Open Id, O Auth And Webservices

4,733 views

Published on

This presentation was given at Web Directions South in 2008. It is a developers guide to building sites using OpenID, OAuth and webservices - no code, but enough to point you in the right direction

Published in: Technology
1 Comment
10 Likes
Statistics
Notes
No Downloads
Views
Total views
4,733
On SlideShare
0
From Embeds
0
Number of Embeds
197
Actions
Shares
0
Downloads
193
Comments
1
Likes
10
Embeds 0
No embeds

No notes for slide
  • Open Id, O Auth And Webservices

    1. 1. OpenID, OAuth and Webservices A developers guide Web Directions 2008 - Myles Eftos
    2. 2. Our lives in digits So many web apps - so many usernames, so many passwords How do we access our data? How can we do that safely ? How can we do it easily ?
    3. 3. Meet Jim Uses Twitter, Gmail, Digg, Newsgator, LinkedIn + many more His housemate finds his username and password Hilarity ensues
    4. 4. OpenID to the rescue! There are consumers, and there are providers Everyone gets a URL Magic happens…
    5. 5. Step 1 User enters their OpenID URL
    6. 6. Step 2 Consumer discovers link tags for delegation <link rel=&quot;openid.server&quot; href=&quot;http://my.openid.server&quot;> <link rel=&quot;openid.delegate&quot; href=&quot;http://madpilot.openid.server&quot;>
    7. 7. Step 3 Consumer redirects to the Provider login screen openid.mode = checkid_setup openid.identity = http://myid.openid.com openid.return_to = http://www.consumer.com?rp_nouce=[RANDOM] openid.trustroot = http://www.consumer.com
    8. 8. Step 4 User enters credentials
    9. 9. Step 5 Provider redirects to Consumer with return_url parameters openid.mode = id_res openid.return_to = http://www.consumer.com?rp_nouce=[RANDOM] openid.identity = http://madpilot.openid.com openid.signed = mode,identity,return_to openid.assoc_handle = [some hash] openid.sig = [Base64 encoded HMAC signature]
    10. 10. Step 6 Consumer POSTs back to validate what was returned openid.mode = check_authentication openid.signed = mode,identity,return_to openid.assoc_handle = [same hash as before] openid.sig = [Same Base64 encoded HMAC signature as before] openid.return_to = http://www.consumer.com?rp_nouce=[RANDOM] Openid.identity = http://madpilot.openid.com
    11. 11. Step 7 If the returned values look ok the Provider returns is_valid:true is_valid:true
    12. 12. And again with passion Dumb mode has lots of redirects Not-dumb mode asynchronously (AJAX) gets an immediate answer If the user is logged in, the user can continue If not, decide what to do (authenticate would be a good idea)
    13. 13. Simple Registration SREG to it’s friends Send your favourite parameters Pull nickname, email, date of birth, gender, country, language, time zone Consumer can request required and optional parameters
    14. 14. I want my data! Data in the cloud is cool Backups, hardware upgrades – someone else’s problem Vendor lock-in is the suck Web services are the awse
    15. 15. REST vs SOAP The world needs more religious wars Both lie on HTTP Both use XML* Remote Procedure Pattern vs. Resource Pattern * REST doesn’t really care…
    16. 16. SOAP : Why no one uses it In theory it rocks. Has a description language (WDSL) It is verbose Perhaps, something more Ideological?
    17. 17. REST : The web for computers The web is based on resources Type in a URL: GET that resource Submit a form: POST to that resource Forgotten verbs: PUT and DELETE
    18. 18. One end point to rule them all OK, maybe two Delete the company with id=1 DELETE /companies/1.xml Update the company with id=1 PUT /companies/1.xml Return the company with id=1 GET /companies/1.xml Creates a new company POST /companies.xml Returns all companies GET /companies.xml
    19. 19. HTTP/1.1 101 HTTP does a lot of stuff
    20. 20. HTTP/1.1 101 HTTP does a lot of stuff Status codes Authorization Required 401 Server Unavailable 503 Server Error 500 Invalid Entity 422 Gone 410 Not allowed 405 Not Found 404 Forbidden 403 Bad Request 400 Moved Permanently 301 Created 201 OK! 200
    21. 21. HTTP/1.1 101 HTTP does a lot of stuff Status codes Headers and modifiers If-Range If-None-Match If-Match If-Unmodified-Since If-Modified-Since
    22. 22. Communism doesn’t work You don’t want any old person changing stuff 401 Authorization Required Still needs a password though – a pure OpenID implementation is out Anti-password pattern alert!
    23. 23. Check up on Jim Signs up to a new Web 2.0 CRM Offers to copy contacts from Gmail Requires your Gmail username and password… Sounds phishy
    24. 24. Bloody OAuth it is… OAuth is a machine authorisation protocol Like a Valet Key Give permission for a system to access your account … or take away permission Again, there are Providers and there are Consumers
    25. 25. Step 1 User wants to access their photos from another service
    26. 26. Step 2 Consumer sends a POST request to the request token URL at the Provider. It identifies itself using a shared secret key that was prepared earlier
    27. 27. Step 3 The Provider returns a unauthorised request token. The token is good for one use
    28. 28. Step 4 The consumer redirects the user to the Authorisation URL of the provider
    29. 29. Step 5 If the user hasn’t logged in to the Provider service, they do so now on the Provider You could use OpenID for this bit
    30. 30. Step 6 The Provider asks the user if they really wants to let the Consumer have the photos
    31. 31. Step 7 The Provider redirects the user back to the Consumer and lets the Provider know that is can request a authorized token
    32. 32. Step 8 The Consumer requests an authorised token using the now authorised request token
    33. 33. Step 9 The Provider exchanges the request token for an access token. This token is good for a pre-determined period of time (Maybe forever)
    34. 34. Step 10 The Consumer can now access the data using it’s access token
    35. 35. Step 11 The Provider sends the data if the access token checks out
    36. 36. Look ma – no passwords! User never enters their password on the Consumer The Consumer actually has it’s own password (the token) The token can be revoked, stopping access
    37. 37. The Dark Side: OpenID Phishing DNS Spoofing Not an AUTHORISATION system Consumer has to trust the Provider Doesn’t really work without a browser
    38. 38. The Dark Side: REST No standard ! (Lather, rinse, repeat) No description language – requires more legwork
    39. 39. The Dark Side: OAuth Doesn’t work so well without a browser More complex/higher overhead than username/password Doesn’t work with cURL
    40. 40. Yadis with egg and cheese Service discovery protocol OpenID is the only open, distributed authentication system (Surprised?) XML RDF based Allows Providers and Consumers to negotiate protocols
    41. 41. Yadis with egg and cheese <?xml version=“1.0” encoding=“UTF-8”?> <xrds:XRDS xmlns:xrds=“xri://$xrds” xmlns=“xri://$xrd*($v*2.0)”> <XRD> <Service> <Type>http://lid.netmesh.org/sso/2.0</Type> </Service> <Service> <Type>http://lid.netmesh.org/sso/1.0</Type> </Service> </XRD> </xrds:XRDS>
    42. 42. You know what would be cool ? OpenID on your desktop OpenID on your mobile Webservice brokering system File system integration
    43. 43. Your local libraries OpenID: http://wiki.openid.net/Libraries OAuth: http://oauth.net/code
    44. 44. In conclusion, Thank You Question time starts… Now

    ×