Distributed Identities with OpenID
Bastian Hofmann, VZnet Netzwerke Ltd.
Tuesday, 12 October 2010
Talk about distributed identities with OpenID and OpenID Connect for WebTech 2010
1. Distributed Identities with OpenID
    Bastian Hofmann, VZnet Netzwerke Ltd.
    Tuesday, 12 October 2010

2. Agenda
    • What are Identities?
    • The history of Identity Providers
    • Trying it the open way: OpenID
    • The rise of Social
    • OpenID's future

3. Identities in real life

4. Do you really have only one identity?
    Lothar Krappmann:
    - Identity is conveyed by communication
    - Identity is not fixed but is recreated in every communication with your fellows
    - Expectations of different people result in different identities

5. Example: Paul Adams
    http://www.slideshare.net/padday/the-real-life-social-network-v2

6. Identities in the Web

7. Register, Register, Register, ...

8. Single Sign-On
    (image credit: ul_Marga)

9. Microsoft Passport / Live ID
    • Windows Live ID
    • Launched 1999 as .NET Passport
    • Used mainly for Microsoft services, but not much outside
    • OpenID Provider since 2008

10. OpenID
    • Open decentralized user authentication
    http://openid.net/

11. The Client

12. Discovery
    <link rel="openid.server" href="http://www.myopenid.com/server" />
    <link rel="openid2.provider" href="http://www.myopenid.com/server" />

    Delegation
    <meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
    <link rel="openid2.provider" href="http://www.myopenid.com/server" />
    <link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
    <link rel="openid.server" href="http://www.myopenid.com/server" />
    <link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
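As an added example (not code from the talk), here is a Python parser for the HTML-based discovery shown on the slide: it collects the link tags from the identifier page, prefers the OpenID 2.0 rels over the 1.x ones, and reports the X-XRDS-Location hint so a relying party can prefer Yadis discovery. The sample page is constructed from the slide's tags.

```python
import html.parser
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the delegation page from the slide, with the
# line-wrapped URLs joined back together.
SAMPLE_HTML = """<html><head>
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
</head><body>identity page</body></html>"""

@dataclass
class Discovery:
    protocol: str                  # "2.0" or "1.1"
    endpoint: str                  # OP endpoint the checkid request goes to
    local_id: Optional[str]        # delegated identifier, if any
    xrds_location: Optional[str]   # Yadis document, preferred when present

class _LinkCollector(html.parser.HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = {}   # rel -> href (first occurrence wins)
        self.xrds = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.links.setdefault(rel.lower(), a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.xrds = a.get("content")

def discover(html_text: str) -> Discovery:
    """HTML discovery: prefer OpenID 2.0 rels, fall back to the 1.x ones.
    The RP must remember the endpoint found here and compare it with the
    op_endpoint in the OP's later response before trusting that response."""
    p = _LinkCollector()
    p.feed(html_text)
    if "openid2.provider" in p.links:
        return Discovery("2.0", p.links["openid2.provider"],
                         p.links.get("openid2.local_id"), p.xrds)
    if "openid.server" in p.links:
        return Discovery("1.1", p.links["openid.server"],
                         p.links.get("openid.delegate"), p.xrds)
    raise ValueError("no OpenID provider link found on identifier page")
```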
13. Connection Flow

14. DEMO

15. Authentication vs Authorization
    Who is the user? Is this really user X?
    VS
    Is X allowed to do something? Does X have the permission?
    Client sites want more than just a unique identifier (Social Graph)

16. But there are Spec Extensions
    (image credit: decafinata)

17. Simple Registration
    • Allows the request to specify certain fields that must or should be returned by the Identity Provider
    Request:
    openid.sreg.required=fullname&
    openid.sreg.optional=email,gender
    Response:
    openid.sreg.fullname=Bastian&openid.sreg.gender=male

18. Attribute Exchange
    • Two-way exchange of data possible
    openid.ns.ax=http://openid.net/srv/ax/1.0
    openid.ax.mode=fetch_request
    openid.ax.type.fname=http://example.com/schema/fullname
    openid.ax.type.gender=http://example.com/schema/gender
    openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
    openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
    openid.ax.count.fav_movie=3
    openid.ax.required=fname,gender
    openid.ax.if_available=fav_dog,fav_movie
    openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41

19. Attribute Exchange
    • Two-way exchange of data possible
    openid.ns.ax=http://openid.net/srv/ax/1.0
    openid.ax.mode=fetch_response
    openid.ax.type.fname=http://example.com/schema/fullname
    openid.ax.type.gender=http://example.com/schema/gender
    openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
    openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
    openid.ax.value.fname=John Smith
    openid.ax.count.gender=0
    openid.ax.value.fav_dog=Spot
    openid.ax.count.fav_movie=2
    openid.ax.value.fav_movie.1=Movie1
    openid.ax.value.fav_movie.2=Movie2
    openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41

20. Attribute Exchange
    • Two-way exchange of data possible
    openid.ns.ax=http://openid.net/srv/ax/1.0
    openid.ax.mode=store_request
    openid.ax.type.fname=http://example.com/schema/fullname
    openid.ax.value.fname=Bob Smith
    openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
    openid.ax.count.fav_movie=2
    openid.ax.value.fav_movie.1=Movie1
    openid.ax.value.fav_movie.2=Movie2

    openid.ns.ax=http://openid.net/srv/ax/1.0
    openid.ax.mode=store_response_success
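The fetch_response on slide 19 mixes single values, a count of 0 (no value) and numbered multi-values, and a relying party must also make sure the attribute fields were covered by the OP's signature. As an added example (not from the talk), here is a Python parser for that response which handles those cases and rejects any AX field that is not listed in openid.signed; the sample response is constructed from the slide, and the assumption that openid.signed covers all AX fields is my own.

```python
from typing import Dict, List
AX_NS = "http://openid.net/srv/ax/1.0"
# Constructed sample: the slide's fetch_response as the RP receives it in the
# OP's indirect response; openid.signed is assumed to cover every AX field.
RESPONSE = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.fname": "http://example.com/schema/fullname",
    "openid.ax.type.gender": "http://example.com/schema/gender",
    "openid.ax.type.fav_movie": "http://example.com/schema/favourite_movie",
    "openid.ax.value.fname": "John Smith",
    "openid.ax.count.gender": "0",
    "openid.ax.count.fav_movie": "2",
    "openid.ax.value.fav_movie.1": "Movie1",
    "openid.ax.value.fav_movie.2": "Movie2",
    "openid.ax.update_url": "http://idconsumer.com/update?transaction_id=a6b5c41",
}
RESPONSE["openid.signed"] = ",".join(k[len("openid."):] for k in RESPONSE)

def parse_fetch_response(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {type_uri: [values]}; reject unsigned or malformed AX fields."""
    signed = set(params.get("openid.signed", "").split(","))
    # An AX field that is not listed in openid.signed is outside the OP's
    # signature, so whoever assembled the return_to URL could have added it.
    unsigned = [k for k in params
                if k.startswith("openid.ax.") and k[len("openid."):] not in signed]
    if unsigned or "ns.ax" not in signed or params.get("openid.ns.ax") != AX_NS:
        raise ValueError(f"unsigned or missing AX data: {unsigned or 'ns.ax'}")
    if params.get("openid.ax.mode") != "fetch_response":
        raise ValueError("not a fetch_response")
    result: Dict[str, List[str]] = {}
    for key, type_uri in params.items():
        if not key.startswith("openid.ax.type."):
            continue
        alias = key[len("openid.ax.type."):]
        single, count = f"openid.ax.value.{alias}", f"openid.ax.count.{alias}"
        if count in params:
            # count=N means value.<alias>.1 .. .N; count=0 means no value at all
            if single in params:
                raise ValueError(f"{alias}: both count and single value")
            n = int(params[count])
            values = [params.get(f"{single}.{i}") for i in range(1, n + 1)]
            if None in values:
                raise ValueError(f"{alias}: fewer values than count={n}")
        else:
            values = [params[single]] if single in params else []
        result[type_uri] = values
    return result
```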
21. OpenID + OAuth
    • Combines OpenID authentication and OAuth authorization
    Request:
    openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
    &openid.oauth.consumer=123456
    Response:
    openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
    &openid.oauth.request_token=7890

22. OAuth 1.0a Flow
    +----------+                                 +---------------+
    |         -+----(B)-- Request Token -------->|               |
    |  End-user|                                 | Authorization |
    |    at    |<---(C)-- User authenticates --->|     Server    |
    |  Browser |                                 |               |
    |         -+----(D)-- Verifier -------------<|               |
    +-|----|---+                                 +---------------+
      |    |                                         ^      v
     (B)  (D)                                        |      |
      |    |                                         |      |
      ^    v                                         |      |
    +---------+                                      |      |
    |         |>---(A)-- Redirect URL ---------------|      |
    |   Web   |<---(A)-- Request Token + Secret -----|      |
    |  Client |>---(E)-- Request Token, Verifier ----'      |
    |         |<---(E)-- Access Token + Secret -------------'
    +---------+

    Every request: client credentials, nonce, timestamp, signature
    http://oauth.net/
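To make the "every request: client credentials, nonce, timestamp, signature" line concrete, here is an added Python example (not from the talk) of the HMAC-SHA1 signing an OAuth 1.0a client performs, following RFC 5849, and the server-side check with a timestamp window and nonce replay rejection. The base-string normalisation is the step where clients and servers usually disagree, which is the "Invalid Signature" problem a later slide mentions; the URLs and secrets in the test are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s: str) -> str:
    """RFC 5849 3.6 percent-encoding: only unreserved characters are left bare."""
    return quote(s, safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1 signature base string. `params` holds the oauth_*
    protocol parameters plus any form-body fields; query fields are added."""
    u = urlsplit(url)
    host, port = u.hostname.lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host = f"{host}:{port}"
    base_url = f"{u.scheme.lower()}://{host}{u.path}"
    pairs = list(params.items()) + parse_qsl(u.query, keep_blank_values=True)
    # Encode first, then sort by (key, value); oauth_signature is never included.
    norm = "&".join(f"{k}={v}" for k, v in sorted(
        (pct(k), pct(v)) for k, v in pairs if k != "oauth_signature"))
    return "&".join([method.upper(), pct(base_url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with both secrets (3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret, now, seen,
           window=300):
    """Server side: recompute, compare in constant time, then enforce the
    timestamp window and reject a reused (consumer, nonce, timestamp) triple."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    ts = int(params.get("oauth_timestamp", "0"))
    replay_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"), ts)
    if abs(now - ts) > window or replay_key in seen:
        return False
    seen.add(replay_key)
    return True
```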
23. Failures of OpenID 2.0
    • Complex to implement
    • No marketing
      – Do you have an OpenID?
      – What is it?
    • URL as identifier => bad user experience

24. Proprietary strikes back

25. Facebook Connect

26. Twitter @Anywhere

27. And there are many, many more

28. Nascar problem
    (image credit: Vaguely Artistic)

29. Phishing

30. How to fix it?
    (image credit: Moff)

31. Aggregation: Janrain
    http://www.janrain.com/

32. OpenID Connect
    • Goals:
      – Easier to implement
      – Simpler specification
      – Better user experience
    • => wider adoption
    • Built on top of OAuth 2.0

33. What's wrong with OAuth?
    • Does not work well with non-web or JavaScript-based clients
    • The "Invalid Signature" problem
    • Complicated flow, many requests

34. What's new in OAuth 2? (Draft 10)
    • Different client profiles
    • No signatures
    • No token secrets
    • Cookie-like bearer token
    • Mandatory TLS/SSL
    • No request tokens
    • Much more flexible regarding extensions
    http://tools.ietf.org/html/draft-ietf-oauth-v2

35. Web-Server Profile
    +----------+          Client Identifier      +---------------+
    |         -+----(A)--- & Redirect URI ------>|               |
    |  End-user|                                 | Authorization |
    |    at    |<---(B)-- User authenticates --->|     Server    |
    |  Browser |                                 |               |
    |         -+----(C)-- Authorization Code ---<|               |
    +-|----|---+                                 +---------------+
      |    |                                         ^      v
     (A)  (C)                                        |      |
      |    |                                         |      |
      ^    v                                         |      |
    +---------+                                      |      |
    |         |>---(D)-- Client Credentials, --------'      |
    |   Web   |          Authorization Code,                |
    |  Client |            & Redirect URI                   |
    |         |                                             |
    |         |<---(E)----- Access Token -------------------'
    +---------+       (w/ Optional Refresh Token)

36. User-Agent Profile
         +----------+          Client Identifier     +----------------+
         |          |>---(A)-- & Redirection URI --->|                |
         |          |                                |                |
    End <--+ - - - +----(B)-- User authenticates --->|  Authorization |
    User    |      |                                 |     Server     |
         |          |<---(C)--- Redirect URI -------<|                |
         |  Client  |          with Access Token     |                |
         |    in    |            in Fragment         +----------------+
         |  Browser |
         |          |                                +----------------+
         |          |>---(D)--- Redirect URI ------->|                |
         |          |          without Fragment      |   Web Server   |
         |          |                                |   with Client  |
         |   (F)    |<---(E)--- Web Page with ------<|    Resource    |
         |  Access  |          Script                |                |
         |   Token  |                                +----------------+
         +----------+

37. What happened to signatures?
    • Ongoing controversial discussion
    • Bearer tokens are fine over a secure connection
    • Vulnerable if discovery is introduced
    • Or if TLS/SSL is not possible

38. Scopes
    • Optional parameter for provider-specific implementations
    • For example
      – Additional return values
      – Access control

39. OpenID Connect?
    • Scope: "openid"
    • With the access token, additional values are returned
      – UserID: URL to Portable Contacts endpoint
      – Signature
      – Timestamp
    http://openidconnect.com/

40. DEMO

41. OpenID Connect Discovery
    • Get the identifier of the user
    • Call the /.well-known/host-meta file at the domain of the user's provider
    • Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
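The three discovery steps above, as an added Python example that is not from the talk: derive the provider host from the identifier, build the host-meta URL, and pick the wanted Link out of the returned XRD. Two assumptions are mine: an e-mail style identifier maps to the domain after the "@", and the rel URI for the OpenID Connect endpoint is a placeholder because the talk does not name it; the host-meta document is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

XRD = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
# Placeholder rel: the talk only says "a link pointing to the OpenID Connect
# endpoints", so the real rel URI is an assumption here.
CONNECT_REL = "http://rel.example.invalid/openid-connect"
# Constructed sample host-meta document, as returned by the provider domain.
HOST_META = f"""<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Host>provider.example</Host>
  <Link rel="lrdd" template="https://provider.example/lrdd?uri={{uri}}"/>
  <Link rel="{CONNECT_REL}" href="https://provider.example/connect"/>
</XRD>"""

def provider_host(identifier: str) -> str:
    """Steps 1-2: derive the provider domain from what the user typed.
    Assumption: an e-mail style identifier maps to the domain after '@'."""
    if "://" not in identifier and "@" in identifier:
        return identifier.rsplit("@", 1)[1].lower()
    url = identifier if "://" in identifier else "https://" + identifier
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("identifier has no host")
    return host

def host_meta_url(identifier: str) -> str:
    return f"https://{provider_host(identifier)}/.well-known/host-meta"

def connect_endpoint(xrd_text: str, host: str, rel: str = CONNECT_REL) -> Optional[str]:
    """Step 3: find the Link with the wanted rel. Only accept it if the XRD
    claims the host it was fetched from and the endpoint is https, since a
    plain-http endpoint would hand the bearer token to anyone on the path."""
    root = ET.fromstring(xrd_text)
    claimed = root.findtext(XRD + "Host")
    if claimed is not None and claimed.strip().lower() != host.lower():
        raise ValueError(f"host-meta for {claimed!r} served by {host!r}")
    for link in root.iter(XRD + "Link"):
        href = link.get("href")
        if link.get("rel") == rel and href:
            if urlsplit(href).scheme != "https":
                raise ValueError(f"insecure endpoint {href}")
            return href
    return None
```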
42. When will it be available at VZ?
    NOW in BETA
    http://developer.studivz.net/wiki/index.php/VZ-Login
    http://github.com/vznet/vz_os_clientlibrary_php

43. FOAF+SSL (WebID)
    http://esw.w3.org/Foaf%2Bssl

44. DEMO

45. Problems
    • Bad browser UI
    • Syncing between different computers?
    • More than one user on the same computer?

46. UX Mockups: Mozilla Weave

47. Summing it up
    • We need a single sign-on system for the web
    • OpenID is cool, but has some problems
    • Proprietary solutions are bad for users, site owners and developers
    • A new, simpler and more flexible spec is coming up
    • Browser vendors are working to solve this problem in the browser

48. Thank you
    http://studivz.net/bastian
    http://twitter.com/BastianHofmann
    http://slideshare.net/bashofmann
    http://github.com/vznet
    http://developer.studivz.net