Identity on the Web
OpenID vs OAuth
Identity Management in SOA

Richard Metzler

May 2010

Outline
I.   User Authentication
II.  OpenID
III. OAuth
IV.  Compare OpenID & OAuth
V.   My Project

User Authentication

User Authentication
• every single website needs my credentials
 • username / e-mail
 • password
   • should be secure
   • should not be reused
   • how to remember?

Resulting Problems
• identity is scattered
• passwords
 • millions to remember vs recycling
 • how to authorize third party access?
   ➡ Password Anti-Pattern (handing your password to the third party)
OpenID

OpenID
• sharing a single identity with different consumers
• decentralized
• OpenID 2.0 (without XRI)
  http://openid.net/

Roles in OpenID
• User owns account at OpenID Provider
• User proves Identity to Relying Party

OpenID Flow
http://www.openaselect.org/trac/openaselect/wiki/OpenID

Sign in with OpenID Identifier

Discovery & Delegation
• obtain OP Endpoint: the Relying Party fetches the OpenID Identifier (a URL) and reads the OP Endpoint URL from it
• delegation: the Identifier may point at a different local identifier that the OP knows the User by

Establish Association
• shared secret between Relying Party & OpenID Provider
• Diffie Hellman Key Exchange
• (g^xa)^xb mod p = (g^xb)^xa mod p
  http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Redirect User Agent to OP Endpoint
• checkid_setup request carrying the return_to URL, the Realm and the association handle

Return URL Verification
• OpenID Provider checks:
 • do Realm and return_to URL match?
   (the return_to URL must lie within the Realm: same scheme, host and port, Realm path a prefix; the Realm host may start with a *. wildcard)

User Authentication

OpenID Provider presents Realm

Redirect User Agent back to return_to URL
• positive assertion (openid.mode=id_res), signed by the OP with the association secret

Verification
• Relying Party checks:
 • return_to URL (matches the URL the response actually arrived at)
 • OpenID Identifier
 • was Nonce never used before?
 • fields signed, signature valid

Logged in

OpenID Flow
http://www.openaselect.org/trac/openaselect/wiki/OpenID
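Worked example for the Return URL Verification and Verification slides above, added by the editor; it is not code from the deck or from the author's project. It runs the OpenID Provider's Realm check and the Relying Party's response check in Python with HMAC-SHA256 signing, then shows a replayed assertion and one whose claimed_id was altered being rejected. The Realm rule is simplified from OpenID 2.0 section 9.2, the association MAC key is a constructed constant standing in for the Diffie-Hellman result of the Establish Association slide, and all URLs, handles and nonce values are made up for the example.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import urlparse

REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def return_to_matches_realm(realm, return_to):
    """OP-side 'Return URL Verification', simplified from OpenID 2.0 section 9.2: no
    fragment in the realm, same scheme and port, realm path a prefix of the return_to
    path, host equal or matched by a leading '*.' wildcard on the realm."""
    r, t = urlparse(realm), urlparse(return_to)
    if r.fragment or r.scheme != t.scheme or r.port != t.port:
        return False
    if not (t.path or "/").startswith(r.path or "/"):
        return False
    if r.hostname.startswith("*."):
        base = r.hostname[2:]      # '.' in base rejects wildcard-only realms such as *.com
        return "." in base and (t.hostname == base or t.hostname.endswith("." + base))
    return r.hostname == t.hostname

def signature(fields, signed, mac_key):
    """HMAC-SHA256 over the key-value form ('key:value' + newline) of the fields named
    in openid.signed, in that order, with the 'openid.' prefix stripped."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def op_sign(fields, mac_key):
    """OP side: sign the positive assertion before redirecting the UA to return_to."""
    fields["openid.signed"] = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"
    fields["openid.sig"] = signature(fields, fields["openid.signed"], mac_key)
    return fields

def rp_verify(fields, received_at, assoc_handle, mac_key, seen_nonces, now=None, max_skew=300):
    """RP side 'Verification'. Returns (ok, reason); the nonce is recorded only on success."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if fields.get("openid.return_to") != received_at:
        return False, "return_to differs from the URL the response arrived at"
    if fields.get("openid.assoc_handle") != assoc_handle:
        return False, "unknown association handle"
    nonce = fields.get("openid.response_nonce", "")
    try:                               # nonce = UTC timestamp + unique suffix
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed response_nonce"
    if abs((time.time() if now is None else now) - issued) > max_skew:
        return False, "stale response_nonce"
    key = (fields.get("openid.op_endpoint"), nonce)   # nonces are unique per OP endpoint
    if key in seen_nonces:
        return False, "response_nonce already used (replay)"
    signed = fields.get("openid.signed", "")
    names = set(signed.split(","))
    if not REQUIRED_SIGNED <= names or ("openid.claimed_id" in fields and not {"claimed_id", "identity"} <= names):
        return False, "required fields not covered by signature"
    if any("openid." + k not in fields for k in names):
        return False, "signed field missing"
    if not hmac.compare_digest(signature(fields, signed, mac_key), fields.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(key)
    return True, "ok"

def demo(now=None):
    """Constructed run: OP realm checks, a valid assertion, its replay, and the same
    assertion with a tampered claimed_id. mac_key stands in for the association secret."""
    now = time.time() if now is None else now
    mac_key = hashlib.sha256(b"constructed association MAC key").digest()
    return_to = "https://rp.example.com/openid/return?rp.state=17"
    assertion = op_sign({
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": "https://alice.op.example.net/",
        "openid.identity": "https://alice.op.example.net/",
        "openid.return_to": return_to, "openid.assoc_handle": "assoc-1",
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + "x7Qa",
    }, mac_key)
    seen = set()
    results = {
        "realm_ok": return_to_matches_realm("https://*.example.com/", return_to),
        "realm_bad": return_to_matches_realm("https://rp.example.com/", "https://evil.example.org/"),
        "valid": rp_verify(assertion, return_to, "assoc-1", mac_key, seen, now),
        "replay": rp_verify(assertion, return_to, "assoc-1", mac_key, seen, now),
    }
    tampered = dict(assertion, **{"openid.claimed_id": "https://mallory.op.example.net/"})
    results["tampered"] = rp_verify(tampered, return_to, "assoc-1", mac_key, set(), now)
    return results
```

Two details carry the security weight: the nonce is stored only after the signature verifies, so a forged message cannot burn a legitimate nonce, and claimed_id and identity must appear in openid.signed, otherwise an assertion the OP signed for one user could be re-labelled for another without breaking the signature.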
OAuth

OAuth
• sharing your data without sharing your password
• centralized
• OAuth 1.0a (current version)
 • Draft for OAuth 2.0
  http://oauth.net/

Roles
• User owns Resource at Service Provider
• User grants Consumer access to Resource

OAuth Dance
http://fireeagle.yahoo.net/developer/documentation/web_auth

Register Consumer, get Consumer Key
• manually register Consumer at Service Provider
 • identified by Consumer Key / Consumer Secret
 • Callback URL
 • all subsequent Requests must be signed with Secret, Nonce & Timestamp

Sign in with OAuth

Get Request Token
• Consumer asks Service Provider for Request Token
• Request Token identifies authorization workflow
 • not user specific
 • transmitted in URL when User Agent is redirected
HTTP Redirect to Service Provider

Authenticate

Grant Access

HTTP Redirect to Consumer Callback
• OAuth 1.0a: the callback also carries an oauth_verifier that the Consumer must present when it trades the Request Token in (the 1.0a fix for the session fixation attack)

Get Access Token
• Consumer trades Request Token for Access Token
• Access Token grants access to Service Provider on behalf of User
 • user specific

Logged in

Access Resource
• authenticated access on Resource
 • must be signed
   • Consumer Key
   • OAuth Token
   • Timestamp
   • Nonce

OAuth Dance
http://fireeagle.yahoo.net/developer/documentation/web_auth
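Worked example for the Register Consumer, Get Request Token, Get Access Token and Access Resource slides, added by the editor as an illustration of the 1.0a dance; it is not the author's project code. It builds the signature base string and HMAC-SHA1 signature as the Consumer, and on the Service Provider side checks timestamp window, nonce replay, token kind and signature, issues the Request Token, mints the 1.0a oauth_verifier at Grant Access, and trades the Request Token for an Access Token. The base-string and percent-encoding rules follow OAuth 1.0a; the Consumer Key, secrets, URLs and token formats are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse

def pct(s):
    return quote(str(s), safe="-._~")   # RFC 3986 unreserved set only, as OAuth requires

def base_string(method, url, params):
    """METHOD & enc(base URL) & enc(query + oauth params, encoded, sorted, minus oauth_signature)."""
    u = urlparse(url)
    netloc = u.hostname
    if u.port and (u.scheme, u.port) not in (("http", 80), ("https", 443)):
        netloc += f":{u.port}"      # port appears only when it is not the scheme default
    pairs = list(parse_qsl(u.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(f"{u.scheme}://{netloc}{u.path}"), pct(normalized)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # key = enc(Consumer Secret) & enc(Token Secret); the token secret is empty until a token exists
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed_params(ckey, csecret, method, url, token=None, tsecret="", extra=None, now=None):
    """Consumer side: Consumer Key, token, timestamp and a fresh nonce on every request, then sign."""
    p = {"oauth_consumer_key": ckey, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(int(time.time() if now is None else now)),
         "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0", **(extra or {})}
    if token:
        p["oauth_token"] = token
    p["oauth_signature"] = hmac_sha1(method, url, p, csecret, tsecret)
    return p

class ServiceProvider:
    def __init__(self, consumers, max_skew=300):
        self.consumers = consumers   # registered Consumer Key -> Consumer Secret
        self.tokens = {}             # token -> {"secret", "kind", "verifier"}
        self.seen = set()            # (consumer key, timestamp, nonce) already accepted
        self.max_skew = max_skew

    def verify(self, method, url, p, now=None, want_kind=None):
        now = time.time() if now is None else now
        csecret = self.consumers.get(p.get("oauth_consumer_key"))
        if csecret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unknown consumer or signature method"
        ts = p.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(now - int(ts)) > self.max_skew:
            return False, "missing or stale timestamp"
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "nonce already used (replay)"
        entry = self.tokens.get(p.get("oauth_token"), {"secret": "", "kind": None})
        if want_kind and entry["kind"] != want_kind:
            return False, f"expected a {want_kind} token"
        if not hmac.compare_digest(hmac_sha1(method, url, p, csecret, entry["secret"]), p.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen.add(replay_key)    # remember the nonce only once the signature passed
        return True, "ok"

    def mint(self, kind):
        tok, sec = f"{kind}-{secrets.token_hex(4)}", secrets.token_hex(8)
        self.tokens[tok] = {"secret": sec, "kind": kind, "verifier": None}
        return tok, sec

    def request_token(self, method, url, p, now=None):
        ok, why = self.verify(method, url, p, now)
        return (self.mint("request"), "ok") if ok else (None, why)

    def grant(self, tok):
        # User authenticated at the SP and approved the Consumer: mint the 1.0a oauth_verifier
        self.tokens[tok]["verifier"] = secrets.token_hex(4)
        return self.tokens[tok]["verifier"]

    def access_token(self, method, url, p, now=None):
        ok, why = self.verify(method, url, p, now, "request")
        if not ok:
            return None, why
        entry = self.tokens.pop(p["oauth_token"])    # a Request Token is single use
        if not entry["verifier"] or not hmac.compare_digest(entry["verifier"], p.get("oauth_verifier", "")):
            return None, "token not granted or bad verifier"
        return self.mint("access"), "ok"

def demo(now=1_275_000_000):
    """Whole dance with constructed keys, then a replayed and a forged resource request."""
    ckey, csecret = "example-consumer", "constructed-consumer-secret"
    sp = ServiceProvider({ckey: csecret})
    rt_url, at_url = "https://sp.example/oauth/request_token", "https://sp.example/oauth/access_token"
    res_url = "https://sp.example/api/photos?album=3"
    p = signed_params(ckey, csecret, "POST", rt_url, extra={"oauth_callback": "https://consumer.example/cb"}, now=now)
    (rt, rts), _ = sp.request_token("POST", rt_url, p, now)
    verifier = sp.grant(rt)          # after 'Authenticate' and 'Grant Access' at the SP
    p = signed_params(ckey, csecret, "POST", at_url, rt, rts, {"oauth_verifier": verifier}, now)
    (at, ats), _ = sp.access_token("POST", at_url, p, now)
    req = signed_params(ckey, csecret, "GET", res_url, at, ats, now=now)
    return {"resource": sp.verify("GET", res_url, req, now, "access"),
            "replay": sp.verify("GET", res_url, req, now, "access"),
            "forged": sp.verify("GET", res_url, dict(req, oauth_nonce="fresh", oauth_signature="AAAA"), now, "access")}
```

The replay store is keyed by Consumer Key, timestamp and nonce, which is why the Service Provider must bound the timestamp window: without it the set of seen nonces grows forever and an old captured request stays replayable until it happens to collide.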
OpenID vs OAuth

Commonalities
• involves 3 parties
• open protocols - community driven
• HTTP based
• not mutually exclusive

Differences
• sharing: identity vs data resources
• decentralized vs centralized
• Consumer-Provider-Relationship:
 • unknown vs well-known (a Relying Party accepts any OP found by discovery; an OAuth Consumer must be registered with the Service Provider beforehand)

My Project

My Project
• Implement OAuth Service Provider & OAuth Consumer example
• API for manageable resources (ideas)
 • profile pictures
 • activity streams Atom feed extension
 • RESTful API for editing RDF::FOAF data
  http://activitystrea.ms/
  http://www.foaf-project.org/

Questions?
Speaker notes
• plus additional identity data: profile pic, friends, …
• Live Journal (YADIS protocol); OpenID Foundation: Yahoo!, Google, Facebook, PayPal, Verisign, IBM, Microsoft; HERE: no YADIS, no XRI (Extensible Resource Identifier)
• url owned by <openid2.delegate>, verify at <openid2.server> (in OpenID 2.0 HTML discovery the link relations are openid2.local_id and openid2.provider; openid.delegate / openid.server are the OpenID 1.1 names)
• generator g, public prime p, xa = RP's private key, xb = OP's private key
• put in username / password credentials; User selects OpenID Identifier
• url owned by <openid.delegate>, verify at <openid.server>
• History: Flickr, Google AuthSub, Yahoo!, Twitter, Facebook -> OAuth 2.0
• Happens MUCH earlier; signing so that replay attacks cannot be carried out
• OpenID more complicated, indirection
• activity streams: Facebook, MySpace, Google Buzz (draft)
