OpenID & Oauth Open Standards for Authentication and Authorization (An introduction)

The Open Web Unencumbered, Cross-Platform Standards Open Source / Free Software Implementations No Single-Vendor "Lock-In” Distributed Extensibility http://developer.mozilla.org/presentations/sxsw2007/the_open_web/

Unencumbered, Cross-Platform Standards

Open Source / Free Software Implementations

No Single-Vendor "Lock-In”

Distributed Extensibility

OpenID is… Lightweight Distributed User-Centric (not Site-Centric)

Lightweight

Distributed

User-Centric (not Site-Centric)

OpenID is also… Built on web standards DNS/HTTP/SSL Diffie-Hellman (PKI)

Built on web standards

DNS/HTTP/SSL

Diffie-Hellman (PKI)

History 2005: Developed by Brad Fitzpatrick, Creator of LiveJournal 2006: Delegation, XRI support, extensions: OpenID 2.0 2007: OpenID Foundation 2008: More than 13,000 Consuming Sites http://en.wikipedia.org/wiki/OpenID#History

2005: Developed by Brad Fitzpatrick, Creator of LiveJournal

2006: Delegation, XRI support, extensions: OpenID 2.0

2007: OpenID Foundation

2008: More than 13,000 Consuming Sites

OpenID In The Wild

A Solution For… Maintaining Usernames Password Overload (insecurity) Site-centric Identity

Maintaining Usernames

Password Overload (insecurity)

Site-centric Identity

Basics An OpenID is a URL http://redmonk.net Provider http://myopenid.com Relying Parties Delegation http://redmonk.myopenid.com

An OpenID is a URL

http://redmonk.net

Provider

http://myopenid.com

Relying Parties

Delegation

http://redmonk.myopenid.com

The Dance (Conversation)

DEMO LiveJournal User Ma.gnolia One-Time Authentication Persistent Authentication

LiveJournal User

Ma.gnolia

One-Time Authentication

Persistent Authentication

The “Open” in OpenID Delegation support is required <link rel=“openid.delegate” /> Multiple accounts, multiple Providers No Lock-in

Delegation support is required

<link rel=“openid.delegate” />

Multiple accounts, multiple Providers

No Lock-in

Q & A

Oauth is… “ OAuth is like a valet key for all your web services . A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or redline the RPMs on your high end German automobile. In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.” http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550

“ OAuth is like a valet key for all your web services . A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or redline the RPMs on your high end German automobile. In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.”

http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550

Authentication Similar to: AuthSub (Google) BBAuth (Yahoo) Flickr Auth OpenAuth (AOL)

Similar to:

AuthSub (Google)

BBAuth (Yahoo)

Flickr Auth

OpenAuth (AOL)

API Level Application To Application “ Agency”

Application To Application

“ Agency”

Basics User Service Provider Consumer Protected Resources Tokens http://oauth.net/documentation/getting-started

User

Service Provider

Consumer

Protected Resources

Tokens

The Dance (Conversation) (Developed from: http:// oauth.net/core/diagram.png )

(Developed from: http:// oauth.net/core/diagram.png )

Who’s Supporting Oauth? Google FireEagle (Yahoo) Ma.gnolia Amazon Flickr Digg And more…

Google

FireEagle (Yahoo)

Ma.gnolia

Amazon

Flickr

Digg

And more…

Q & A

Sources http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007 http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange http://en.wikipedia.org/wiki/OpenID#History http://wiki.openid.net/ http://openid.net http://oauth.net http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550 http://oauth.net/core/diagram.png http://www.slideshare.net/leahculver/oauth-open-api-authentication http://www.slideshare.net/daveman692/open-platforms-in-web-20

http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

http://en.wikipedia.org/wiki/OpenID#History

http://wiki.openid.net/

http://openid.net

http://oauth.net

http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550

http://oauth.net/core/diagram.png

http://www.slideshare.net/leahculver/oauth-open-api-authentication

http://www.slideshare.net/daveman692/open-platforms-in-web-20

Your Host Steve Ivy [email_address] Open Standards, Open Source Agitator http://redmonk.net/

Steve Ivy

[email_address]

Open Standards, Open Source Agitator

http://redmonk.net/