Implementing



               David Recordon                                  Brian Ellin
            drecordon@verisign....
brief intro...and then
                    into the code


Realize not everyone is a developer, code won't scare you and w...
What is OpenID?
Single sign-on for the web
Simple and light-weight
(not going to replace your atm pin)

Easy to use and de...
Proves You Control a URI




  www.davidrecordon.com                                      brianellin.com
- OpenID comes fr...
the common things we hear



before we dig into techy stu
Been there, done that
Been there, done that

  Great for
                 Centralized   Centralized
the enterprise
...but do you really trust them?



In the enterprise you have little choice, if you want to keep your job
You might choos...
As Simon Willison said at FOWA - Would you really trust these men with your identity?
With OpenID, you get to
           choose who manages
               your identity.
                      (you can even ch...
This is a geek's toy,
nobody will ever have
    an OpenID!
~90 million OpenIDs
                             (including every AOL user)




                                          ...
Nobody will ever use this!
Total Relying Parties         (aka places you can use this stuff)




                                                    ...
So that's great there
are so many blogs, but
what about something
        real?
not just blogs, but also big open source projects
not just..., but also consumer services
not just..., but also large serv...
not just blogs, but also big open source projects
not just..., but also consumer services
not just..., but also large serv...
not just blogs, but also big open source projects
not just..., but also consumer services
not just..., but also large serv...
not just blogs, but also big open source projects
not just..., but also consumer services
not just..., but also large serv...
What's the big deal?
OpenID is another
                  important building
                       block.

Contact management sucks
 - which Jo...
Why should we add
OpenID to our feature
        list?
Simon Willison - FOWA 02/07

-   Startup fatigue
-   Light-weight accounts
-   Site specific hacks (AOL, LJ, Doxory)
-   Le...
TechCrunch and other blogs link to dozens of new
       startups each week...readers aren't going to make new
       accou...
TechCrunch and other blogs link to dozens of new
       startups each week...readers aren't going to make new
       accou...
TechCrunch and other blogs link to dozens of new
       startups each week...readers aren't going to make new
       accou...
TechCrunch and other blogs link to dozens of new
       startups each week...readers aren't going to make new
       accou...
How does it work?
    (protocol and flow)
Basic Terminology

                    OpenID Provider (OP) - Site that makes
                    assertions about an Open...
O
                                             M
           E
                         Using OpenID


          D
FireFox,...
O
                                             M
           E
OpenID Enabling Your Own URL


          D
FireFox, delegati...
O
           M
 E
Creating an OpenID with
    your own server


D
One file php script, configure, upload, and go!
* *************************************************************************** *
 * CONFIGURATION
 * **********************...
Hash My Password
* *************************************************************************** *
 * CONFIGURATION
 * **********************...
Configure Profile Data
$profile = array(
     'auth_username'   =    'david',
     'auth_password'   =    'e0fee9a99fa2fe004...
Upload
Configure Delegation
                           (source of www.davidrecordon.com)
html xmlns=http://www.w3.org/1999/xhtml
h...
Done!
Time to configure and upload phpMyID:

            5 minutes
    http://siege.org/projects/phpMyID/
OpenID Enabling ExpoCal

                              O
                            M
  E
               http://cal.web2e...
Tools Used

                     iCalicio by Kellan Elliot-McCrea and Evan
                     Henshaw-Plath
            ...
ExpoCal User Model
Stores login name and hashed password
We need to add an optional OpenID column

 1 class AddOpenId  Act...
Using the OpenID Library
          1 def consumer
          2   store_dir = Pathname.new(RAILS_ROOT).join('db').join('open...
Add OpenID UI

1 h2Or, login with OpenID/h2
2 %= start_form_tag(:controller='account', :action = 'openid_start') %
3   pla...
Handle Login Form Submit
        1 def openid_start
        2   openid_request = consumer.begin(params[:openid_identifier]...
Redirect to OpenID Provider
Handle Server Response
            1 def openid_finish
            2   openid_response = consumer.complete(params)
       ...
Done!
           Time to implement OpenID in iCalico:

                                 45 minutes
                       ...
So this all looks great,
   but what are the
     downsides?
Kitten Overload!


                   More kittens!




                          Simon Willison - FOWA 02/07
Kitten Overload!



                   FAKE   More kittens!




                                 Simon Willison - FOWA 02/07
Kitten Overload!


                          Identity theft!
                   FAKE         :'(




                     ...
You could just remove passwords



One possible solution
Client Side Certs




Brian: certs use cryptography to prove your identity to a website
without sharing any secrets like u...
Microsoft CardSpace




                                         (UI for certs)
Still to be seen if CS will be adopted, cu...
Vidoop




                              (changing the metaphor)
Removes the traditional password, very new technology (co...
...but passwords are still
       widely used
VeriSign's OpenID Seatbelt
         (demoing today)
Helps with simplifying the end user experience around OpenID login flows.
Checks SSL certs to let you know if you're at the right place before you type your shared
secret (password)
Helps user experience by letting you know who you're logged in as and automatically filling
in your OpenID (note delegation)
Protects you by looking at what is happening to your browser, not perfect but better than
what exists today.
Smart users w...
OpenID is great for innovation!
            (authentication method is up to the provider and user)




Jabber
Run your own...
I don't want just one
          identity...I mean I don't
          want my boss to know
                I'm a furry!

or ...
Well you don't wear your
          furry suit to work do you?


already solved in real life
So use multiple OpenIDs!
               (you already do this with email addresses today)




Solved problem, not a new one...
Go code!
(and join the conversation at OpenID.net)
Thanks!
                        (and don't forget to grab a CD)




               David Recordon                       Br...
Upcoming SlideShare
Loading in...5
×

Implementing OpenID

22,558

Published on

Short Background + Practical Tech Tutes (code) on how to implement OpenID.
by David Recordon and Brian Ellin

Published in: Technology
3 Comments
39 Likes
Statistics
Notes
No Downloads
Views
Total Views
22,558
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
852
Comments
3
Likes
39
Embeds 0
No embeds

No notes for slide

Implementing OpenID

  1. 1. Implementing David Recordon Brian Ellin drecordon@verisign.com brian@janrain.com Web 2.0 Expo April 15-18, 2007 More than just the two of us who are good resources, all about the community.
  2. 2. brief intro...and then into the code Realize not everyone is a developer, code won't scare you and will show just how easy OpenID is
  3. 3. What is OpenID? Single sign-on for the web Simple and light-weight (not going to replace your atm pin) Easy to use and deploy Open development process Decentralized (no single point of failure) Free!
  4. 4. Proves You Control a URI www.davidrecordon.com brianellin.com - OpenID comes from the blogosphere - Biggest problem with identity; namespace - OpenID solves this by using DNS, codifying a web address like email has already done - Your identity is a destination - You have a unique end-point on the Internet
  5. 5. the common things we hear before we dig into techy stu
  6. 6. Been there, done that
  7. 7. Been there, done that Great for Centralized Centralized the enterprise
  8. 8. ...but do you really trust them? In the enterprise you have little choice, if you want to keep your job You might choose to trust Six Apart, but then what if they are sold to someone you may not trust?
  9. 9. As Simon Willison said at FOWA - Would you really trust these men with your identity?
  10. 10. With OpenID, you get to choose who manages your identity. (you can even change your mind later) including no one but yourself
  11. 11. This is a geek's toy, nobody will ever have an OpenID!
  12. 12. ~90 million OpenIDs (including every AOL user) OpenID 1.1 - Estimated from various services certainly all don’t know they have one, but can even build UI custom to services you know provide them
  13. 13. Nobody will ever use this!
  14. 14. Total Relying Parties (aka places you can use this stuff) IIW L AO y nt s/ ou st /B ca T SF eb IIW IIW ip M W Sx 2,500 1,875 1,250 625 0 '05 ct ov ec '06 b ar r ay e ly g p ct ov ec '07 b ar h Ap Au n Fe Se Fe 7t Ju O O M M M D D N Ju N r1 p Jan Jan Se Ap OpenID 1.1 - As viewed by MyOpenID.com
  15. 15. So that's great there are so many blogs, but what about something real?
  16. 16. not just blogs, but also big open source projects not just..., but also consumer services not just..., but also large service providers and corporations Reebok - first large non-tech company to launch and OpenID enabled site
  17. 17. not just blogs, but also big open source projects not just..., but also consumer services not just..., but also large service providers and corporations Reebok - first large non-tech company to launch and OpenID enabled site
  18. 18. not just blogs, but also big open source projects not just..., but also consumer services not just..., but also large service providers and corporations Reebok - first large non-tech company to launch and OpenID enabled site
  19. 19. not just blogs, but also big open source projects not just..., but also consumer services not just..., but also large service providers and corporations Reebok - first large non-tech company to launch and OpenID enabled site
  20. 20. What's the big deal?
  21. 21. OpenID is another important building block. Contact management sucks - which John Doe - outdated information - no open way to share contact info in a privacy protecting manner Shared calendaring is hard Social networks are non-interoperable silos
  22. 22. Why should we add OpenID to our feature list?
  23. 23. Simon Willison - FOWA 02/07 - Startup fatigue - Light-weight accounts - Site specific hacks (AOL, LJ, Doxory) - Less overhead
  24. 24. TechCrunch and other blogs link to dozens of new startups each week...readers aren't going to make new accounts for every single one Simon Willison - FOWA 02/07 - Startup fatigue - Light-weight accounts - Site specific hacks (AOL, LJ, Doxory) - Less overhead
  25. 25. TechCrunch and other blogs link to dozens of new startups each week...readers aren't going to make new accounts for every single one Creates ability to email a friend saying, I've added you as an author to the blog I setup for our band Simon Willison - FOWA 02/07 - Startup fatigue - Light-weight accounts - Site specific hacks (AOL, LJ, Doxory) - Less overhead
  26. 26. TechCrunch and other blogs link to dozens of new startups each week...readers aren't going to make new accounts for every single one Creates ability to email a friend saying, I've added you as an author to the blog I setup for our band Site specific hacks...Login with your AOL OpenID and we'll send you updates over AIM Simon Willison - FOWA 02/07 - Startup fatigue - Light-weight accounts - Site specific hacks (AOL, LJ, Doxory) - Less overhead
  27. 27. TechCrunch and other blogs link to dozens of new startups each week...readers aren't going to make new accounts for every single one Creates ability to email a friend saying, I've added you as an author to the blog I setup for our band Site specific hacks...Login with your AOL OpenID and we'll send you updates over AIM If you're not managing passwords, you don't need to build as complex user management systems Simon Willison - FOWA 02/07 - Startup fatigue - Light-weight accounts - Site specific hacks (AOL, LJ, Doxory) - Less overhead
  28. 28. How does it work? (protocol and flow)
  29. 29. Basic Terminology OpenID Provider (OP) - Site that makes assertions about an OpenID Relying Party (RP) - Site that wants to verify ownership of an OpenID OP is often called server - myopenid.com, pip.verisignlabs.com, claimid, vidoop RP is often called a consumer - jyte, livejournal, ficlets, zooomr
  30. 30. O M E Using OpenID D FireFox, login to jyte.com using brian.myopenid.com
  31. 31. O M E OpenID Enabling Your Own URL D FireFox, delegating brianellin.com to brian.myopenid.com
  32. 32. O M E Creating an OpenID with your own server D
  33. 33. One file php script, configure, upload, and go!
  34. 34. * *************************************************************************** * * CONFIGURATION * *************************************************************************** * * You must change these values: * auth_username = login name * auth_password = md5(username:realm:password) * * Default username = 'test', password = 'test', realm = 'phpMyID' */ #$profile = array( # 'auth_username' = 'test', # 'auth_password' = '37fa04faebe5249023ed1f6cc867329b' #); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ #$sreg = array ( # 'nickname' = 'Joe', # 'email' = 'joe@example.com', # 'fullname' = 'Joe Example', # 'dob' = '1970-10-31', # 'gender' = 'M', # 'postcode' = '22000', # 'country' = 'US', # 'language' = 'en', # 'timezone' = 'America/New_York' #);
  35. 35. Hash My Password
  36. 36. * *************************************************************************** * * CONFIGURATION * *************************************************************************** * * You must change these values: * auth_username = login name * auth_password = md5(username:realm:password) * * Default username = 'test', password = 'test', realm = 'phpMyID' */ $profile = array( 'auth_username' = 'david', 'auth_password' = 'e0fee9a99fa2fe004bbd70b972a03aa1' ); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ #$sreg = array ( # 'nickname' = 'Joe', # 'email' = 'joe@example.com', # 'fullname' = 'Joe Example', # 'dob' = '1970-10-31', # 'gender' = 'M', # 'postcode' = '22000', # 'country' = 'US', # 'language' = 'en', # 'timezone' = 'America/New_York' #);
  37. 37. Configure Profile Data $profile = array( 'auth_username' = 'david', 'auth_password' = 'e0fee9a99fa2fe004bbd70b972a03aa1' ); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ $sreg = array ( 'nickname' = 'daveman692', 'email' = 'recordond@gmail.com', 'fullname' = 'David Recordon', 'dob' = '1986-09-04', 'gender' = 'M', 'postcode' = '941458', 'country' = 'US', 'language' = 'en', 'timezone' = 'America/Los_Angeles' ); while all personal info there, note I don't have to give it away every time
  38. 38. Upload
  39. 39. Configure Delegation (source of www.davidrecordon.com) html xmlns=http://www.w3.org/1999/xhtml head titleDavid Recordon/title style div { text-align: center; color: #C0C0C0; } img { border: 0px; } a { color: #C0C0C0; } /style link rel=openid.server href=http://www.davidrecordon.com/myid.php / link rel=openid.delegate href=http://www.davidrecordon.com/myid.php / /head
  40. 40. Done! Time to configure and upload phpMyID: 5 minutes http://siege.org/projects/phpMyID/
  41. 41. OpenID Enabling ExpoCal O M E http://cal.web2expo.com/ Existing users: Sign in and click the the add OpenID D link at the top right New users: Click login and sign in with your OpenID, skipping the signup process :)
  42. 42. Tools Used iCalicio by Kellan Elliot-McCrea and Evan Henshaw-Plath Ruby and Rails gem install ruby-openid license of we wrote it in four hours so don't laugh at us!
  43. 43. ExpoCal User Model Stores login name and hashed password We need to add an optional OpenID column 1 class AddOpenId ActiveRecord::Migration 2 def self.up 3 add_column :users, :openid, :string 4 add_index :users, [:openid], :name = :users_openid_index 5 end 6 7 def self.down 8 remove_column :users, :openid 9 end 10 end
  44. 44. Using the OpenID Library 1 def consumer 2 store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store') 3 store = OpenID::FilesystemStore.new(store_dir) 4 return OpenID::Consumer.new(session, store) 5 end FilesystemStore saved OpenID transaction state OpenID::Consumer handles the protocol details Store - RP specific state Session - user specific state Consumer - handles protocol details
  45. 45. Add OpenID UI 1 h2Or, login with OpenID/h2 2 %= start_form_tag(:controller='account', :action = 'openid_start') % 3 plabel for=openid_identifierOpenID/labelbr/ 4 %= text_field_tag 'openid_identifier' %/p 5 %= submit_tag 'OpenID Login' % 6 %= end_form_tag % input name=openid_identifer /
  46. 46. Handle Login Form Submit 1 def openid_start 2 openid_request = consumer.begin(params[:openid_identifier]) 3 4 case openid_request.status 5 when OpenID::SUCCESS 6 return_to = url_for(:action = 'openid_finish') 7 trust_root = url_for(:controller = '') 8 server_redirect_url = openid_request.redirect_url(trust_root, return_to) 9 redirect_to(server_redirect_url) 10 11 when OpenID::FAILURE 12 flash[:notice] = Could not find your OpenID server. 13 redirect_back_or_default(:controller = '/account', :action = 'index') 14 15 end 16 end 1. Discover 2.Associate 3. Redirect (we’ll handle the server response at the return_to URL) Highlighted numbers: 2 - consumer.begin 6 - build return_to 7 - build trust_root 8 - use the openid_response object to build the server_redirect_url 9 - send redirect!
  47. 47. Redirect to OpenID Provider
  48. 48. Handle Server Response 1 def openid_finish 2 openid_response = consumer.complete(params) 3 4 case openid_response.status 5 when OpenID::SUCCESS 6 openid = openid_response.identity_url 7 @user = User.find_by_openid(openid) 8 9 unless @user 10 @user = User.create(:openid = openid, :login = openid) 11 end 12 self.current_user = @user 13 flash[:notice] = Welcome #{@user.openid} 14 15 when OpenID::FAILURE 16 flash[:notice] = 'Verification failed.' 17 end 18 19 redirect_back_or_default(:controller = 'talk', :action = 'list') 20 end 2 - consumer.complete(params) 7 - success - find user by openid 10 - create new user if needed 12 - log user in
  49. 49. Done! Time to implement OpenID in iCalico: 45 minutes http://cal.web2expo.com/ Not a perfect implementation (yet), but quite good. Check out Ma.gnolia.com for a really great example of integration.
  50. 50. So this all looks great, but what are the downsides?
  51. 51. Kitten Overload! More kittens! Simon Willison - FOWA 02/07
  52. 52. Kitten Overload! FAKE More kittens! Simon Willison - FOWA 02/07
  53. 53. Kitten Overload! Identity theft! FAKE :'( Simon Willison - FOWA 02/07
  54. 54. You could just remove passwords One possible solution
  55. 55. Client Side Certs Brian: certs use cryptography to prove your identity to a website without sharing any secrets like username/password.
  56. 56. Microsoft CardSpace (UI for certs) Still to be seen if CS will be adopted, currently only IE 7 in Vista and if user downloads for XP.
  57. 57. Vidoop (changing the metaphor) Removes the traditional password, very new technology (consumer launch here)
  58. 58. ...but passwords are still widely used
  59. 59. VeriSign's OpenID Seatbelt (demoing today)
  60. 60. Helps with simplifying the end user experience around OpenID login flows.
  61. 61. Checks SSL certs to let you know if you're at the right place before you type your shared secret (password)
  62. 62. Helps user experience by letting you know who you're logged in as and automatically filling in your OpenID (note delegation)
  63. 63. Protects you by looking at what is happening to your browser, not perfect but better than what exists today. Smart users will combine warnings with login state indicator.
  64. 64. OpenID is great for innovation! (authentication method is up to the provider and user) Jabber Run your own on a hacked Linksys router looking at MAC address Tokens Kerberos Best solution is to let users combine methods for how they're using OpenID
  65. 65. I don't want just one identity...I mean I don't want my boss to know I'm a furry! or insert other example here
  66. 66. Well you don't wear your furry suit to work do you? already solved in real life
  67. 67. So use multiple OpenIDs! (you already do this with email addresses today) Solved problem, not a new one OpenID creates. Admit user education is important here.
  68. 68. Go code! (and join the conversation at OpenID.net)
  69. 69. Thanks! (and don't forget to grab a CD) David Recordon Brian Ellin drecordon@verisign.com brian@janrain.com IIW May 14-16 Mountain View CA
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×