SlideShare a Scribd company logo

Distributed Identities with OpenID

Bastian Hofmann
Bastian Hofmann

Slides of my Devlink talk about OpenID, why it fails, how it can be fixed and how browser vendors could help to fix the identity problem of the web.

TechnologyDesign
1 of 66
Download to read offline
Distributed Identities with OpenID Bastian Hofmann VZnet Netzwerke Ltd.
OpenID is dead
„OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our- support-of-openid-on-may-1.html
„OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook) http://www.quora.com/What-s-wrong-with-OpenID
Facebook Connect 250,000,000 monthly users
So why are you here?
• Why identity management is still a problem • OpenID how it works, and why it fails • OpenID Connect & OAuth2: OpenIDs future? • What can browser vendors do?
Questions? Ask!
http://slideshare.net/bashofmann
Only one identity?
Identity is conveyed by communication Identity is not fixed but recreated by every communication with your fellows Expectations of different people result in different identities Lothar Krappmann
Paul Adams http://www.slideshare.net/padday/the-real-life-social-network-v2
Sign up again and again
Passwords are broken Same password for more than one service Saved unsecurely in the browser Names, birthdays, car brand, ... Disclosed to others Too short, too simple Sent over non encrypted connections
Single Sign On
Microsoft Live ID Launched 1999 as .net Passport
Facebook Connect
And there are much more
Nascar problem
Aggregation http://www.janrain.com/
OpenID http://openid.net/
The Client
Discovery <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid2.provider" href="http://www.myopenid.com/ server" /> Delegation <meta http-equiv="X-XRDS-Location" content="http:// bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http:// www.myopenid.com/server" /> <link rel="openid2.local_id" href="http:// bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid.delegate" href="http:// bhofmann.myopenid.com/" />
Connection Flow
DEMO
Authentication vs Authorization Who is the user? Is this really user X? VS Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (Social Graph)
But there are Spec Extensions
Simple Registration • Allows to specify certain fields in request that must or should be returned by the Identity Provider openid.sreg.required=openid.sreg.fullname& openid.sreg.optional=openid.sreg.email,openid.sreg.gender openid.sreg.fullname=Bastian&openid.sreg.gender=male
Attribute Exchange • Fetch Request penid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=3 openid.ax.required=fname,gender openid.ax.if_available=fav_dog,fav_movie openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
Attribute Exchange • Fetch Response openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_response openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.value.fname=John Smith openid.ax.count.gender=0 openid.ax.value.fav_dog=Spot openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
Attribute Exchange • Store Request openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.value.fname=Bob Smith openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 • Store Respons openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_response_success
http://oauth.net/
OAuth 1.0a Flow +----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+ Every Request: Client Credentials, Nonce, Timestamp, Signature http://oauth.net/
OpenID + OAuth • Combines OpenID Authentication and OAuth authorization openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.consumer=123456 openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.request_token=7890
Failures of OpenID 2.0 Complex to implement No marketing Do you have an OpenID? What is it? URL as identifier => Bad User Experience
How to fix it?
Easier to implement Better user experience Built on top of OAuth 2.0 More simple specification wider adption
What‘s wrong with OAuth? Does not work well with non web or JavaScript based clients The „Invalid Signature“ Problem Complicated Flow, many requests
http://oauth.net/
What‘s new in OAuth2? (Draft 10) No signatures Cookie-like Bearer Token Different client profiles No Token Secrets No Request Tokens Mandatory TSL/SSL Much more flexible regarding extensions http://tools.ietf.org/html/draft-ietf-oauth-v2
Web-Server Profile +----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)
User-Agent Profile +----------+ Client Identifier +----------------+ | |>---(A)-- & Redirection URI --->| | | | | | End <--+ - - - +----(B)-- User authenticates -->| Authorization | User | | | Server | | |<---(C)--- Redirect URI -------<| | | Client | with Access Token | | | in | in Fragment +----------------+ | Browser | | | +----------------+ | |>---(D)--- Redirect URI ------->| | | | without Fragment | Web Server | | | | with Client | | (F) |<---(E)--- Web Page with ------<| Resource | | Access | Script | | | Token | +----------------+ +----------+
What happend to signatures? Ongoing controvers discussion Bearer Tokens are fine over secure connection Vulnerable if discovery is introduced Or if TSL/SSL is not possible
Scopes Optional parameter for provider specific implementations Additional return values Access Control
Scope: „openid“ With access token additional values are returned UserID: URL to Portable Contacts endpoint Timestamp Signature http://openidconnect.com/
https://github.com/vznet/vz_id_democlient http://opensocial-demo.vz-modules.net/vzid/index.php
DEMO
OpenID Connect Discovery Get Identifier of user Call /.well-­‐known/host-­‐meta file at the domain of the user‘s provider Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
Phishing
@ E-mail address equals identity?
Can the browser help?
FOAF+SSL (WebID) http://esw.w3.org/Foaf%2Bssl
DEMO
Bad browser UI Syncing between different computers? More than one user on the same computer?
Mozilla UX Mockups
https://browserid.org/
DEMO
Summing it up • We need a single sign on system for the web • OpenID is cool, but has some problems • Proprietary solutions are bad for users, site owners and developers • A new more simple and flexible spec is coming up • Browser vendors are working to solve this problem in the browser
h"p://twi"er.com/Bas2anHofmann h"ps://profiles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann/ h"p://slideshare.net/bashofmann mail@bas2anhofmann.de

Recommended

Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...Maarten Balliauw
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010Fabrizio Volpe
 
Lecture 20101124
Lecture 20101124Lecture 20101124
Lecture 20101124Anderson Liang
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýNETWAYS
 

Recommended

Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...Maarten Balliauw
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010Fabrizio Volpe
 
Lecture 20101124
Lecture 20101124Lecture 20101124
Lecture 20101124Anderson Liang
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýNETWAYS
 
Squid安装配置
Squid安装配置Squid安装配置
Squid安装配置Yiwei Ma
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
How to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesHow to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesBastian Hofmann
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Introduction to rg\injection
Introduction to rg\injectionIntroduction to rg\injection
Introduction to rg\injectionBastian Hofmann
 
Oauth
OauthOauth
Oauth立晨 代
 
How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users Bastian Hofmann
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...Maarten Balliauw
 
OpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightOpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightDaisuke Fuke
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0iratao
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-IDBastian Hofmann
 
Mashing up JavaScript
Mashing up JavaScriptMashing up JavaScript
Mashing up JavaScriptBastian Hofmann
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptsmueller_sandsmedia
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
Share All The Things With UMA
Share All The Things With UMAShare All The Things With UMA
Share All The Things With UMAForgeRock Identity Tech Talks
 
Multi-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsMulti-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsAlexandre Verkinderen
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserverNiraj Barnwal
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
 
Development Workflows on AWS
Development Workflows on AWSDevelopment Workflows on AWS
Development Workflows on AWSAmazon Web Services
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureBastian Hofmann
 

More Related Content

Viewers also liked

Squid安装配置
Squid安装配置Squid安装配置
Squid安装配置Yiwei Ma
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
How to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesHow to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesBastian Hofmann
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Introduction to rg\injection
Introduction to rg\injectionIntroduction to rg\injection
Introduction to rg\injectionBastian Hofmann
 

Viewers also liked (6)

Squid安装配置
Squid安装配置Squid安装配置
Squid安装配置
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
How to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesHow to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutes
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
Introduction to rg\injection
Introduction to rg\injectionIntroduction to rg\injection
Introduction to rg\injection
 

Similar to Distributed Identities with OpenID

How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users Bastian Hofmann
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...Maarten Balliauw
 
OpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightOpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightDaisuke Fuke
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0iratao
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-IDBastian Hofmann
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptsmueller_sandsmedia
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
Multi-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsMulti-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsAlexandre Verkinderen
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserverNiraj Barnwal
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureBastian Hofmann
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
Node js to sharepoint authentication
Node js to sharepoint authenticationNode js to sharepoint authentication
Node js to sharepoint authenticationSergei Sergeev
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 

Similar to Distributed Identities with OpenID (20)

Oauth
OauthOauth
Oauth
 
How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
 
OpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightOpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech Night
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-ID
 
Mashing up JavaScript
Mashing up JavaScriptMashing up JavaScript
Mashing up JavaScript
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java script
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
 
Share All The Things With UMA
Share All The Things With UMAShare All The Things With UMA
Share All The Things With UMA
 
Multi-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsMulti-Factor Authentication for your clouds
Multi-Factor Authentication for your clouds
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserver
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
 
Development Workflows on AWS
Development Workflows on AWSDevelopment Workflows on AWS
Development Workflows on AWS
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, Future
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Node js to sharepoint authentication
Node js to sharepoint authenticationNode js to sharepoint authentication
Node js to sharepoint authentication
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 

More from Bastian Hofmann

IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution! IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution! Bastian Hofmann
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the IslandsOpening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the IslandsBastian Hofmann
 
Mashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web AppsMashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web AppsBastian Hofmann
 
Creating social games for millions of users
Creating social games for millions of usersCreating social games for millions of users
Creating social games for millions of usersBastian Hofmann
 
Distributed Social Networking
Distributed Social NetworkingDistributed Social Networking
Distributed Social NetworkingBastian Hofmann
 
Advanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial AppsAdvanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial AppsBastian Hofmann
 
Creating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of usersCreating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of usersBastian Hofmann
 
How to make your social games successfull
How to make your social games successfullHow to make your social games successfull
How to make your social games successfullBastian Hofmann
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands Bastian Hofmann
 
Creating OpenSocial Apps
Creating OpenSocial AppsCreating OpenSocial Apps
Creating OpenSocial AppsBastian Hofmann
 
OpenSocial in der Praxis
OpenSocial in der PraxisOpenSocial in der Praxis
OpenSocial in der PraxisBastian Hofmann
 

More from Bastian Hofmann (14)

IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution! IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
 
Mashing up JavaScript
Mashing up JavaScriptMashing up JavaScript
Mashing up JavaScript
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the IslandsOpening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands
 
Mashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web AppsMashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web Apps
 
Creating social games for millions of users
Creating social games for millions of usersCreating social games for millions of users
Creating social games for millions of users
 
Distributed Social Networking
Distributed Social NetworkingDistributed Social Networking
Distributed Social Networking
 
Advanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial AppsAdvanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial Apps
 
Creating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of usersCreating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of users
 
How to make your social games successfull
How to make your social games successfullHow to make your social games successfull
How to make your social games successfull
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands
 
Creating OpenSocial Apps
Creating OpenSocial AppsCreating OpenSocial Apps
Creating OpenSocial Apps
 
OpenSocial in der Praxis
OpenSocial in der PraxisOpenSocial in der Praxis
OpenSocial in der Praxis
 
OpenSocial Done Right
OpenSocial Done RightOpenSocial Done Right
OpenSocial Done Right
 
Social apps done right
Social apps done rightSocial apps done right
Social apps done right
 

Recently uploaded

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 

Recently uploaded (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

Distributed Identities with OpenID

  • 1. Distributed Identities with OpenID Bastian Hofmann VZnet Netzwerke Ltd.
  • 3. „OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our- support-of-openid-on-may-1.html
  • 4. „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook) http://www.quora.com/What-s-wrong-with-OpenID
  • 6. So why are you here?
  • 7. • Why identity management is still a problem • OpenID how it works, and why it fails • OpenID Connect & OAuth2: OpenIDs future? • What can browser vendors do?
  • 8.
  • 9.
  • 10.
  • 11.
  • 15. Identity is conveyed by communication Identity is not fixed but recreated by every communication with your fellows Expectations of different people result in different identities Lothar Krappmann
  • 17.
  • 18.
  • 19. Sign up again and again
  • 20. Passwords are broken Same password for more than one service Saved unsecurely in the browser Names, birthdays, car brand, ... Disclosed to others Too short, too simple Sent over non encrypted connections
  • 22. Microsoft Live ID Launched 1999 as .net Passport
  • 24.
  • 25. And there are much more
  • 30. Discovery <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid2.provider" href="http://www.myopenid.com/ server" /> Delegation <meta http-equiv="X-XRDS-Location" content="http:// bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http:// www.myopenid.com/server" /> <link rel="openid2.local_id" href="http:// bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid.delegate" href="http:// bhofmann.myopenid.com/" />
  • 32. DEMO
  • 33. Authentication vs Authorization Who is the user? Is this really user X? VS Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (Social Graph)
  • 34. But there are Spec Extensions
  • 35. Simple Registration • Allows to specify certain fields in request that must or should be returned by the Identity Provider openid.sreg.required=openid.sreg.fullname& openid.sreg.optional=openid.sreg.email,openid.sreg.gender openid.sreg.fullname=Bastian&openid.sreg.gender=male
  • 36. Attribute Exchange • Fetch Request penid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=3 openid.ax.required=fname,gender openid.ax.if_available=fav_dog,fav_movie openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
  • 37. Attribute Exchange • Fetch Response openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_response openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.value.fname=John Smith openid.ax.count.gender=0 openid.ax.value.fav_dog=Spot openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
  • 38. Attribute Exchange • Store Request openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.value.fname=Bob Smith openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 • Store Respons openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_response_success
  • 40. OAuth 1.0a Flow +----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+ Every Request: Client Credentials, Nonce, Timestamp, Signature http://oauth.net/
  • 41. OpenID + OAuth • Combines OpenID Authentication and OAuth authorization openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.consumer=123456 openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.request_token=7890
  • 42. Failures of OpenID 2.0 Complex to implement No marketing Do you have an OpenID? What is it? URL as identifier => Bad User Experience
  • 43. How to fix it?
  • 44. Easier to implement Better user experience Built on top of OAuth 2.0 More simple specification wider adption
  • 45. What‘s wrong with OAuth? Does not work well with non web or JavaScript based clients The „Invalid Signature“ Problem Complicated Flow, many requests
  • 47. What‘s new in OAuth2? (Draft 10) No signatures Cookie-like Bearer Token Different client profiles No Token Secrets No Request Tokens Mandatory TSL/SSL Much more flexible regarding extensions http://tools.ietf.org/html/draft-ietf-oauth-v2
  • 48. Web-Server Profile +----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)
  • 49. User-Agent Profile +----------+ Client Identifier +----------------+ | |>---(A)-- & Redirection URI --->| | | | | | End <--+ - - - +----(B)-- User authenticates -->| Authorization | User | | | Server | | |<---(C)--- Redirect URI -------<| | | Client | with Access Token | | | in | in Fragment +----------------+ | Browser | | | +----------------+ | |>---(D)--- Redirect URI ------->| | | | without Fragment | Web Server | | | | with Client | | (F) |<---(E)--- Web Page with ------<| Resource | | Access | Script | | | Token | +----------------+ +----------+
  • 50. What happend to signatures? Ongoing controvers discussion Bearer Tokens are fine over secure connection Vulnerable if discovery is introduced Or if TSL/SSL is not possible
  • 51. Scopes Optional parameter for provider specific implementations Additional return values Access Control
  • 52. Scope: „openid“ With access token additional values are returned UserID: URL to Portable Contacts endpoint Timestamp Signature http://openidconnect.com/
  • 54. DEMO
  • 55. OpenID Connect Discovery Get Identifier of user Call /.well-­‐known/host-­‐meta file at the domain of the user‘s provider Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
  • 57. @ E-mail address equals identity?
  • 60. DEMO
  • 61. Bad browser UI Syncing between different computers? More than one user on the same computer?
  • 64. DEMO
  • 65. Summing it up • We need a single sign on system for the web • OpenID is cool, but has some problems • Proprietary solutions are bad for users, site owners and developers • A new more simple and flexible spec is coming up • Browser vendors are working to solve this problem in the browser