OpenID vs OAuth - Identity on the Web

Short comparison between OAuth & OpenID

Published in: Technology, Design

  • Notes

  • plus additional identity data: profile pic, friends,…


  • Live Journal (YADIS Protocol)
    OpenID Foundation: Yahoo!, Google, Facebook, PayPal, Verisign, IBM, Microsoft
    HERE: NO YADIS, NO XRI (Extensible Resource Identifier)



  • url owned by <openid2.delegate>
    verify at <openid2.server>

  • generator - g
    public prime - p
    xa = RP's private key
    xb = OP's private key
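The association step from slide 12, worked through as an added example (this is not code from the slides or from any OpenID library). It runs the Diffie-Hellman exchange with the symbols used above (g, p, xa, xb) and then does what OpenID 2.0's DH-SHA256 association does with the result: the OP hides its freshly chosen MAC key under SHA-256 of the shared secret, so only the two public values and the masked key cross the wire. The group parameters are a constructed toy (a 127-bit prime), not the 1024-bit default group the spec names; the function names are this example's own.

```python
import hashlib
import os

# Toy Diffie-Hellman group, constructed for this example only.
# OpenID 2.0 specifies a 1024-bit default group; this small prime keeps
# the numbers readable and must NOT be used for a real association.
P = 2**127 - 1   # a Mersenne prime
G = 5            # generator agreed by both sides (sent as openid.dh_gen)


def private_key() -> int:
    """Random exponent in [2, p-2]; each party keeps its own secret."""
    return 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)


def public_value(x: int) -> int:
    """g^x mod p: the only thing that crosses the wire
    (openid.dh_consumer_public / openid.dh_server_public)."""
    return pow(G, x, P)


def shared_secret(their_public: int, my_private: int) -> int:
    """(g^xb)^xa mod p on the RP side equals (g^xa)^xb mod p on the OP side."""
    return pow(their_public, my_private, P)


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement of a non-negative integer, as OpenID's btwoc() defines it."""
    if n == 0:
        return b"\x00"
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def op_respond(rp_public: int, mac_key: bytes):
    """OpenID Provider: pick xb, derive the shared secret and mask the MAC key
    with it, DH-SHA256 style: enc_mac_key = SHA256(btwoc(secret)) XOR mac_key."""
    xb = private_key()
    secret = shared_secret(rp_public, xb)
    enc_mac_key = xor_bytes(hashlib.sha256(btwoc(secret)).digest(), mac_key)
    return public_value(xb), enc_mac_key


def rp_recover_mac_key(op_public: int, xa: int, enc_mac_key: bytes) -> bytes:
    """Relying Party: the same secret from the OP's public value gives the same mask."""
    secret = shared_secret(op_public, xa)
    return xor_bytes(hashlib.sha256(btwoc(secret)).digest(), enc_mac_key)


def establish_association():
    """Run one association exchange; returns (mac_key_at_rp, mac_key_at_op).
    An eavesdropper sees only the two public values and enc_mac_key."""
    xa = private_key()                       # RP's private key
    rp_public = public_value(xa)             # -> sent to the OP
    op_mac_key = os.urandom(32)              # OP picks a fresh 256-bit HMAC key
    op_public, enc_mac_key = op_respond(rp_public, op_mac_key)  # -> sent back to the RP
    rp_mac_key = rp_recover_mac_key(op_public, xa, enc_mac_key)
    return rp_mac_key, op_mac_key


if __name__ == "__main__":
    rp_key, op_key = establish_association()
    print("both sides hold the same MAC key:", rp_key == op_key)
```

The MAC key recovered here is what the RP later uses to check `openid.sig` on the positive assertion; without an association the RP has to fall back to a direct check_authentication request to the OP.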



  • put in username / password credentials
  • User selects OpenId Identifier


  • url owned by <openid.delegate>
    verify at <openid.server>




  • History:
    - Flickr, Google AuthSub, Yahoo!
    - Twitter
    - Facebook -> OAuth 2.0


  • Happens MUCH earlier
    Signing, so that no replay attacks can be carried out
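The request signing from slides 27 and 38, as an added example that is not from the slides or from any OAuth library: the Consumer builds the OAuth 1.0a signature base string (method, base URL, normalized parameters) and signs it with HMAC-SHA1 under the consumer secret and token secret; the Service Provider recomputes the signature and, to make the replay protection the note refers to concrete, rejects a timestamp outside its window and a nonce it has already accepted. The class and function names, the 300-second window and the constructed credentials are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """OAuth 1.0a percent-encoding: only ALPHA / DIGIT / - . _ ~ stay unencoded."""
    return quote(s, safe="-._~")


def base_url(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query string removed."""
    u = urlsplit(url)
    host = u.hostname or ""
    port = u.port
    if port and not ((u.scheme == "http" and port == 80) or (u.scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{u.scheme.lower()}://{host}{u.path}"


def signature_base_string(method: str, url: str, params) -> str:
    """METHOD & enc(base URL) & enc(normalized parameters).
    params: (name, value) pairs from the body and the oauth_* protocol fields;
    query-string parameters are taken from the URL. oauth_signature is excluded."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)   # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer secret) '&' enc(token secret); result is base64 of the HMAC."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, timestamp=None, nonce=None):
    """Consumer side: attach the oauth_* parameters and the signature over everything."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce or os.urandom(8).hex()),
        ("oauth_version", "1.0"),
    ]
    params = list(body_params) + oauth
    sig = hmac_sha1_signature(signature_base_string(method, url, params),
                              consumer_secret, token_secret)
    return params + [("oauth_signature", sig)]


class ServiceProvider:
    """Service Provider side: recompute the signature and refuse replays."""
    WINDOW = 300  # seconds of clock skew tolerated (assumption)

    def __init__(self, consumers, tokens):
        self.consumers = consumers  # consumer_key -> consumer_secret (registered, slide 27)
        self.tokens = tokens        # access token -> token_secret
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None) -> bool:
        p = dict(params)
        now = int(time.time()) if now is None else now
        try:
            consumer_secret = self.consumers[p["oauth_consumer_key"]]
            token_secret = self.tokens[p["oauth_token"]]
            ts = int(p["oauth_timestamp"])
            nonce = p["oauth_nonce"]
            presented = p["oauth_signature"]
        except (KeyError, ValueError):
            return False
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if abs(now - ts) > self.WINDOW:
            return False                       # stale or future-dated request
        replay_key = (p["oauth_consumer_key"], ts, nonce)
        if replay_key in self.seen:
            return False                       # same nonce and timestamp again: replay
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return False                       # any signed parameter or the URL was altered
        self.seen.add(replay_key)
        return True
```

Because the URL, the query string and the body parameters are all part of the base string, changing any of them invalidates the signature; because the nonce and timestamp are signed too, a captured request cannot be re-sent after the window or submitted twice within it.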

  • OpenID more complicated, indirection

  • activity streams: facebook, MySpace, Google Buzz (draft)

  • Transcript

    • 1. Identity on the Web OpenID vs OAuth Identity Management in SOA Richard Metzler May 2010 1
    • 2. Outline I. User Authentication II. OpenID III. OAuth IV. Compare OpenID & OAuth V. My Project 2
    • 3. User Authentication 3
    • 4. User Authentication • every single website needs my credentials • username / e-mail • password • should be secure • should not be reused • how to remember? 4
    • 5. Resulting Problems • identity is scattered • passwords • millions to remember vs recycling • how to authorize third party access? ➡ Password Anti-Pattern 5
    • 6. OpenID 6
    • 7. OpenID • sharing a single identity with different consumers • decentralized • OpenID 2.0 (without XRI) http://openid.net/ 7
    • 8. Roles in OpenID • User owns account at OpenID Provider • User proves Identity to Relying Party 8
    • 9. OpenID Flow http://www.openaselect.org/trac/openaselect/wiki/OpenID 9
    • 10. Sign in with OpenID Identifier 10
    • 11. Discovery & Delegation obtain OP Endpoint 11
    • 12. Establish Association • shared secret between Relying Party & OpenID Provider • Diffie Hellman Key Exchange • (g^xa)^xb mod p = (g^xb)^xa mod p http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange 12
    • 13. Redirect User Agent to OP Endpoint 13
    • 14. Redirect User Agent to OP Endpoint 14
    • 15. Return URL Verification • OpenID Provider checks: • do Realm and return_to URL match? 15
    • 16. User Authentication 16
    • 17. OpenID Provider presents Realm 17
    • 18. Redirect User Agent to OP Endpoint URL 18
    • 19. Redirect User Agent to OP Endpoint URL 19
    • 20. Verification • Relying Party checks: • return_to URL • OpenID Identifier • was Nonce never used before? • fields signed, signature valid 20
    • 21. Logged in 21
    • 22. OpenID Flow http://www.openaselect.org/trac/openaselect/wiki/OpenID 22
    • 23. OAuth 23
    • 24. OAuth • sharing your data without sharing your password • centralized • OAuth 1.0a (current version) • Draft for OAuth 2.0 http://oauth.net/ 24
    • 25. Roles • User owns Resource at Service Provider • User grants Consumer access to Resource 25
    • 26. OAuth Dance http://fireeagle.yahoo.net/developer/documentation/web_auth 26
    • 27. Register Consumer, get Consumer Key • manually register Consumer at Service Provider • identified by Token / Secret • Callback URL • all subsequent Requests must be signed with Secret, Nonce & Timestamp 27
    • 28. Sign in with OAuth 28
    • 29. Get Request Token • Consumer asks Service Provider for Request Token • Request Token identifies authorization workflow • not user specific • transmitted in URL when User Agent is redirected 29
    • 30. HTTP Redirect to Service Provider 30
    • 31. HTTP Redirect to Service Provider 31
    • 32. Authenticate 32
    • 33. Grant Access 33
    • 34. HTTP Redirect to Consumer Callback 34
    • 35. HTTP Redirect to Consumer Callback 35
    • 36. Get Access Token • Consumer trades Request Token for Access Token • Access Token grants access to Service Provider on behalf of User • user specific 36
    • 37. Logged in 37
    • 38. Access Resource • authenticated access on Resource • must be signed • Consumer Key • OAuth Token • Timestamp • Nonce 38
    • 39. OAuth Dance http://fireeagle.yahoo.net/developer/documentation/web_auth 39
    • 40. OpenID vs OAuth 40
    • 41. Commonalities • involves 3 parties • open protocols - community driven • HTTP based • not mutually exclusive 41
    • 42. Differences • sharing: identity vs data resources • decentralized vs centralized • Consumer-Provider-Relationship: • unknown vs well-known 42
    • 43. My Project 43
    • 44. My Project • Implement OAuth Service Provider & OAuth Consumer example • API for manageable resources (ideas) • profile pictures • activity streams Atom feed extension • RESTful API for editing RDF::FOAF data http://activitystrea.ms/ http://www.foaf-project.org/ 44
    • 45. Questions? 45
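The Relying Party checks from slide 20 (return_to URL, OpenID Identifier, nonce never used before, signed fields and a valid signature), worked through as an added example that is not from the slides or from any OpenID library. The OP side signs the positive assertion with HMAC-SHA256 over the OpenID key-value form of the fields listed in `openid.signed`; the RP refuses a `return_to` that does not match the URL it is serving, a required field left out of the signature, a nonce that is stale or already accepted, and a signature that does not verify under the association's MAC key. The sample assertion, the MAC key, the five-minute nonce window and the class and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Fields a positive assertion must carry under the signature;
# claimed_id and identity are added whenever they are present.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def key_value_form(fields, signed):
    """OpenID Key-Value Form over the signed fields, in openid.signed order."""
    return "".join(f"{name}:{fields[name]}\n" for name in signed).encode()


def sign_assertion(fields, signed, mac_key):
    """OP side: base64(HMAC-SHA256(mac_key, key-value form)) becomes openid.sig."""
    mac = hmac.new(mac_key, key_value_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class RelyingParty:
    NONCE_MAX_AGE = timedelta(minutes=5)  # assumption: tolerated nonce age / clock skew

    def __init__(self, associations):
        self.associations = associations  # assoc_handle -> mac_key from the association step
        self.used_nonces = set()          # (op_endpoint, response_nonce) already accepted

    def verify(self, msg, request_url, now):
        """msg: the assertion's fields with the 'openid.' prefix stripped.
        request_url: the URL this RP actually received the response on.
        Returns (ok, reason) so that each check is visible."""
        if msg.get("mode") != "id_res":
            return False, "not a positive assertion"
        signed = msg.get("signed", "").split(",")
        # 1. return_to must be the URL we are serving right now
        if not self._return_to_matches(msg.get("return_to", ""), request_url):
            return False, "return_to mismatch"
        # 2. every field the decision rests on must be under the signature
        required = list(REQUIRED_SIGNED) + [f for f in ("claimed_id", "identity") if f in msg]
        if any(f not in signed for f in required) or any(f not in msg for f in signed):
            return False, "required field not signed"
        # 3. nonce: fresh, and never accepted before from this OP
        nonce = msg["response_nonce"]
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - issued) > self.NONCE_MAX_AGE:
            return False, "stale nonce"
        nonce_key = (msg["op_endpoint"], nonce)
        if nonce_key in self.used_nonces:
            return False, "nonce already used (replay)"
        # 4. signature over exactly the listed fields with the association's MAC key
        mac_key = self.associations.get(msg["assoc_handle"])
        if mac_key is None:
            return False, "unknown association handle"
        if not hmac.compare_digest(sign_assertion(msg, signed, mac_key), msg.get("sig", "")):
            return False, "bad signature"
        self.used_nonces.add(nonce_key)
        return True, "ok"

    @staticmethod
    def _return_to_matches(presented, request_url):
        """Scheme, authority and path must be equal, and every query parameter
        in return_to must appear with the same value in the request URL."""
        a, b = urlsplit(presented), urlsplit(request_url)
        if (a.scheme, a.netloc, a.path) != (b.scheme, b.netloc, b.path):
            return False
        request_params = parse_qsl(b.query, keep_blank_values=True)
        return all(p in request_params for p in parse_qsl(a.query, keep_blank_values=True))


def make_sample_assertion():
    """Constructed sample: a fixed MAC key and a positive assertion signed by the OP.
    Returns (rp, msg, request_url, now)."""
    mac_key = bytes(range(32))   # constructed; a real key comes from the association step
    fields = {
        "op_endpoint": "https://op.example/endpoint",
        "return_to": "https://rp.example/openid/return?sid=42",
        "response_nonce": "2010-05-01T12:00:00Zabc123",
        "assoc_handle": "assoc-1",
        "claimed_id": "https://alice.example/",
        "identity": "https://alice.example/",
    }
    signed = list(fields)        # all six fields go under the signature
    msg = dict(fields, ns="http://specs.openid.net/auth/2.0", mode="id_res",
               signed=",".join(signed), sig=sign_assertion(fields, signed, mac_key))
    rp = RelyingParty({"assoc-1": mac_key})
    now = datetime(2010, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    return rp, msg, "https://rp.example/openid/return?sid=42", now
```

The order of the checks matters less than their completeness: an assertion whose `identity` field is altered fails the signature check, an assertion delivered a second time fails the nonce check, and an assertion aimed at a different `return_to` never reaches the signature check at all.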