7PWSZJZBhACK8qQ48%2FIkplhKv%2BajPhSiNXz43%2Bb7nO% 2FyL86LQNlzNM3rFSP7nfAVoDZXUPyuQeacsCqg8vliMwTJUzu9MecZz4ngCgNLk8tOkBazhGJ7%2BCnx1g53dUVGvvV0LHMMMjUQMSo openid.dh_modulus=ANz5OguIOXLsDhmYmsWizjEOHTdxfo2Vcbt2I3MYZuYe91ouJ4mLBX% 2BYkcLiemOcPym2CBRYHNOyyjmG0mg3BVd9RcLn5S3IHHoXGHblzqdLFEi%2F368Ygo79JRnxTkXjgmY0rxlJ5bU1zIKaSDuKdiI% 2BXUkKJX8Fvf8W8vsixYOr ASSOCIATE RESPONSE assoc_type:HMAC-SHA1 assoc_handle:netmesh-u-1168177185-50172100 expires_in:2592000 session_type:DH-SHA1 dh_server_public:AIAkjwdpUn1lCHyQEzstI40wSnbsznGV/t+AepW/he/ChsS2N2WF9DTIpNyLtGBTECmF6w/ +DgtcjfVrujm1Z26CJBuwtDbJyL3rUCsqzn55RVCcM6QmBnRBD8q/5hbcI6jiBC9Nc78NfQywGE7YG3BCZZiT3Vz1etJAcRgPgUxJ enc_mac_key:eljydY56tUILU75CjytBwNF3Ec4=
  • 14. HTTP Level - Part 3/3 User Agent < RP REDIRECT TO IdP openid.mode=checkid_setup& openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk& openid.trust_root=http%3A%2F%2Flocalhost%3A3000%2Fauth& openid.assoc_handle=netmesh-u-1168177185-50172100 User Agent <> IdP DO THE LOGIN (not part of the OpenID spec) REDIRECT TO RP http://localhost:3000/auth/complete? nonce=Q5CG5Hfk& openid.mode=id_res& openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk& openid.assoc_handle=netmesh-u-1168177185-50172100& openid.signed=mode,identity,return_to,assoc_handle& openid.sig=c55qNAPI58pfRBDkVlRc5dbvnyU%3D
  • 15. Delegated Authentication My original OpenID: 1 Add these lines to the root HTML document of the domain “”: 2 <link rel=quot;openid.serverquot; href=quot;; /> <link rel=quot;openid.delegatequot; href=quot;http://keepthebyte.myopenid.comquot; /> <meta http-equiv=quot;X-XRDS-Locationquot; content=quot;; /> Now I can use my domain as my OpenID: 3
  • 16. ... Immediate Mode - “AJAX” Ask an IdP if a End User owns the Claimed Identifier, getting back an immediate quot;yesquot; or quot;can't sayquot; answer.
  • 17. ...Stateless (Dump Mode) Not recommended due Security Issue - Replay Attack - use SSL!
  • 18. Extension: Simple Registration Make OpenID more useful - Extension of OpenID 1.1 - Part of OpenID 2.0 (Attribute Exchange) Manage personal profile centrally on the Identity Provider Control what profile properties are allowed to be share with the site you like to login Screenshots from
  • 19. Extension: E-Mail as OpenID PR PR O O PO PO SA SA L!! L Make OpenID easier: URL 0 vs. Email 1 Proposal for OpenID 2.0 Enter Email in OpenID field: 1 2 Read the transformation template from the XRDS document Converted to URL before authentication: 3 Spec:
  • 20. Integration: Browser Make OpenID easier to use! Prevent Phishing! Firefox Add-ons: - Appalachian Download: - VeriSign’s OpenID Seatbelt On the roadmap for Firefox 3.0
  • 21. Integration: ??? H H YP YP E? E? Blog URL is the OpenID Microsoft announced it will integrate OpenID in CardSpace (WS-*) AOL provide an OpenID for all its users Web 2.0 Sites: Technorati, Ma.gnolia, Opinity, netvibes, Digg (soon) CMS/Blogs/Wiki: Wordpress, Drupal, MovableType, MediaWiki, phpbb
  • 22. Your action is required! READ The OpenID Case - in 4-pages by Kaliya Hamlin Specification at Open Source Libraries for PHP, Ruby, Java... PLAY OpenID Providers - - VeriSign PIP Y - (with Yahoo Auth) TR - List: A IT E IV G
  • 23. it? ot G That’s it Slides on: Links on: