OpenID Tutorials

OpenID Tutorial. Naofumi HAIDA from Cirius Technologies.

Table of Contents. • Self-Introduction. • What is OpenID? • OpenID 2.0 quick look. • Security Issues. • Other related OpenAPIs.

Self-introduction. • Working @Cirius Technologies, Inc. • Architect @Cirius Lab. • Ruby Programmer. • GeoAPIs, Twitwi Twitter, Twittalk etc... • OpenAPIS & Beyond LT • http://docs.google.com/Presentation? id=dgp485h4_561dwgpsrcd

Questions. • OpenID ? • RP OpenID ? • OpenID 2.0 ? • XRI ?

Authentication ( ) ID Authorization ( ) ID

Backgrounds.

• Internet Identity Workshop Six Apart Brad Fitzpatrick OpenID (2005.10) • Web OpenID (2007.02) • Blogger OpenID (2007.11) • OpenID Authentication 2.0 & OpenID Attribute Exchange 1.0 (2007.12)

• Blogger OpenID IdP (2008.01) • Yahoo OpenID 2.0 IdP (2008.01) • OpenID Foundation Google IBM MS Yahoo! (2008.02) • Six Apart Verisign NRI OpenID Japan Foundation (2008.02)

Many Internet users are “End User” of OpenID Now!

~ 360 million OpenIDs.

Total Relying Parties Borrowed from David Recordon

There are over 11,000 OpenID enable sites!

What’s for OpenID?

We use more and more sites!

OpenID solves...

Too many passwords!

My Online Proﬁle scattered across many sites!

What is an OpenID??

http://www.hatena.ne.jp/haida/

http://proﬁle.livedoor.com/haida

http://haida.livejurnal.com/

Is an OpenID a URI? It has changed in OpenID ver 2.0.

yahoo.com

coderepos.org

xri://=haida

OpenID: Identity URI Web Authority http://www.slideshare.net/zigorou/ openid-20-quick-note/

These are not OpenID.

Authorization Authentication Delegation Privacy Identity Maneger Trust Control Single-Sign-On Distributed SSO

Login with OpenID.

Input Claimed Identiﬁer @ RP.

Authenticate @ OP.

Merits & Demerits of OpenID.

End User URI

Relying Party - - Sun OpenID Sun Sun

2. OpenID 2.0 Quick look.

User-Supplied Identiﬁer

URL ID ID

https://me.yahoo.co.jp/a/ X4F0sewBfO6V5S31BLZsyz4BnEx0# fdf84 yahoo.com

XRI

Identity URI XRI

xri://=haida

xri xri ID i-name

= @

xri://@yahoo

※ XRI xri://=haida 12 $/year xri://@mixi 55 $/year

Terms around OpenID.

identiﬁer http, https URI URI 2.0 URI XRI

OpenID Provider: OP Ver 1.1 IdP OpenID

OP Identiﬁer OP Identiﬁer

Relying Party: RP Consumer OpenID Identiﬁer OP Web Web

Claimed Identiﬁer URI OP

User-Supplied Identifier RP Claimed Identifier OP Identifier

OP-Local Identifier OP Identifier OP Identifier

How does authentication work with OpenID ?

1. RP Claimed Identiﬁer HTML 2. openid.server link 3. RP 4. OP 5. OP RP 6. RP

How does this work?

Discovery with XRDS.

OP delegate Identiﬁer OpenID 1.1 HTML OpenID 2.0 XRDS XML

Claimed Identiﬁer XRI - XRDS Claimed Identiﬁer URL - HTML x-xrds-location URL - meta http-equiv x-xrds-location URL - Content-type application/xrds+xml XRDS

<?xml version=\"1.0\" encoding=\"UTF-8\"?> <xrds:XRDS xmlns:xrds=\"xri://$xrds\" xmlns:openid=\"http://openid.net/xmlns/1.0\" xmlns=\"xri://$xrd*($v*2.0)\"> <XRD> <Service priority=\"0\"> <Type>http://specs.openid.net/auth/2.0/server</Type> <URI>http://openid.example.com/auth</URI> </Service> </XRD> </xrds:XRDS>

Service Type

Security Risks.

Phishing.

1. Malicious Consumer OpenID 2. Identiﬁer URI 3. Malicious Consumer OP OP 4. OP OP ID, Password 5. 6. OP

Firefox OpenID SeatBelt (by VeriSign) -- OpenID -- Malicious Consumer Malicious Consumer OP -- OP

OP nonce trust_root, return_to return_to malicious consumer OP robots.txt OpenID “Identity Page for\" site:*.myopenid.com” OP

RP for Mobile OP RP for Mobile OpenID ?

orz..

OpenID Security ! http://wiki.openid.net/Security

Reputation Problem OP

OP RP AOL OP http://dev.aol.com/node/578

OP https Attribute Exchange Provider Authentication Policy Extension

OP Reputation OP !

Summary • OpenID • OpenID 2.0 User Friendly! • IdP

Thank you!

OpenID Tutorials

0 comments

Notes on slide 1

Favorites, Groups & Events