Distributed Identities with OpenID

Slides of my Devlink talk about OpenID, why it fails, how it can be fixed and how browser vendors could help to fix the identity problem of the web.

  1. Distributed Identities with OpenID
     Bastian Hofmann, VZnet Netzwerke Ltd.
  2. OpenID is dead
  3. „OpenID has been a burden on support since the day it was launched.“
     „Fewer than 1% of all 37signals users are currently using OpenID.“
     http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
  4. „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“
     Yishan Wong (Facebook)
     http://www.quora.com/What-s-wrong-with-OpenID
  5. Facebook Connect
     250,000,000 monthly users
  6. So why are you here?
  7. • Why identity management is still a problem
     • OpenID: how it works, and why it fails
     • OpenID Connect & OAuth 2: OpenID's future?
     • What can browser vendors do?
  8. Questions? Ask!
  9. http://slideshare.net/bashofmann
  10. Only one identity?
  11. Identity is conveyed by communication.
      Identity is not fixed but recreated by every communication with your fellows.
      Expectations of different people result in different identities.
      Lothar Krappmann
  12. Paul Adams
      http://www.slideshare.net/padday/the-real-life-social-network-v2
  13. Sign up again and again
  14. Passwords are broken
      • Same password for more than one service
      • Saved insecurely in the browser
      • Names, birthdays, car brand, ...
      • Disclosed to others
      • Too short, too simple
      • Sent over unencrypted connections
  15. Single Sign-On
  16. Microsoft Live ID
      Launched 1999 as .NET Passport
  17. Facebook Connect
  18. And there are many more
  19. NASCAR problem
  20. Aggregation
      http://www.janrain.com/
  21. OpenID
      http://openid.net/
  22. The Client
  23. Discovery
          <link rel="openid.server" href="http://www.myopenid.com/server" />
          <link rel="openid2.provider" href="http://www.myopenid.com/server" />
      Delegation
          <meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
          <link rel="openid2.provider" href="http://www.myopenid.com/server" />
          <link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
          <link rel="openid.server" href="http://www.myopenid.com/server" />
          <link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
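What a relying party does with the tags on slide 23, as an added example (it is not code from the deck or from myopenid.com): HTML-based discovery with the Python standard library. It prefers the OpenID 2.0 tags over the 1.x ones, keeps the first occurrence of each rel (the spec says the first wins), only honours tags inside <head>, and hands back the X-XRDS-Location so that the caller can try Yadis discovery first. The sample page is constructed from the slide's delegation snippet; the extra <link> in the body and the host attacker.example are made up to show the head-only rule.

```python
from html.parser import HTMLParser

# Constructed sample: the slide's delegation snippet placed in the <head> of a user's own
# homepage. The <link> in the body is there to show that it is ignored.
SAMPLE_IDENTITY_PAGE = """<html><head>
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
</head><body>
<link rel="openid2.provider" href="http://attacker.example/server" />
Bastian's homepage</body></html>"""


class _HeadLinkParser(HTMLParser):
    """Collects <link rel=... href=...> and the X-XRDS-Location meta tag from <head> only."""

    def __init__(self):
        super().__init__()
        self.links = {}          # rel token -> first href seen for it
        self.xrds_location = None
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if not self._in_head:
            return               # discovery only honours tags inside <head>
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():   # rel may hold several tokens
                self.links.setdefault(rel, a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html):
    """HTML-based discovery on the page behind a claimed identifier.

    Returns the OP endpoint, the OP-local identifier (None: use the claimed identifier
    itself), which protocol version the tags belong to, and the XRDS location if the
    page advertises one. A real RP fetches that XRDS document first (Yadis) and falls
    back to the <link> tags only when it is missing or unusable.
    """
    p = _HeadLinkParser()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        result = {"protocol": "2.0",
                  "op_endpoint": links["openid2.provider"],
                  "local_id": links.get("openid2.local_id")}
    elif "openid.server" in links:
        result = {"protocol": "1.1",
                  "op_endpoint": links["openid.server"],
                  "local_id": links.get("openid.delegate")}
    else:
        return None
    result["xrds_location"] = p.xrds_location
    return result
```

Whatever discovery returns is only the starting point: after the OP answers, the RP must still check that the claimed identifier and the OP endpoint in the signed assertion are the ones discovery produced, otherwise any OP could assert any identity.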
  24. Connection Flow
  25. DEMO
  26. Authentication vs Authorization
      Who is the user? Is this really user X?
      vs.
      Is X allowed to do something? Does X have the permission?
      Client sites want more than just a unique identifier (social graph)
  27. But there are spec extensions
  28. Simple Registration
      • Allows the client to specify fields in the request that the identity provider must or should return (field names are given without the openid.sreg. prefix)
      Request:
          openid.sreg.required=fullname&openid.sreg.optional=email,gender
      Response:
          openid.sreg.fullname=Bastian&openid.sreg.gender=male
  29. Attribute Exchange
      • Fetch Request
          openid.ns.ax=http://openid.net/srv/ax/1.0
          openid.ax.mode=fetch_request
          openid.ax.type.fname=http://example.com/schema/fullname
          openid.ax.type.gender=http://example.com/schema/gender
          openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
          openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
          openid.ax.count.fav_movie=3
          openid.ax.required=fname,gender
          openid.ax.if_available=fav_dog,fav_movie
          openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  30. Attribute Exchange
      • Fetch Response
          openid.ns.ax=http://openid.net/srv/ax/1.0
          openid.ax.mode=fetch_response
          openid.ax.type.fname=http://example.com/schema/fullname
          openid.ax.type.gender=http://example.com/schema/gender
          openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
          openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
          openid.ax.value.fname=John Smith
          openid.ax.count.gender=0
          openid.ax.value.fav_dog=Spot
          openid.ax.count.fav_movie=2
          openid.ax.value.fav_movie.1=Movie1
          openid.ax.value.fav_movie.2=Movie2
          openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  31. Attribute Exchange
      • Store Request
          openid.ns.ax=http://openid.net/srv/ax/1.0
          openid.ax.mode=store_request
          openid.ax.type.fname=http://example.com/schema/fullname
          openid.ax.value.fname=Bob Smith
          openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
          openid.ax.count.fav_movie=2
          openid.ax.value.fav_movie.1=Movie1
          openid.ax.value.fav_movie.2=Movie2
      • Store Response
          openid.ns.ax=http://openid.net/srv/ax/1.0
          openid.ax.mode=store_response_success
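An added example for slides 29 to 31 (not code from the deck): the relying-party side of Attribute Exchange, turning the slide's fetch_response into attribute lists. It honours openid.ax.count (including count=0 for the required gender attribute, which is exactly what the slide's response returns), only accepts an alias under the type URI it was requested for, and refuses any AX field that is not listed in openid.signed, since a field outside the signature can be appended by anyone who can tamper with the redirect back to the RP. The response is the slide's; the openid.signed line is an assumption added here, because the slide omits it.

```python
AX_NS = "http://openid.net/srv/ax/1.0"

# The slide's fetch_request, reduced to what the RP has to remember about it.
SLIDE_REQUEST_TYPES = {
    "fname": "http://example.com/schema/fullname",
    "gender": "http://example.com/schema/gender",
    "fav_dog": "http://example.com/schema/favourite_dog",
    "fav_movie": "http://example.com/schema/favourite_movie",
}

# Constructed from the slide's fetch_response. openid.signed is not on the slide: in a
# real OpenID 2.0 positive assertion the OP lists every signed field there (without the
# "openid." prefix) and the RP verifies the signature over those fields before reading them.
SAMPLE_RESPONSE = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.fname": "http://example.com/schema/fullname",
    "openid.ax.type.gender": "http://example.com/schema/gender",
    "openid.ax.type.fav_dog": "http://example.com/schema/favourite_dog",
    "openid.ax.type.fav_movie": "http://example.com/schema/favourite_movie",
    "openid.ax.value.fname": "John Smith",
    "openid.ax.count.gender": "0",
    "openid.ax.value.fav_dog": "Spot",
    "openid.ax.count.fav_movie": "2",
    "openid.ax.value.fav_movie.1": "Movie1",
    "openid.ax.value.fav_movie.2": "Movie2",
    "openid.ax.update_url": "http://idconsumer.com/update?transaction_id=a6b5c41",
}
SAMPLE_RESPONSE["openid.signed"] = (
    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
    + ",".join(k[len("openid."):] for k in SAMPLE_RESPONSE)
)


class AXError(ValueError):
    pass


def ax_fields_signed(params):
    """True if every AX field in the response is covered by openid.signed."""
    signed = set(params.get("openid.signed", "").split(","))
    return all(k[len("openid."):] in signed
               for k in params if k == "openid.ns.ax" or k.startswith("openid.ax."))


def parse_ax_response(params, requested_types):
    """Turn a fetch_response into {alias: [values]} for the aliases the RP asked for."""
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "fetch_response":
        raise AXError("not an AX fetch_response")
    if not ax_fields_signed(params):
        raise AXError("response carries unsigned AX fields")
    attrs = {}
    for alias, type_uri in requested_types.items():
        # An alias is only meaningful together with the type URI it was requested for;
        # if the OP answers under another type, treat the attribute as not returned.
        if params.get(f"openid.ax.type.{alias}") != type_uri:
            attrs[alias] = []
            continue
        count_key = f"openid.ax.count.{alias}"
        if count_key in params:
            try:
                n = int(params[count_key])
            except ValueError:
                raise AXError(f"bad count for {alias}")
            try:
                attrs[alias] = [params[f"openid.ax.value.{alias}.{i}"] for i in range(1, n + 1)]
            except KeyError as missing:
                raise AXError(f"count for {alias} does not match its values: {missing}")
        elif f"openid.ax.value.{alias}" in params:
            attrs[alias] = [params[f"openid.ax.value.{alias}"]]
        else:
            attrs[alias] = []
    return attrs


def missing_required(attrs, required):
    """Aliases from openid.ax.required that came back empty (count=0 or absent)."""
    return [alias for alias in required if not attrs.get(alias)]
```

Note that the slide's own response is a good test case: the request marked gender as required, the OP answered with openid.ax.count.gender=0, so the RP has to decide what to do with a required attribute that was not returned rather than assume it is there.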
  32. http://oauth.net/
  33. OAuth 1.0a Flow
      (A) The web client sends its redirect URL to the authorization server and receives a request token + secret
      (B) The end-user's browser is redirected to the authorization server with the request token
      (C) The user authenticates at the authorization server
      (D) The authorization server redirects the browser back to the web client with the verifier
      (E) The web client sends request token + verifier and receives the access token + secret
      Every request: client credentials, nonce, timestamp, signature
      http://oauth.net/
  34. OpenID + OAuth
      • Combines OpenID authentication and OAuth authorization
      Request:
          openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
          &openid.oauth.consumer=123456
      Response:
          openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
          &openid.oauth.request_token=7890
  35. Failures of OpenID 2.0
      • Complex to implement
      • No marketing: "Do you have an OpenID? What is it?"
      • URL as identifier => bad user experience
  36. How to fix it?
  37. • Easier to implement
      • Better user experience
      • Built on top of OAuth 2.0
      • Simpler specification
      • Wider adoption
  38. What's wrong with OAuth?
      • Does not work well with non-web or JavaScript-based clients
      • The „Invalid Signature“ problem
      • Complicated flow, many requests
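An added example (not from the deck) of what the "signature" on slide 33 actually is and where the „Invalid Signature“ problem of slide 38 comes from. OAuth 1.0a signs a signature base string: the request method, the normalized base URI and the sorted, percent-encoded parameter set (query, form body and oauth_* parameters) joined with '&', then HMAC-SHA1 over it with the consumer secret and token secret as key. Every byte of that string has to be reproduced identically by client and server; the usual failure is a client that encodes with form rules (space as '+') while the server uses the RFC 5849 rules (space as %20). The request below is the one from RFC 5849 section 3.4.1, reconstructed here from the RFC's values; the secrets used in the test are made up.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, quote_plus, urlsplit, urlunsplit


def pct(value):
    """RFC 5849 percent encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay as they
    are; everything else, '/', ' ' and '+' included, becomes %XX with uppercase hex."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default ports dropped, query and fragment removed."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = u.hostname.lower()
    if u.port and not ((scheme == "http" and u.port == 80) or (scheme == "https" and u.port == 443)):
        host = f"{host}:{u.port}"
    return urlunsplit((scheme, host, u.path, "", ""))


def normalize_params(pairs, encoder=pct):
    """Encode every key and value, sort by encoded key then encoded value, join with
    '=' and '&'. Duplicate keys are allowed (the RFC example has two a3 parameters)."""
    encoded = sorted((encoder(k), encoder(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, body, oauth_params, encoder=pct):
    """Query parameters, form-body parameters and the oauth_* protocol parameters
    (everything except oauth_signature) form one parameter set."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += list(oauth_params.items())
    return "&".join([pct(method.upper()), pct(base_string_uri(url)),
                     pct(normalize_params(pairs, encoder))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """The oauth_signature value for HMAC-SHA1 (before it is percent-encoded into the request)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# The request of RFC 5849 section 3.4.1.1:
#   POST http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b   body: c2&a3=2+q
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}


def correct_base_string():
    return signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH)


def sloppy_base_string():
    """The classic 'Invalid Signature' bug: a client that encodes parameters with
    application/x-www-form-urlencoded rules (space -> '+') signs a different string
    than the server computes, so the two signatures never match."""
    form_style = lambda v: quote_plus(str(v), safe="-._~")
    return signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH, encoder=form_style)
```

The server side has to recompute exactly the same string from the request it received, which is why any disagreement about port normalization, parameter sorting or the encoding of a single character shows up to the developer only as a bare "Invalid Signature" error.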
  39. http://oauth.net/
  40. What's new in OAuth 2? (Draft 10)
      • No signatures
      • Cookie-like bearer token
      • Different client profiles
      • No token secrets
      • No request tokens
      • Mandatory TLS/SSL
      • Much more flexible regarding extensions
      http://tools.ietf.org/html/draft-ietf-oauth-v2
  41. Web-Server Profile
      (A) The web client redirects the end-user's browser to the authorization server with its client identifier and redirect URI
      (B) The user authenticates at the authorization server
      (C) The authorization server redirects the browser back to the redirect URI with an authorization code
      (D) The web client sends client credentials, authorization code and redirect URI to the authorization server
      (E) The authorization server returns the access token (with optional refresh token)
  42. User-Agent Profile
      (A) The client running in the browser sends the user to the authorization server with its client identifier and redirection URI
      (B) The user authenticates at the authorization server
      (C) The authorization server redirects to the redirection URI with the access token in the fragment
      (D) The browser requests the redirection URI from the web server hosting the client resource, without the fragment
      (E) The web server returns a web page with a script
      (F) The script extracts the access token from the fragment and hands it to the client in the browser
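Both profiles of slides 41 and 42 as one runnable exchange, added here as an example; it is neither the deck's code nor the vz_id_democlient. The authorization server and the web client live in one process, so both sides' checks are visible: exact redirect-URI matching with no redirect on failure, short-lived single-use codes bound to client and redirect URI, client credentials on the back-channel token request, a `state` value tying the callback to the browser session, and bearer tokens that are proof of authorization by possession alone. Client IDs, secrets, URIs and users are made up, and the `now` argument stands in for the clock so the flow is deterministic.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class OAuthError(Exception):
    pass


class AuthorizationServer:
    """One in-process authorization server for both the code and the token profile."""

    CODE_LIFETIME = 60  # seconds: codes are short-lived and redeemable once

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "user", "expires"}
        self.tokens = {}   # bearer token -> {"client_id", "user"}

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, response_type, state, user, now):
        """Steps (A)-(C). `user` is the end-user the server has just authenticated."""
        client = self.clients.get(client_id)
        # Exact match against the registered URI. On failure raise instead of redirecting:
        # a redirect would deliver the code or token to an attacker-chosen host.
        if client is None or redirect_uri != client["redirect_uri"]:
            raise OAuthError("invalid_request: unknown client or redirect_uri mismatch")
        if response_type == "code":
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                "user": user, "expires": now + self.CODE_LIFETIME}
            return redirect_uri + "?" + urlencode({"code": code, "state": state})
        if response_type == "token":
            # User-agent profile: the token travels in the fragment, which the browser does
            # not send to the web server hosting the client; only script on that page reads it.
            token = self._issue_token(client_id, user)
            return redirect_uri + "#" + urlencode(
                {"access_token": token, "token_type": "bearer", "state": state})
        raise OAuthError("unsupported_response_type")

    def token_endpoint(self, client_id, client_secret, code, redirect_uri, now):
        """Steps (D)-(E): back-channel exchange authenticated with the client credentials."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise OAuthError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a second redemption of the same code fails
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or now > grant["expires"]):
            raise OAuthError("invalid_grant")
        return {"access_token": self._issue_token(client_id, grant["user"]),
                "token_type": "bearer"}

    def _issue_token(self, client_id, user):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "user": user}
        return token

    def protected_resource(self, authorization_header):
        """Bearer check: holding the token is the whole proof (no signature), which is
        why the deck calls TLS mandatory for every request that carries one."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or token not in self.tokens:
            raise OAuthError("invalid_token")
        return self.tokens[token]["user"]


class WebClient:
    """Web-server profile client; `session` stands in for the user's cookie session."""

    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.secret, self.redirect_uri = secret, redirect_uri
        self.session = {}

    def begin(self):
        # (A): an unguessable state ties the later callback to this browser session.
        self.session["state"] = secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "response_type": "code", "state": self.session["state"]}

    def callback(self, redirected_to, now):
        # (C) arrives via the browser; (D)/(E) happen server-to-server.
        qs = parse_qs(urlsplit(redirected_to).query)
        if qs.get("state", [None])[0] != self.session.pop("state", None):
            raise OAuthError("state mismatch: this callback was not started by this session")
        return self.server.token_endpoint(self.client_id, self.secret,
                                          qs["code"][0], self.redirect_uri, now)


def token_from_fragment(redirected_to, expected_state):
    """What the script of steps (E)/(F) in the user-agent profile does with location.hash."""
    frag = parse_qs(urlsplit(redirected_to).fragment)
    if frag.get("state", [None])[0] != expected_state:
        raise OAuthError("state mismatch")
    return frag["access_token"][0]
```

The code profile keeps the access token off the browser entirely (the browser only ever sees the one-time code), which is the property the user-agent profile gives up in exchange for not needing a server-side secret.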
  43. What happened to signatures?
      • Ongoing controversial discussion
      • Bearer tokens are fine over a secure connection
      • Vulnerable if discovery is introduced, or if TLS/SSL is not possible
  44. Scopes
      • Optional parameter for provider-specific implementations
      • Additional return values
      • Access control
  45. Scope: „openid“
      With the access token additional values are returned:
      • User ID: URL to a Portable Contacts endpoint
      • Timestamp
      • Signature
      http://openidconnect.com/
  46. https://github.com/vznet/vz_id_democlient
      http://opensocial-demo.vz-modules.net/vzid/index.php
  47. DEMO
  48. OpenID Connect Discovery
      • Get the identifier of the user
      • Call the /.well-known/host-meta file at the domain of the user's provider
      • Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
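The three discovery steps of slide 48 as an added example (not the deck's or the demo client's code): derive the provider domain from the user's identifier, build the host-meta URL for it, parse the XRD document and pick out either a direct link to the Connect endpoint or the LRDD template to follow. The XRD namespace and the "lrdd" relation are the ones of Web Host Metadata; the link relation for the Connect endpoint is an assumption of this example, since the draft the slide refers to is not quoted on the page. The host-meta document itself is constructed, and host-meta is always fetched over https here because that document decides where the user's credentials will be sent, which is the phishing angle slide 49 raises.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
# Hypothetical link relation for the Connect endpoint (an assumption of this example).
CONNECT_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed host-meta document as https://example.com/.well-known/host-meta would serve it.
SAMPLE_HOST_META = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>example.com</Subject>
  <Link rel="lrdd" type="application/xrd+xml" template="https://example.com/lrdd?uri={uri}" />
  <Link rel="http://openid.net/specs/connect/1.0/issuer" href="https://id.example.com/connect" />
</XRD>"""


def provider_domain(identifier):
    """Domain whose host-meta is consulted: mail-style user@host or the host of a URL.
    Anything else is rejected rather than guessed, so a typo never sends the user to
    a host the RP picked for them."""
    if "@" in identifier:
        local, _, host = identifier.rpartition("@")
        if local and host and "/" not in host:
            return host.lower()
    elif "://" in identifier:
        host = urlsplit(identifier).hostname
        if host:
            return host.lower()
    raise ValueError("cannot derive a provider domain from %r" % identifier)


def host_meta_url(domain):
    # https only: a host-meta fetched over plain http could be rewritten on the wire to
    # point the login at an attacker's endpoint.
    return f"https://{domain}/.well-known/host-meta"


def parse_host_meta(xml_text):
    """Return the XRD's Link elements as a list of attribute dicts."""
    root = ET.fromstring(xml_text)  # for documents from arbitrary hosts use defusedxml instead
    if root.tag != XRD_NS + "XRD":
        raise ValueError("not an XRD document")
    return [dict(link.attrib) for link in root.findall(XRD_NS + "Link")]


def find_link(links, rel):
    return next((link for link in links if link.get("rel") == rel), None)


def lrdd_url(template, identifier):
    """Expand an LRDD template: {uri} is replaced by the percent-encoded identifier."""
    return template.replace("{uri}", quote(identifier, safe=""))


def discover_connect_endpoint(identifier, host_meta_xml):
    """Resolve the host-meta document to a Connect endpoint, or to the per-user LRDD
    document that has to be fetched next to find it."""
    links = parse_host_meta(host_meta_xml)
    direct = find_link(links, CONNECT_REL)
    if direct and direct.get("href"):
        return {"endpoint": direct["href"], "lrdd": None}
    lrdd = find_link(links, "lrdd")
    if lrdd and lrdd.get("template"):
        return {"endpoint": None, "lrdd": lrdd_url(lrdd["template"], identifier)}
    raise ValueError("host-meta has neither a Connect link nor an LRDD template")
```

Whatever endpoint comes out of this must be checked against the domain the identifier named (or the RP's allow-list) before any redirect happens; discovery that blindly follows links is exactly what turns a mistyped or attacker-supplied identifier into a phishing page.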
  49. Phishing
  50. @
      E-mail address equals identity?
  51. Can the browser help?
  52. FOAF+SSL (WebID)
      http://esw.w3.org/Foaf%2Bssl
  53. DEMO
  54. Bad browser UI
      • Syncing between different computers?
      • More than one user on the same computer?
  55. Mozilla UX Mockups
  56. https://browserid.org/
  57. DEMO
  58. Summing it up
      • We need a single sign-on system for the web
      • OpenID is cool, but has some problems
      • Proprietary solutions are bad for users, site owners and developers
      • A new, simpler and more flexible spec is coming up
      • Browser vendors are working to solve this problem in the browser
  59. http://twitter.com/BastianHofmann
      https://profiles.google.com/bashofmann
      http://lanyrd.com/people/BastianHofmann/
      http://slideshare.net/bashofmann
      mail@bastianhofmann.de
