OpenID vs OAuth - Identity on the Web (Presentation Transcript)
Identity on the Web
OpenID vs OAuth
Identity Management in SOA
Richard Metzler
May 2010
1
Outline
I. User Authentication
II. OpenID
III. OAuth
IV. Compare OpenID & OAuth
V. My Project
2
User Authentication
3
User Authentication
• every single website needs my credentials
• username / e-mail
• password
• should be secure
• should not be reused
• how to remember?
4
Resulting Problems
• identity is scattered
• passwords
• millions to remember vs recycling
• how to authorize third party access?
➡ Password Anti-Pattern
5
OpenID
6
OpenID
• sharing a single identity with different consumers
• decentralized
• OpenID 2.0 (without XRI)
http://openid.net/
7
Roles in OpenID
• User owns account at OpenID Provider
• User proves Identity to Relying Party
8
Establish Association
• shared secret between Relying Party & OpenID Provider
• Diffie Hellman Key Exchange
• (g^xa)^xb mod p = (g^xb)^xa mod p
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
12
Redirect User Agent to OP Endpoint
13
Redirect User Agent to OP Endpoint
14
Return URL Verification
• OpenID Provider checks:
• do Realm and return_to URL match?
15
User Authentication
16
OpenID Provider presents Realm
17
Redirect User Agent to OP Endpoint URL
18
Redirect User Agent to OP Endpoint URL
19
Verification
• Relying Party checks:
• return_to URL
• OpenID Identifier
• was Nonce never used before?
• fields signed, signature valid
20
Register Consumer, get Consumer Key
• manually register Consumer at Service Provider
• identified by Token / Secret
• Callback URL
• all subsequent Requests must be signed with Secret, Nonce & Timestamp
27
Sign in with OAuth
28
Get Request Token
• Consumer asks Service Provider for Request Token
• Request Token identifies authorization workflow
• not user specific
• transmitted in URL when User Agent is redirected
29
HTTP Redirect to Service Provider
30
HTTP Redirect to Service Provider
31
Authenticate
32
Grant Access
33
HTTP Redirect to Consumer Callback
34
HTTP Redirect to Consumer Callback
35
Get Access Token
• Consumer trades Request Token for Access Token
• Access Token grants access to Service Provider on behalf of User
• user specific
36
Logged in
37
Access Resource
• authenticated access on Resource
• must be signed
• Consumer Key
• OAuth Token
• Timestamp
• Nonce
38
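The signed resource request on the "Access Resource" slide (Consumer Key, OAuth Token, Timestamp, Nonce) and the replay note at the end of the transcript, as an added example that is not the presenter's code: a Consumer-side HMAC-SHA1 signer following OAuth 1.0 and a minimal Service Provider check that rejects unknown consumers, stale timestamps, reused nonces and bad signatures. The consumer key, token, secrets and request are the sample values from OAuth Core 1.0, Appendix A; the ServiceProvider class and its five-minute clock-skew window are assumptions of this example.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are kept
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & enc(url) & enc(params sorted by encoded key, then value)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Consumer side: HMAC-SHA1 over the base string, keyed with both secrets
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class ServiceProvider:  # Provider side: Consumer Key, OAuth Token, Timestamp, Nonce, then signature
    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # oauth_token -> (consumer_key, token_secret)
        self.window = window        # tolerated clock skew in seconds (assumption: 5 minutes)
        self.seen = set()           # (consumer, token, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        p = dict(params)
        presented = p.pop("oauth_signature", None)
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        token = self.tokens.get(p.get("oauth_token"))
        if presented is None or consumer_secret is None or token is None or token[0] != p["oauth_consumer_key"]:
            return False  # unknown consumer, unknown token, or token not issued to this consumer
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs((now if now is not None else time.time()) - ts) > self.window:
            return False  # stale request
        replay_key = (p["oauth_consumer_key"], p["oauth_token"], ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False  # same nonce presented again: replay
        expected = sign(method, url, p, consumer_secret, token[1])
        if not hmac.compare_digest(expected.encode(), str(presented).encode()):
            return False
        self.seen.add(replay_key)  # remember the nonce only after the signature checked out
        return True

SAMPLE_URL = "http://photos.example.net/photos"  # constructed sample: OAuth Core 1.0 Appendix A request
SAMPLE = {"file": "vacation.jpg", "size": "original", "oauth_consumer_key": "dpf43f3p2l4k3l03",
          "oauth_token": "nnch734d00sl2jdk", "oauth_signature_method": "HMAC-SHA1",
          "oauth_timestamp": "1191242096", "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}
```

Calling `verify` twice with the same signed request returns True and then False, which is the replay protection the nonce and timestamp provide.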
Commonalities
• involves 3 parties
• open protocols - community driven
• HTTP based
• not mutually exclusive
41
Differences
• sharing: identity vs data resources
• decentralized vs centralized
• Consumer-Provider relationship:
• unknown vs well-known
42
My Project
43
My Project
• Implement OAuth Service Provider & OAuth Consumer example
• API for manageable resources (ideas)
• profile pictures
• activity streams Atom feed extension
• RESTful API for editing RDF::FOAF data
http://activitystrea.ms/ http://www.foaf-project.org/
44
OpenID Foundation: Yahoo!, Google, Facebook, PayPal, Verisign, IBM, Microsoft
HERE: NO YADIS, NO XRI (Extensible Resource Identifier)
verify at
public prime - p
xa = RP's private key
xb = OP's private key
verify at
-Flickr, Google AuthSub, -Yahoo!
-Twitter
-Facebook -> OAuth 2.0
Signing, so that no replay attacks can be carried out