Os Recordontutorial

Bootcamp Simon Willison David Recordon simonwillison.net davidrecordon.com simon@simonwillison.net drecordon@verisign.com OSCON July 24th, 2007

Who are We? • David Recordon • VeriSign Employee since May of 2006 • OpenID Foundation Vice- Chair • Co-Author of various OpenID speciﬁcations • Past employee of Six Apart, where OpenID was created

Who are We? • Simon Willison • Ex-Yahoo!, now freelance • “Europe’s ﬁrst OpenID consultant” • Co-creator of the Django Web Framework

The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A

What is OpenID?

OpenID is a decentralised mechanism for Single Sign On

What problems does it solve?

“Too many passwords!”

“Someone else already grabbed my username”

“My online proﬁle is scattered across dozens of sites”

What is an OpenID?

An OpenID is a URI

http://swillison.livejournal.com/

http://simonw.myopenid.com/

http://openid.aol.com/simonwillison/

http://simonwillison.net/

What can you do with an OpenID?

You can claim that you own it

You can prove that claim

Why is that useful?

You can use it for authentication

“Who the heck are you?!” Login? Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo Search Welcome to ExpoCal! Go Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends are going to see, or tag surf your way to serependity. My Schedule By Day You need to be logged in to keep a SUNDAY, APRIL 15, MONDAY, APRIL 16, WEDNESDAY, APRIL 18, TUESDAY, APRIL 17, 2007 list of talks and sessions you are 2007 2007 2007 interested in attending. Popular Today Popular Today Popular Today Popular Today \"Building Social \"Conference Welcome\" Tim \"Mobile 2.0\" Ajit Jaokar Mike \"Welcome\" Tim O'Reilly login | sign up Applications\" Stowe Boyd O'Reilly McCue; Ilkka Raiskinen; \"Jeff Weiner in Conversation \"High Performance \"A Conversation with Jeff Paola Tonelli with John Battelle\" Jeff Webpages\" Steve Bezos\" Jeffrey P. Bezos \"State of the Web 2.0: Weiner John B... Souders Tenni Theurer \"Built to Last or Built to Measuring the Participatory \"Web 2.0 for the Enterprise: Is \"Ignite\" Sell: Is There a Difference? Web\" Bill Tancer It Soup Yet?\" Dan Farber \" John Batt... \"Eric Schmidt in Conversation Satish Dha... Today: All with John Battelle\" Eric Today: All Today: All Schmidt John... Today: All Popular: Tags Popular: Speaker Community Design and User Ajit Jaokar Bill Tancer Brian Mulloy Charlene Ajax Li Dan Farber David Knight Dirk-Willem van Experience Keynotes Marketing Gulik Dmitry Dimov Eric Schmidt Ilkka and Community Strategy and Raiskinen James Baty Jay Adelson Jay Business Models Web 2.0 Bhatti Jeff Weiner Jeffrey P. Bezos Joe Fundamentals Web 2.0 Services John Battelle Kathy Sierra Kelly Kraus and Platforms Web Operations advertising Goto Kerry Fleming Kevin Lynch Luke Sontag business design digitalid django experience Mike McCue Mena Trott Paola Tonelli flickr free google javascript marketing microformats products and services Rich Skrenta Ross Mayfield Satish openid php Dharmaraj Subrah Iyar Tim O'Reilly rails search skypejournal social syndication all tags yahoo everybody! Random People ChrisC1971 alexiskold atomsplitter billvision brady emccm Everything! gervasio goodsboy gustav heinika hienhuynh hotwheel http://jalanoly.pip.verisignlabs.com/ Find: all talks, the all speakers, all tags, or users. http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/ jessie jggaines leeclw maisany markgoines nborwankar pbuder philip ron_topright shameer shua slevine timknight tomas wilsonminer

“I’m simonwillison.net”

“prove it!” Login? Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo Search Welcome to ExpoCal! Go Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends are going to see, or tag surf your way to serependity. My Schedule By Day You need to be logged in to keep a SUNDAY, APRIL 15, MONDAY, APRIL 16, WEDNESDAY, APRIL 18, TUESDAY, APRIL 17, 2007 list of talks and sessions you are 2007 2007 2007 interested in attending. Popular Today Popular Today Popular Today Popular Today \"Building Social \"Conference Welcome\" Tim \"Mobile 2.0\" Ajit Jaokar Mike \"Welcome\" Tim O'Reilly login | sign up Applications\" Stowe Boyd O'Reilly McCue; Ilkka Raiskinen; \"Jeff Weiner in Conversation \"High Performance \"A Conversation with Jeff Paola Tonelli with John Battelle\" Jeff Webpages\" Steve Bezos\" Jeffrey P. Bezos \"State of the Web 2.0: Weiner John B... Souders Tenni Theurer \"Built to Last or Built to Measuring the Participatory \"Web 2.0 for the Enterprise: Is \"Ignite\" Sell: Is There a Difference? Web\" Bill Tancer It Soup Yet?\" Dan Farber \" John Batt... \"Eric Schmidt in Conversation Satish Dha... Today: All with John Battelle\" Eric Today: All Today: All Schmidt John... Today: All Popular: Tags Popular: Speaker Community Design and User Ajit Jaokar Bill Tancer Brian Mulloy Charlene Ajax Li Dan Farber David Knight Dirk-Willem van Experience Keynotes Marketing Gulik Dmitry Dimov Eric Schmidt Ilkka and Community Strategy and Raiskinen James Baty Jay Adelson Jay Business Models Web 2.0 Bhatti Jeff Weiner Jeffrey P. Bezos Joe Fundamentals Web 2.0 Services John Battelle Kathy Sierra Kelly Kraus and Platforms Web Operations advertising Goto Kerry Fleming Kevin Lynch Luke Sontag business design digitalid django experience Mike McCue Mena Trott Paola Tonelli flickr free google javascript marketing microformats products and services Rich Skrenta Ross Mayfield Satish openid php Dharmaraj Subrah Iyar Tim O'Reilly rails search skypejournal social syndication all tags yahoo everybody! Random People ChrisC1971 alexiskold atomsplitter billvision brady emccm Everything! gervasio goodsboy gustav heinika hienhuynh hotwheel http://jalanoly.pip.verisignlabs.com/ Find: all talks, the all speakers, all tags, or users. http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/ jessie jggaines leeclw maisany markgoines nborwankar pbuder philip ron_topright shameer shua slevine timknight tomas wilsonminer

(crypto happens)

“OK, you’re in!” Login? Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo Search Welcome to ExpoCal! Go Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends are going to see, or tag surf your way to serependity. My Schedule By Day You need to be logged in to keep a SUNDAY, APRIL 15, MONDAY, APRIL 16, WEDNESDAY, APRIL 18, TUESDAY, APRIL 17, 2007 list of talks and sessions you are 2007 2007 2007 interested in attending. Popular Today Popular Today Popular Today Popular Today \"Building Social \"Conference Welcome\" Tim \"Mobile 2.0\" Ajit Jaokar Mike \"Welcome\" Tim O'Reilly login | sign up Applications\" Stowe Boyd O'Reilly McCue; Ilkka Raiskinen; \"Jeff Weiner in Conversation \"High Performance \"A Conversation with Jeff Paola Tonelli with John Battelle\" Jeff Webpages\" Steve Bezos\" Jeffrey P. Bezos \"State of the Web 2.0: Weiner John B... Souders Tenni Theurer \"Built to Last or Built to Measuring the Participatory \"Web 2.0 for the Enterprise: Is \"Ignite\" Sell: Is There a Difference? Web\" Bill Tancer It Soup Yet?\" Dan Farber \" John Batt... \"Eric Schmidt in Conversation Satish Dha... Today: All with John Battelle\" Eric Today: All Today: All Schmidt John... Today: All Popular: Tags Popular: Speaker Community Design and User Ajit Jaokar Bill Tancer Brian Mulloy Charlene Ajax Li Dan Farber David Knight Dirk-Willem van Experience Keynotes Marketing Gulik Dmitry Dimov Eric Schmidt Ilkka and Community Strategy and Raiskinen James Baty Jay Adelson Jay Business Models Web 2.0 Bhatti Jeff Weiner Jeffrey P. Bezos Joe Fundamentals Web 2.0 Services John Battelle Kathy Sierra Kelly Kraus and Platforms Web Operations advertising Goto Kerry Fleming Kevin Lynch Luke Sontag business design digitalid django experience Mike McCue Mena Trott Paola Tonelli flickr free google javascript marketing microformats products and services Rich Skrenta Ross Mayfield Satish openid php Dharmaraj Subrah Iyar Tim O'Reilly rails search skypejournal social syndication all tags yahoo everybody! Random People ChrisC1971 alexiskold atomsplitter billvision brady emccm Everything! gervasio goodsboy gustav heinika hienhuynh hotwheel http://jalanoly.pip.verisignlabs.com/ Find: all talks, the all speakers, all tags, or users. http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/ jessie jggaines leeclw maisany markgoines nborwankar pbuder philip ron_topright shameer shua slevine timknight tomas wilsonminer

So it’s a bit like Microsoft Passport, then?

Yes, at a high level

But you don’t need to ask Microsoft’s permission to implement it

One organisation doesn’t get to own everyone’s credentials

And the standard isn’t owned by any one company or group

Who does get to own them?

You, the user, decide.

You pick your own provider

(just like e-mail)

So I’m still giving someone the keys to my kingdom?

Yes, but it can be someone you trust

If you have the ability to run your own server software, you can do it for yourself

We'll show you how to do that a little later on

OK, how do I use it?

So my users don’t have to sign up for an account?

Not necessarily

An OpenID tells you very little about a user

You don’t know their name

You don’t know their e-mail address

You don’t know if they’re a person or a spambot

(or a dog)

Where do I get that information from?

You ask them!

OpenID augments your regular sign-up process; it doesn't replace it

The simple registration extension can help users ﬁll out your registration form

How can I tell if they’re an evil spambot?

Same as usual: challenge them with a CAPTCHA

botbouncer.com lets you outsource your CAPTCHAs

So how does OpenID actually work?

“I’m simonwillison.myopenid.com”

Site fetches HTML, discovers identity provider

Establishes shared secret with identity provider (Using Difﬁe-Hellman key exchange)

Redirects you to the identity provider

If you’re logged in there, you get redirected back

How does my identity provider know who I am?

OpenID deliberately doesn’t specify

username/password is common

But providers can use other methods if they want to

Client SSL certiﬁcates

Out of band authentication via SMS, e-mail or Jabber

IP based login restrictions

SecurID keyfobs

The provider’s business is authentication: they can invest much more effort than regular sites

It’s also possible for a provider to just say “yes” to every query

Just say “yes”?

http://www.jkg.in/openid/ does this

Users can give away their passwords today - this is the OpenID equivalent

It's similar to bugmenot.com

What if I decide I hate my provider?

Use your own domain name

Delegate to a provider you trust

This minimises lock in and ensures easy portability

So everyone will end up with one OpenID that they use for everything?

Probably not

(I have half a dozen OpenIDs already)

People like maintaining multiple online personas

professional social secret ...

OpenID makes it easier to manage multiple online personas

Three accounts is still better than three dozen

Some providers let you host multiple OpenIDs, or create a new one for every site you sign in to

Why is OpenID worth implementing over all the other identity standards?

It’s simple

Unix philosophy: It solves one, tiny problem

It’s a dumb network

Many of the competing standards are now on board

Isn’t putting all my eggs in one basket a really bad idea?

Bad news: chances are you already do

“I forgot my password” means your e-mail account is already an SSO mechanism

OpenID just makes this a bit more obvious

What about phishing?

Phishing is a problem

I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/

Fake edition Your identity provider Username and password, please! Username: Password: Log in

Identity theft :(

An untrusted site redirects you to your trusted provider

Sound familiar?

PayPal Yahoo! BBAuth Google Auth Google Checkout

We'll talk about some potential solutions later

Doesn’t this outsource the security of my users to untrusted third parties?

Yes it does. But...

... so do “forgotten password” e-mails!

If e-mail is secure enough for your user’s authentication, so is OpenID

Password e-mails are essentially SSO with a bad user experience

What are the privacy implications?

Cross correlation of accounts

Don’t publish a user’s OpenID without making it clear that you’re going to do that

Allow users to opt-out of sharing their OpenID

The online equivalent of a credit reporting agency?

This could be built today by sites conspiring to share e-mail addresses

IANAL, but legal protections against this already exist

“Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site

Patents?

Sun,VeriSign and JanRain have both announced “patent covenants”

They won’t smack you down with their patents for using OpenID 1.1

They will smack down anyone else who asserts their own patents against OpenID

The OpenID Foundation is working on an IPR Policy

Who else is involved?

~120M OpenIDs

~4200 RPs

AOL - provider, full consumer very soon

Microsoft: Bill Gates expressed their interest at the RSA conference

(mainly as good PR for CardSpace?)

Sun: Patent Covenant, 33,000 employees

VeriSign

Symantec

37 Signals

Drupal

Plone

Rails

Six Apart

JanRain

...etc we'll talk about this more later

Creating an OpenID pip.VeriSignLabs.com MyOpenID.com ClaimID.com FreeYourID.com http://openid.net/wiki/index.php/OpenIDServers and you may already have one

Using Your OpenID Basecamp.com Plaxo.com Blinksale.com Toodledo.com Wikispaces.com WikiTravel.com Ma.gnolia.com Jyte.com HighRiseHQ.com WetPaint.com http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers

6 0 0 ~12 million OpenIDs 2 OpenID 1.1 - Estimated from various services

~120 million OpenIDs (including every AOL user) OpenID 1.1 - Estimated from various services

6 Total Relying Parties 0 (aka places you can login with OpenID) 0 y nt ou /B p i Sx 4,500 2 3,375 2,250 1,125 0 '05 ct ov ec '06 b ar r ay e ly g Ap Au n Fe Ju O M M D N Ju p Jan Se OpenID 1.1 - As viewed by MyOpenID.com

Total Relying Parties (aka places you can login with OpenID) po L AO y Ex nt ou 0 & 2. /B T SF eb p M W i Sx 4,500 3,375 2,250 1,125 0 '05 ct ov ec '06 b ar r ay e ly g p ct ov ec '07 b ar r ay e 22 Ap Ap Au n n Fe Se Fe Ju O O M M M M D D N Ju N Ju ly p Jan Jan Ju Se OpenID 1.1 - As viewed by MyOpenID.com

6 0 0 2

History 2005 & 2006 Created by Brad Fitzpatrick (Summer 2005) Yadis Discovery protocol (Jan 2006) VeriSign launches OpenID Provider (May) Convergence with i-names (July) Convergence with Sxip (Aug.) $50,000 USD Developer Bounty (Aug.) Technorati adopts OpenID (Oct.) Tutorials by Simon Willison (Dec.)

History Q1 2007 Mozilla announces intent to support OpenID in FireFox 3 (Jan.) Microsoft support expressed by Bill Gates and Craig Mundie at RSA Conference keynote (Feb.) AOL add OpenID to every one of their ~60M accounts (Feb.) Symantec announces upcoming OpenID products (Feb.) Digg and NetVibes announce OpenID support (Feb.) Wordpress.com and 37Signals adopt OpenID (March) USA Today publishes OpenID article on the Money section front-page (March)

History Q2 2007 Plone 3.0 ships with OpenID support (May) Sun Microsystems adopts OpenID in enterprise product and provides employees with OpenID (May) livedoor adds OpenID support (May) OpenID wins Next Web Award (June) Leo Laporte and Steve Gibson discuss OpenID (June) OpenID wins CNET Webware 100 award (June) Atlassian (makers of enterprise wiki software) supports OpenID (June) Drupal 6 ships with OpenID support (June)

The OpenID Foundation

The purpose of the OpenID Foundation is to foster and promote the development and adoption of OpenID as a framework for user-centric identity on the Internet.

Founding board Scott Kveton David Recordon Chair Vice-Chair scott@kveton.com drecordon@verisign.com Dick Hardt Martin Atkins Treasurer Secretary dick@sxip.com mart@degeneration.co.uk Johannes Ernst Drummond Reed jernst@netmesh.us drummond.reed@cordance.net Bill Washburn Artur Bergman Executive Director sky@crucially.net bill@oidf.org

Current efforts Develop an IPR policy and process for OpenID speciﬁcations to keep OpenID free and patent unencumbered Develop a trademark policy that supports the extended OpenID community Develop core messaging for OpenID and websites oriented toward developers, users, and other potential adopters Coordinate World-wide joint marketing and evangelism

OpenID Auth 2.0 • Implementors draft published earlier this year • Already seen multiple implementations in PHP, Java, Perl, and Python • Concerns raised from service providers the size of AOL, LiveDoor,Yahoo! around identifier recycling • Still really close to a final specification

Protocol Security • DNS Security • Man in the Middle Attacks • Eavesdropping Attacks • MAC Key Weakness • Replay Attacks Don't Panic

Phishing An untrusted site redirects you to your trusted provider Not just a problem for OpenID, but also for PayPal, Google Auth and Checkout, Yahoo! BBAuth, AOL OpenAuth

Passwords Can be Stolen • Browsers have poor support for other means • Users normally ignore browser chrome • What extent are they willing to go? • \"Gang Kidnaps Gamer to Get Password Using Fake Orkut Date\"

Trust \"Trust ﬁrst requires identity\" - Brad Fitzpatrick OpenID does not tell you if a user is good, bad, or even human • What if I've never seen the user before? • What if I know nothing about the OpenID Provider?

Decoupled Authentication • What if the user didn't authenticate at all? • How do I know if they met my policies? • I need strong authentication! • The user must authenticate within the past ﬁve minutes!

Protocol security • Use SSL correctly throughout the protocol • Protects against man-in-the-middle, eavesdropping attacks, and DNS attacks • Generate strong MAC keys and re-negotiate as needed • Used to verify data integrity and authenticity of OpenID responses • Verify NONCEs • Protects against replay attacks

Trust \"Trust ﬁrst requires identity\" - Brad Fitzpatrick • Challenge them via a CAPTCHA or email veriﬁcation • Even a distributed CAPTCHA • Use whitelists and blacklists • Ask someone else whom you trust

Decoupled authentication • OpenID Provider Authentication Policy Extension, draft published June 2006 • Relying Parties can ask for authentication policies such as \"phishing resistant\" or \"multi-factor\" • Providers can respond with policies the user complied with, time since they authenticated, and strength of the credential (s) used per NIST guidelines • Still has the question of \"trust\"

Whitelisting Providers • OpenID doesn't dictate that a RP accept every OpenID • Certainly most do • Might make sense for a bank to whitelist • Others sites by whitelisting will only hurt themselves by cutting down the number of users who can sign in • With Yadis Discovery, a user can list multiple providers and a RP can choose which to use

Vidoop (changes the metaphor by removing passwords)

DEMO

Client Side SSL Certiﬁcates

DEMO

Microsoft CardSpace (anti-phishing authentication built into the OS)

DEMO

VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox) works with

SeatBelt • Provide contextual information • Am I currently logged in and if so as whom? • Is it safe to login? • Remove phishing opportunities • Login when my browser opens • Take me to my Provider if I'm not logged in • Protect against common attacks • Validate SSL certiﬁcates when interacting with my Provider

DEMO

Provide context

Remove opportunities

Protect

the best solutions will be in the browser

Mozilla has said FireFox 3 will include some sort of OpenID integration

IE Team has posted a job ad mentioning \"OpenID\" \"Does the idea of redeﬁning the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you.\"

Simpliﬁed account creation • The classic OpenID use-case: allow users to create a regular account on your system tied to their OpenID • Use Simple Registration to pre-ﬁll the signup form • Let users associate one or more OpenIDs with an existing account

Lightweight accounts • Sometimes you just need persistent cookies • Personalisation • Preference saving • Anything where users can’t spam you • http://oscon07.icalico.org/ is a nice example

Simpliﬁed OpenID login • Millions of people have OpenIDs but don’t know what OpenID is • Offer them a sign-in form speciﬁc to their provider • Construct the OpenID behind the scenes

Internal SSO • Restrict your internal applications to only accept corporate assigned OpenIDs • Requires an internal OpenID server • Wikis, bug trackers, blog engines... • Applications need to be able to whitelist OpenIDs that match a certain pattern • http://(\\w+).internal.example.com/

Portable contact lists • Re-adding your friends on every social network completely sucks • The Facebook platform shows the importance of being able to build even trivial applications on top of an existing network • An OpenID is globally unique; it’s the ideal hook for building a reusable friend list

Contact list options • FOAF • RDF format, exported by LiveJournal • Currently adding a new “openid” ﬁeld • XFN • Microformat for listing relationships • Can be embedded directly in HTML

http://daveman692.livejournal.com/data/foaf ... <foaf:knows> <foaf:Person> <foaf:nick>bradfitz</foaf:nick> <foaf:member_name>Brad Fitzpatrick</foaf:member_name> <foaf:tagLine></foaf:tagLine> <foaf:image>http://userpic.livejournal.com/21628/1</foaf:image> <rdfs:seeAlso rdf:resource=\"http://bradfitz.livejournal.com/data/foaf\" /> <foaf:weblog rdf:resource=\"http://bradfitz.livejournal.com/\"/> </foaf:Person> </foaf:knows> ...

http://gmpg.org/xfn/intro <ul> <li><a href=\"http://jane-blog.example.org/\" rel=\"date met\">Jane</a></li> <li><a href=\"http://dave-blog.example.org/\" rel=\"friend met\">Dave</a></li> <li><a href=\"http://darryl-blog.example.org/\" rel=\"friend met\">Darryl</a></li> </ul>

Pre-approved accounts • Collaboration apps (private wikis, multi- author blogs, Google Docs etc) often let you “invite” new members to your project • With OpenID, you can pre-approve their ability to log in without needing to create them a username and password

Social whitelists • A potential mechanism for tackling blog comment spam • Create a list of OpenIDs that can skip your spam ﬁlter • Share that list with your friends • Allow people on their lists to skip your spam ﬁlters as well • http://simonwillison.net/2007/Jan/22/whitelisting/

Group syndication • A combination of social whitelisting and pre- approved accounts • Syndicate groups as a list of OpenIDs • www.jyte.com does this • Tell another application that “anyone who is a member of that group can sign in”

jyte.com/api/group/djangonauts/roster http://www.jacobian.org/ http://groovymother.com/ http://rodbegbie.sxipper.com/ http://cygnus.myopenid.com/ http://www.b-tree.org/ http://root.b-tree.org/ http://jlam.idproxy.net/ http://claimid.com/jlam http://openid.aol.com/jlameudaemon http://jlam.vox.com/ http://jlam.livejournal.com/ http://adamh.openid.pl/ http://robhudson.myopenid.com/ http://recombiant.com/public/yadis.xrdf http://bradpitcher.livejournal.com/ http://kristate.myopenid.com/ http://michele.campeotto.net/ http://mderk.livejournal.com/ http://meangrape.myopenid.com/ http://telenieko.com/ http://eas.myopenid.com/ http://geekfun.livejournal.com/ http://www.pauladamsmith.com/ http://teknico.myopenid.com/ http://adamendicott.com/ http://simonwillison.net/ http://azuer88.myopenid.com/ http://lightlan.myopenid.com/

Provider-speciﬁc services • OpenIDs from different providers can tell you different things about a user • An AOL OpenID “proves” their IM details • A LiveJournal OpenID lets you discover their RSS, FOAF and LJ Jabber account • A last.fm OpenID could indicate their taste in music • Another reason to allow multiple OpenIDs to be associated with a single account

Identity projection • A related concept • OpenID lets you project your identity from one service to another • If you can prove to site X that you are a user of site Y, what new things can you build? • Lots of opportunities for interesting mashups here

Build a decentralised reputation network • eBay users build up a trusted reputation over time • Imagine if reputation could be tied to an OpenID, and aggregated by crawlers • This wouldn’t punish the bad guys (who would just get a new OpenID), but it would reward the good guys • Jyte lets you vote on claims about OpenIDs

Being a consumer and a provider • Not as crazy as you might think • Letting users sign in with OpenID is a no- brainer • Providing OpenID as a way of proving ownership of a proﬁle page is also useful • You could even automatically delegate to the OpenID that they used to sign in

Proxies for proprietary authentication APIs • Google,Yahoo! and Facebook all provide proprietary authentication APIs • If they're supporting an authentication API, why don't they just support OpenID? • You can set yourself up as a proxy between their protocol and OpenID

Detailed protocol ﬂow

associate • Back-channel between RP and Provider • Used to establish a shared secret used for message signing • HMAC style key calculated with SHA1 or SHA256 • Can use Difﬁe-Hellman or be in the clear if using SSL

checkid_setup • Front-channel via browser redirects • Send the user to their Provider with an OpenID request • Provider authenticates and prompts user • Responds with a \"yes\" or \"cancel\"

checkid_immediate • Front-channel via browser redirects • Send the user to their Provider with an OpenID request • Provider immediately responds with a \"yes\" or \"no\" • Good for AJAX type setups or \"single logout\"

check_authentication • Back-channel between RP and Provider • Used to verify a signature if there was not an existing association • Also used to verify a signature if the Provider told the RP to invalidate the existing association

As a drawing http://leancode.com http://www.windley.com

Creating an OpenID with your own server

* *************************************************************************** * * CONFIGURATION * *************************************************************************** * * You must change these values: * auth_username = login name * auth_password = md5(username:realm:password) * * Default username = 'test', password = 'test', realm = 'phpMyID' */ #$profile = array( # 'auth_username' => 'test', # 'auth_password' => '37fa04faebe5249023ed1f6cc867329b' #); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ #$sreg = array ( # 'nickname' => 'Joe', # 'email' => 'joe@example.com', # 'fullname' => 'Joe Example', # 'dob' => '1970-10-31', # 'gender' => 'M', # 'postcode' => '22000', # 'country' => 'US', # 'language' => 'en', # 'timezone' => 'America/New_York' #);

* *************************************************************************** * * CONFIGURATION * *************************************************************************** * * You must change these values: * auth_username = login name * auth_password = md5(username:realm:password) * * Default username = 'test', password = 'test', realm = 'phpMyID' */ $profile = array( 'auth_username' => 'david', 'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1' ); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ #$sreg = array ( # 'nickname' => 'Joe', # 'email' => 'joe@example.com', # 'fullname' => 'Joe Example', # 'dob' => '1970-10-31', # 'gender' => 'M', # 'postcode' => '22000', # 'country' => 'US', # 'language' => 'en', # 'timezone' => 'America/New_York' #);

Conﬁgure Proﬁle Data $profile = array( 'auth_username' => 'david', 'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1' ); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ $sreg = array ( 'nickname' => 'daveman692', 'email' => 'recordond@gmail.com', 'fullname' => 'David Recordon', 'dob' => '1986-09-04', 'gender' => 'M', 'postcode' => '941458', 'country' => 'US', 'language' => 'en', 'timezone' => 'America/Los_Angeles' );

Conﬁgure Delegation (source of www.davidrecordon.com) <html xmlns=\"http://www.w3.org/1999/xhtml\"> <head> <title>David Recordon</title> <style> div { text-align: center; color: #C0C0C0; } img { border: 0px; } a { color: #C0C0C0; } </style> <link rel=\"openid.server\" href=\"http://www.davidrecordon.com/myid.php\" /> <link rel=\"openid.delegate\" href=\"http://www.davidrecordon.com/myid.php\" /> </head>

Done! Time to conﬁgure and upload phpMyID: ~5 Min http://siege.org/projects/phpMyID/

Enabling a Rails app

OpenID enabling iCalico http://oscon.icalico.org/ Existing users: Sign in and click the the \"add OpenID\" link at the top right New users: Click \"login\" and sign in with your OpenID, skipping the signup process :) Thanks Brian Ellin of JanRain

Tools Used • iCalicio by Kellan Elliot-McCrea and Evan Henshaw-Plath • Ruby and Rails • gem install ruby-openid

iCalico User Model • Stores login name and hashed password • We need to add an optional OpenID column 1 class AddOpenId < ActiveRecord::Migration 2 def self.up 3 add_column :users, :openid, :string 4 add_index :users, [:openid], :name => :users_openid_index 5 end 6 7 def self.down 8 remove_column :users, :openid 9 end 10 end

Now for the best practice • Should allow multiple OpenIDs...though is slightly more complex 1 class AddOpenId < ActiveRecord::Migration 2 def self.up 3 create_table :openids do |t| 4 t.column :identifier, :string 5 t.column :user_id, :int 6 end 7 end 8 9 def self.down 10 drop_table :openids 11 end 12 end 1 class User < ActiveRecord::Base 2 has_many :openids 3 end

Using the OpenID Library 1 def consumer 2 store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store') 3 store = OpenID::FilesystemStore.new(store_dir) 4 return OpenID::Consumer.new(session, store) 5 end • FilesystemStore saved OpenID transaction state • OpenID::Consumer handles the protocol details

Add OpenID UI 1 <h2>Or, login with OpenID</h2> 2 <%= start_form_tag(:controller=>'account', :action => 'openid_start') %> 3 <p><label for=\"openid_identifier\">OpenID</label><br/> 4 <%= text_field_tag 'openid_identifier' %></p> 5 <%= submit_tag 'OpenID Login' %> 6 <%= end_form_tag %> <input name=\"openid_identifer\" />

Handle Login Form Submit 1 def openid_start 2 openid_request = consumer.begin(params[:openid_identifier]) 3 4 case openid_request.status 5 when OpenID::SUCCESS 6 return_to = url_for(:action => 'openid_finish') 7 trust_root = url_for(:controller => '') 8 server_redirect_url = openid_request.redirect_url(trust_root, return_to) 9 redirect_to(server_redirect_url) 10 11 when OpenID::FAILURE 12 flash[:notice] = \"Could not find your OpenID server.\" 13 redirect_back_or_default(:controller => '/account', :action => 'index') 14 15 end 16 end 1. Discover 2. Associate 3. Redirect (we’ll handle the server response at the return_to URL)

Redirect to OpenID Provider

Handle Server Response 1 def openid_finish 2 openid_response = consumer.complete(params) 3 4 case openid_response.status 5 when OpenID::SUCCESS 6 openid = openid_response.identity_url 7 @user = User.find_by_openid(openid) 8 9 unless @user 10 @user = User.create(:openid => openid, :login => openid) 11 end 12 self.current_user = @user 13 flash[:notice] = \"Welcome #{@user.openid}\" 14 15 when OpenID::FAILURE 16 flash[:notice] = 'Verification failed.' 17 end 18 19 redirect_back_or_default(:controller => 'talk', :action => 'list') 20 end

Done! Time to implement OpenID in iCalico: 45 minutes http://oscon.icalico.org/

OpenID and Django

django-openid • http://code.google.com/p/django-openid • Convenient wrapper around JanRain library • Currently provides tools for consuming OpenID

def index(request): if request.openid: # User is signed in with OpenID ... else: # User is not signed in return HttpResponseRedirect('/openidlogin/') request.openid = most recently signed in OpenID request.openids = ALL signed in OpenIDs

Additional features • Simple registration support • request.openid.sreg['email'] • Coming soon... • Tie in with django.contrib.auth.User • Easy creation of an OpenID provider

Best practices for OpenID relying parties

• OpenID extends rather than replaces your existing user accounts system • Two key steps: • Allow existing users to associate one or more OpenIDs with their account • Allow new users to sign up using an OpenID to jump-start the process

Existing accounts • Provide an interface for adding and removing OpenIDs from an account • Don’t let users associate an OpenID without ﬁrst authenticating it • Don’t let users delete the last OpenID associated with their account without having a password set (or they’ll lock themselves out)

New accounts • Use Simple Registration, if available, to pre-fill fields in your registration form • Not all providers support Simple Registration • Don’t assume that e-mail addresses etc from Simple Registration are accurate - you may still want to send a verification e-mail • Don’t assume the user is a human being - challenge with a CAPTCHA or use botbouncer.com

Simple Registration • nickname • postcode • email • country • fullname • language • dob • timezone • gender Some providers (or users) may provide just a subset of this information

Thanks! http://openid.net/ http://planet.openid.net/ Simon Willison David Recordon simonwillison.net davidrecordon.com simon@simonwillison.net drecordon@verisign.com OSCON July 24th, 2007

Os Recordontutorial

0 comments

Notes on slide 1

4 Favorites