OpenID vs OAuth - Identity on the Web
Short comparison between OAuth & OpenID


Usage Rights

© All Rights Reserved
Comments

  • What is OAuth and how can I use it in my ASP.NET website? Please tell me one simple example.
Speaker Notes (by slide number; slides without notes are omitted)

  • 4. plus additional identity data: profile pic, friends, …
  • 7. LiveJournal (YADIS protocol). OpenID Foundation: Yahoo!, Google, Facebook, PayPal, Verisign, IBM, Microsoft. HERE: no YADIS, no XRI (Extensible Resource Identifier)
  • 11. URL owned by / verify at
  • 12. generator g, public prime p, xa = RP's private key, xb = OP's private key
  • 16. put in username / password credentials
  • 17. User selects OpenID Identifier
  • 20. URL owned by / verify at
  • 24. History: Flickr, Google AuthSub, Yahoo!, Twitter, Facebook -> OAuth 2.0
  • 27. Happens MUCH earlier. Signing, so that no replay attacks can be carried out
  • 42. OpenID more complicated, indirection
  • 44. activity streams: Facebook, MySpace, Google Buzz (draft)

OpenID vs OAuth - Identity on the Web Presentation Transcript

  • 1. Identity on the Web: OpenID vs OAuth. Identity Management in SOA. Richard Metzler, May 2010
  • 2. Outline
    I. User Authentication
    II. OpenID
    III. OAuth
    IV. Compare OpenID & OAuth
    V. My Project
  • 3. User Authentication
  • 4. User Authentication
    • every single website needs my credentials
    • username / e-mail
    • password
    • should be secure
    • should not be reused
    • how to remember?
  • 5. Resulting Problems
    • identity is scattered
    • passwords: millions to remember vs recycling
    • how to authorize third party access? ➡ Password Anti-Pattern
  • 6. OpenID
  • 7. OpenID
    • sharing a single identity with different consumers
    • decentralized
    • OpenID 2.0 (without XRI)
    http://openid.net/
  • 8. Roles in OpenID
    • User owns account at OpenID Provider
    • User proves Identity to Relying Party
  • 9. OpenID Flow
    http://www.openaselect.org/trac/openaselect/wiki/OpenID
  • 10. Sign in with OpenID Identifier
  • 11. Discovery & Delegation: obtain OP Endpoint
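Slide 11 covers discovery and delegation without showing what the Relying Party actually reads. The Python below is an added example, not code from the deck: it performs the HTML-based discovery an RP runs on the page behind a claimed identifier (identifier normalization, the openid2.provider link, and the openid2.local_id link that delegates to an account at another OP), and then checks a positive assertion against what discovery found. The sample page and the example.com / example.net hosts are constructed for this demonstration.

```python
"""OpenID 2.0 HTML-based discovery with delegation (added example, not the deck's code).

An RP fetches the claimed identifier, reads the <link rel="openid2.provider"> and
<link rel="openid2.local_id"> tags, and later checks that the OP asserting the identity
is the one discovery found. Sample page and hosts are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the page at http://alice.example.com/ delegates to an account at an
# OpenID Provider on example.net. The openid.server line is the OpenID 1.x form, ignored here.
SAMPLE_HTML = """
<html><head>
  <title>Alice</title>
  <link rel="openid2.provider" href="https://op.example.net/server">
  <link rel="openid2.local_id" href="https://op.example.net/users/alice">
  <link rel="openid.server" href="https://op.example.net/server">
</head><body>Hello</body></html>
"""


def normalize_identifier(user_input: str) -> str:
    """Identifier normalization an RP does before discovery (URL identifiers only, no XRI):
    add http:// if no scheme, lower-case scheme and host, empty path -> "/", drop fragment."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = {}  # rel -> href; the first matching link wins, as the spec requires

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        for rel in (a.get("rel") or "").split():
            if href and rel not in self.links:
                self.links[rel] = href


def html_discover(claimed_id: str, page_html: str) -> dict:
    """Return the OP endpoint, the claimed identifier and the OP-local identifier.
    Without an openid2.local_id tag the claimed identifier itself is the local id."""
    p = _LinkCollector()
    p.feed(page_html)
    endpoint = p.links.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no openid2.provider link: not an OpenID 2.0 identifier")
    return {"op_endpoint": endpoint, "claimed_id": claimed_id,
            "op_local_id": p.links.get("openid2.local_id", claimed_id)}


def assertion_matches_discovery(discovered: dict, assertion: dict) -> bool:
    """The check that makes delegation safe: the OP that signed the assertion must be the one
    discovery found for the claimed identifier, and the asserted identity must be the
    delegated local id. Otherwise any OP could assert ownership of any identifier."""
    return (assertion.get("openid.op_endpoint") == discovered["op_endpoint"]
            and assertion.get("openid.claimed_id") == discovered["claimed_id"]
            and assertion.get("openid.identity") == discovered["op_local_id"])


if __name__ == "__main__":
    claimed = normalize_identifier("Alice.Example.com")
    print(html_discover(claimed, SAMPLE_HTML))
```

In a real RP the page is fetched over HTTP (following redirects, with the final URL becoming the claimed identifier) and YADIS/XRDS discovery is tried first; the deck restricts itself to the HTML form, which is what is shown here.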
  • 12. Establish Association
    • shared secret between Relying Party & OpenID Provider
    • Diffie-Hellman Key Exchange
    • (g^xa)^xb mod p = (g^xb)^xa mod p
    http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
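Slide 12's key exchange, as an added example that is not part of the deck: both sides of a DH-SHA256 association are simulated in one process, so the reader can see that the RP and the OP arrive at the same g^(xa·xb) mod p and how the OP uses that value to wrap the association's HMAC key. Values are encoded as btwoc (big-endian two's complement) and base64 as the OpenID 2.0 spec requires. The modulus is the spec's 1024-bit default from Appendix B, transcribed here with a Miller-Rabin check on the transcription; the association handle and the MAC key are generated on the fly.

```python
"""OpenID 2.0 association over a DH-SHA256 session (added example, not the deck's code).

RP and OP are both simulated: (g^xa)^xb mod p == (g^xb)^xa mod p, and the OP wraps the
HMAC key as enc_mac_key = SHA-256(btwoc(shared)) XOR mac_key.
"""
import base64
import hashlib
import secrets

# 1024-bit default modulus and generator from Appendix B of the OpenID Authentication 2.0
# spec, transcribed here; is_probable_prime() lets the reader check the transcription.
DEFAULT_P = int(
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61E"
    "F75A2E27898B057F9891C2E27A639C3F29B60814581CD3B2CA3986D268370557"
    "7D45C2E7E52DC81C7A171876E5CEA74B1448BFDFAF18828EFD2519F14E45E382"
    "6634AF1949E5B535CC829A483B8A76223E5D490A257F05BDFF16F2FB22C583AB", 16)
DEFAULT_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used only to sanity-check the modulus constant above."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def btwoc(n: int) -> bytes:
    """Big-endian two's complement of a non-negative int, the spec's encoding for DH values:
    the shortest byte string whose top bit is clear (0x7f -> 7f, 0x80 -> 00 80)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def dh_keypair(p: int = DEFAULT_P, g: int = DEFAULT_G) -> tuple:
    x = secrets.randbelow(p - 2) + 1  # private exponent in [1, p-2]
    return x, pow(g, x, p)            # (private, public = g^x mod p)


def rp_association_request(xa_pub: int) -> dict:
    """Direct request the RP POSTs to the OP endpoint (openid.mode=associate)."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "associate",
            "openid.assoc_type": "HMAC-SHA256", "openid.session_type": "DH-SHA256",
            "openid.dh_consumer_public": base64.b64encode(btwoc(xa_pub)).decode()}


def op_association_response(req: dict, p: int = DEFAULT_P, g: int = DEFAULT_G) -> tuple:
    """OP side: pick xb, derive the shared value, wrap a fresh 32-byte MAC key.
    Returns (response fields, mac_key); the OP stores mac_key under assoc_handle."""
    xa_pub = int.from_bytes(base64.b64decode(req["openid.dh_consumer_public"]), "big")
    if not 1 < xa_pub < p - 1:              # 0, 1 and p-1 would force a trivial shared value
        raise ValueError("invalid dh_consumer_public")
    xb, xb_pub = dh_keypair(p, g)
    shared = pow(xa_pub, xb, p)             # (g^xa)^xb mod p
    mac_key = secrets.token_bytes(32)
    mask = hashlib.sha256(btwoc(shared)).digest()
    enc = bytes(a ^ b for a, b in zip(mask, mac_key))
    return ({"assoc_handle": secrets.token_hex(8), "session_type": "DH-SHA256",
             "assoc_type": "HMAC-SHA256", "expires_in": "1209600",
             "dh_server_public": base64.b64encode(btwoc(xb_pub)).decode(),
             "enc_mac_key": base64.b64encode(enc).decode()}, mac_key)


def rp_unwrap_mac_key(resp: dict, xa: int, p: int = DEFAULT_P) -> bytes:
    """RP side: recompute the shared value with its own exponent and unwrap the key."""
    xb_pub = int.from_bytes(base64.b64decode(resp["dh_server_public"]), "big")
    shared = pow(xb_pub, xa, p)             # (g^xb)^xa mod p: the same number
    mask = hashlib.sha256(btwoc(shared)).digest()
    return bytes(a ^ b for a, b in zip(mask, base64.b64decode(resp["enc_mac_key"])))


def establish_association() -> tuple:
    """Run the exchange end to end; returns (mac_key unwrapped by RP, mac_key kept by OP)."""
    xa, xa_pub = dh_keypair()
    resp, op_key = op_association_response(rp_association_request(xa_pub))
    return rp_unwrap_mac_key(resp, xa), op_key


if __name__ == "__main__":
    rp_key, op_key = establish_association()
    print("RP and OP agree on the MAC key:", rp_key == op_key)
```

The MAC key itself never crosses the wire, only its XOR with the hash of the shared value, so a passive observer of a plain-HTTP association learns nothing. An active attacker can still swap in its own public value, which is why the RP must later verify that the endpoint it associated with is the one discovery returned for the user's identifier.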
  • 13. Redirect User Agent to OP Endpoint
  • 14. Redirect User Agent to OP Endpoint
  • 15. Return URL Verification
    • OpenID Provider checks: do Realm and return_to URL match?
  • 16. User Authentication
  • 17. OpenID Provider presents Realm
  • 18. Redirect User Agent back to the Relying Party's return_to URL
  • 19. Redirect User Agent back to the Relying Party's return_to URL
  • 20. Verification
    • Relying Party checks:
    • return_to URL
    • OpenID Identifier
    • was Nonce never used before?
    • fields signed, signature valid
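Slides 15 and 20 list the checks on both sides of the redirect without showing them. The Python below is an added example, not the deck's code: the OP signs a positive assertion with the association's MAC key, and the RP verifies that return_to is its own URL and lies within its realm, that the required fields are covered by the signature, that the HMAC-SHA256 signature verifies, and that response_nonce carries a timestamp within clock skew and has never been seen before. The realm, URLs, handle and key are constructed for this demonstration.

```python
"""Relying-Party checks on an OpenID 2.0 positive assertion (added example, not the deck's code).

One process plays both sides: the OP signs the assertion, the RP runs slide 15's realm
check and slide 20's signature and nonce checks. Realm, URLs, handle and key are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-Value Form the spec signs: 'name:value\\n' per signed field, in the listed order,
    with the 'openid.' prefix stripped from the names."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def op_sign(fields: dict, mac_key: bytes) -> dict:
    """OP side: sign the listed fields and add openid.signed / openid.sig."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    out = dict(fields, **{"openid.signed": ",".join(signed)})
    mac = hmac.new(mac_key, kv_form(out, signed), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Slide 15: same scheme and port, host equal (or a subdomain for a '*.' realm),
    realm path a prefix of the return_to path; a realm may carry no query or fragment."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.query or rl.fragment or rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    host_ok = rt.hostname == rl.hostname or (
        rl.hostname.startswith("*.") and rt.hostname.endswith(rl.hostname[1:]))
    return host_ok and rt.path.startswith(rl.path or "/")


def signed_fields_ok(a: dict, signed: list) -> bool:
    """Every listed field must exist, the mandatory set must be signed, and when the OP
    asserts a claimed_id both claimed_id and identity must be signed as well."""
    present = all("openid." + k in a for k in signed)
    need = REQUIRED_SIGNED | ({"claimed_id", "identity"} if "openid.claimed_id" in a else set())
    return present and need <= set(signed)


class RelyingParty:
    def __init__(self, realm, return_to, assoc_handle, mac_key, skew=timedelta(minutes=5)):
        self.realm, self.return_to, self.skew = realm, return_to, skew
        self.assocs = {assoc_handle: mac_key}  # from the association step
        self.seen_nonces = set()               # persist across requests in a real RP

    def verify(self, a: dict, now=None) -> tuple:
        """Slide 20's checks, fail-closed, returning (ok, reason)."""
        now = now or datetime.now(timezone.utc)
        if a.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        rt = a.get("openid.return_to", "")
        if rt != self.return_to or not return_to_matches_realm(rt, self.realm):
            return False, "return_to does not match this RP / realm"
        signed = a.get("openid.signed", "").split(",")
        if not signed_fields_ok(a, signed):
            return False, "required fields are not covered by the signature"
        key = self.assocs.get(a.get("openid.assoc_handle"))
        if key is None:
            return False, "unknown association handle"
        expected = hmac.new(key, kv_form(a, signed), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(a.get("openid.sig", ""))):
            return False, "bad signature"
        nonce = a["openid.response_nonce"]
        try:  # nonce = UTC timestamp 'YYYY-MM-DDThh:mm:ssZ' followed by unique ASCII chars
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - ts) > self.skew:
            return False, "nonce timestamp outside allowed clock skew"
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        self.seen_nonces.add(nonce)
        return True, "verified"


def make_assertion(op_endpoint, claimed_id, return_to, handle, mac_key, now=None) -> dict:
    """OP side: build and sign a positive assertion for the user's claimed identifier."""
    now = now or datetime.now(timezone.utc)
    fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
              "openid.identity": claimed_id, "openid.return_to": return_to,
              "openid.assoc_handle": handle,
              "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_urlsafe(6)}
    return op_sign(fields, mac_key)
```

The order of the checks matters: the signature is verified before the nonce is recorded, so an unsigned forgery cannot burn a nonce, and the nonce store has to be persistent and shared across all RP instances or the replay check is void. The identifier check from slide 20 (that op_endpoint, claimed_id and identity agree with discovery) is the same comparison shown with the discovery example above and is not repeated here.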
  • 21. Logged in
  • 22. OpenID Flow
    http://www.openaselect.org/trac/openaselect/wiki/OpenID
  • 23. OAuth
  • 24. OAuth
    • sharing your data without sharing your password
    • centralized
    • OAuth 1.0a (current version)
    • Draft for OAuth 2.0
    http://oauth.net/
  • 25. Roles
    • User owns Resource at Service Provider
    • User grants Consumer access to Resource
  • 26. OAuth Dance
    http://fireeagle.yahoo.net/developer/documentation/web_auth
  • 27. Register Consumer, get Consumer Key
    • manually register Consumer at Service Provider
    • identified by Consumer Key / Consumer Secret
    • Callback URL
    • all subsequent Requests must be signed with Secret, Nonce & Timestamp
  • 28. Sign in with OAuth
  • 29. Get Request Token
    • Consumer asks Service Provider for Request Token
    • Request Token identifies the authorization workflow
    • not user specific
    • transmitted in URL when User Agent is redirected
  • 30. HTTP Redirect to Service Provider
  • 31. HTTP Redirect to Service Provider
  • 32. Authenticate
  • 33. Grant Access
  • 34. HTTP Redirect to Consumer Callback
  • 35. HTTP Redirect to Consumer Callback
  • 36. Get Access Token
    • Consumer trades Request Token for Access Token
    • Access Token grants access to Service Provider on behalf of User
    • user specific
  • 37. Logged in
  • 38. Access Resource
    • authenticated access on Resource
    • must be signed: Consumer Key, OAuth Token, Timestamp, Nonce
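Slides 27 and 38 say every request after registration must be signed with the consumer secret, a nonce and a timestamp, but not how. The Python below is an added example, not the deck's code: the consumer builds the OAuth 1.0a signature base string from the HTTP method, the base URL and the normalized parameters, signs it with HMAC-SHA1 under "consumer secret & token secret", and the service provider rebuilds the same string from the request it received, rejecting unknown keys, stale timestamps, bad signatures and reused nonces. The consumer key and secret, the tokens and the API URL are constructed for this demonstration.

```python
"""OAuth 1.0a HMAC-SHA1 signing and provider-side verification (added example, not the deck's code).

Consumer: build the signature base string and sign it. Service Provider: rebuild it from
the received request and check key, timestamp, signature and nonce. Keys, tokens and the
API URL are constructed for this demonstration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(s) -> str:
    """Percent-encoding as OAuth 1.0 defines it: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(s), safe="-._~")


def base_url(url: str) -> str:
    """Scheme and host lower-cased, default ports dropped, query and fragment removed."""
    u = urlsplit(url)
    host = u.hostname
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host = f"{host}:{u.port}"
    return urlunsplit((u.scheme.lower(), host, u.path, "", ""))


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Query + body + oauth_* parameters (never oauth_signature) encoded, sorted, joined."""
    pairs = list(params.items()) + parse_qsl(urlsplit(url).query)
    items = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret="") -> str:
    """HMAC-SHA1 over the base string, keyed with '<consumer secret>&<token secret>'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def consumer_sign_request(method, url, params, consumer_key, consumer_secret,
                          token=None, token_secret="", now=None) -> dict:
    """Consumer side: add the oauth_* parameters slide 38 lists, then the signature over all."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time() if now is None else now)),
             "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0"}
    if token:
        oauth["oauth_token"] = token
    signed = {**params, **oauth}
    signed["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return signed


class ServiceProvider:
    def __init__(self, consumers: dict, tokens: dict, window: int = 300):
        self.consumers = consumers   # consumer key -> consumer secret (from registration)
        self.tokens = tokens         # access token -> (token secret, user it was issued to)
        self.window = window         # accepted clock skew in seconds
        self.seen = set()            # (consumer key, timestamp, nonce); persist this for real

    def verify(self, method, url, params, now=None) -> tuple:
        """Return (ok, reason). Cheap checks first; the nonce is recorded only after the
        signature verifies, so unsigned junk cannot exhaust a consumer's nonces."""
        now = time.time() if now is None else now
        csecret = self.consumers.get(params.get("oauth_consumer_key"))
        if csecret is None:
            return False, "unknown consumer key"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        tsecret, user = "", None
        if "oauth_token" in params:
            if params["oauth_token"] not in self.tokens:
                return False, "unknown token"
            tsecret, user = self.tokens[params["oauth_token"]]
        expected = sign(method, url, params, csecret, tsecret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return False, "nonce replayed"
        self.seen.add(replay_key)
        return True, (f"authenticated as {user}" if user else "authenticated consumer")
```

The base string is what binds the signature to method, URL and parameters, which is why the provider has to rebuild it from what it actually received rather than trust anything the consumer sends. The nonce is only meaningful together with the timestamp window: the provider must remember (consumer key, timestamp, nonce) for at least the length of the window. The same signing applies to the request-token and access-token calls of slides 29 and 36; there the token secret is empty for the first call and the request-token secret for the second.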
  • 39. OAuth Dance
    http://fireeagle.yahoo.net/developer/documentation/web_auth
  • 40. OpenID vs OAuth
  • 41. Commonalities
    • involve 3 parties
    • open protocols, community driven
    • HTTP based
    • not mutually exclusive
  • 42. Differences
    • sharing: identity vs data resources
    • decentralized vs centralized
    • Consumer-Provider relationship: unknown vs well-known
  • 43. My Project
  • 44. My Project
    • Implement OAuth Service Provider & OAuth Consumer example
    • API for manageable resources (ideas): profile pictures, activity streams (Atom feed extension)
    • RESTful API for editing RDF::FOAF data
    http://activitystrea.ms/
    http://www.foaf-project.org/
  • 45. Questions?