F. Questier, Authentication options for Open edX: focus on OAuth and OpenID, presentation for the Erasmus+ MarMOOC project, Universidade de Vigo, Spain, 04/04/2018

1. Federated identity: a technological overview (part II/II)
Authentication options for Open edX:
focus on OAuth and OpenID
Prof. dr. Frederik Questier
Vrije Universiteit Brussel
Presented at Universidade de Vigo, Spain, April 2018
Project No. 573583-EPP-1-2016-1-ES-EPPKA2-CBHE-SP (2016-2558/001-001)

2. Who needs access
to your Open edX server?

3. Who needs access
to your Open edX server?

4. Who do you need to
authenticate / identify?
➢ Authentication: could be self-registration
➢ Identification: real name

10. Open edX
➢ Supported Identity Providers
➢ OAuth2, OAuth1
➢ Google, Facebook, LinkedIn, Microsoft Azure AD (365),…
➢ SAML 2 / Shibboleth
➢ Learning Tools Interoperability (LTI)
➢ Provisionally Supported Identity Providers
➢ OpenID
➢ Apache-hosted Shibboleth
➢ SSL client certificates
➢ Central Authentication Service (CAS)

11. Open standards
Development history
2005 2007 2012 2014
OpenID OpenID2 OpenID Connect
Oauth OAuth2

12. is an authentication layer on top of

14. Use cases designed for?
➢ OpenID
➢ Federated authentication
➢ Login at site B with your credentials from site A (identity
provider) without giving B your password.
➢ E.g. login at edX by verifying at Google.
➢ Oauth
➢ Delegated authorization
➢ Authorize app/site B to access your data at site A without
giving B your password.
➢ E.g. allow mobile edX app access to your edX server data

15. In practice,
also by Open edX, ...
➢ OAuth is often abused for pseudo-authentication
➢ Possible
➢ But requires custom code for each authorization provider.
➢ Well known for the famous ones like Google and Facebook
➢ Provided by Open edX

16. Here is the Here you
go
Google –
The Identity Provider
Here is the Here you
go
Google –
The Identity Provider
OpenID Authentication
vs.
Pseudo-Authentication using OAuth
adapted from a drawing by @_nat_en
*valet key = limited scope
OAuth Token
& the API Provider
Who are YOU? Send me a
notarized referral letter.
Give me the valet key* to
your house (account) so
that I know you are the
owner of the house
Please issue me a
valet key* for the core APIs
valet key*
certificate
Please write a referral
stating that I'm user@gmail
name: Real Name
email: user@gmail
notary: Google
name: Real Name
email: user@gmail
notary: Google

17. OpenID = user-centric :)
➢ Dream: login everywhere with your preferred identity
provider or with your own URL
➢ e.g. login by writing “http://questier.com“
➢ = my server that runs openid identity server
➢ or that has rel-link to http://questier.myopenid.com

18. The user-centric dream killed :(
➢ 2014 MyOpenID shuts down
➢ Facebook OpenID connect → Facebook Connect
➢ 2018 Stackexchange OpenID support shuts down

21. Recommendation 1
Check which of these Open edX solutions
fit your institutional identity provider
➢ Supported Identity Providers
➢ OAuth2, OAuth1
➢ Google, Facebook, LinkedIn, Microsoft Azure AD (365),…
➢ SAML 2 / Shibboleth
➢ Learning Tools Interoperability (LTI)
➢ Provisionally Supported Identity Providers
➢ OpenID
➢ Apache-hosted Shibboleth
➢ SSL client certificates
➢ Central Authentication Service (CAS)

22. Recommendation 2
Check Open edX manual

23. Recommendation 3
Consider if you want to identify
MarMOOC members or others

24. Additional copyright credits
➢
https://commons.wikimedia.org/wiki/File:OpenIDvs.Pseudo-AuthenticationusingOAuth.svg CC0
➢ Social Icons by Iconshock http://www.iconshock.com/social-icons/

25. This presentation was made with 100% Free Software
No animals were harmed
Questier.com
Frederik AT Questier.com
www.linkedin.com/in/fquestie
www.diigo.com/user/frederikquestier
www.slideshare.net/Frederik_Questier
Q
uestions?
Merci!