
Technical Background of VZ-ID


  1. VZ-ID: The technical background. Bastian Hofmann, VZnet Netzwerke Ltd. Tuesday, December 7, 2010
  2. Agenda
     - Sharing: OExchange, OpenGraph
     - Login: OpenID, OAuth & OAuth 2, OpenID Connect
     - VZ-JavaScript Library
  3. Sharing
  4. OExchange: a common API for publishing something into social networks. The target's offer endpoint receives the shared content as query parameters, e.g.:
     http://www.example.com/share.php?url={URI}&title={title for the content}&description={short description of the content}&ctype=flash&swfurl={SWF URI}&height={preferred SWF height}&width={preferred SWF width}&screenshot={screenshot URI}
     http://www.oexchange.org/
  5. Discovery over XRD
     <?xml version="1.0" encoding="UTF-8"?>
     <XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
       <Subject>http://www.example.com/linkeater</Subject>
       <Property type="http://www.oexchange.org/spec/0.8/prop/vendor">Examples Inc.</Property>
       <Property type="http://www.oexchange.org/spec/0.8/prop/title">A Link-Accepting Service</Property>
       <Link rel="icon" href="http://www.example.com/favicon.ico" type="image/vnd.microsoft.icon" />
       <Link rel="http://www.oexchange.org/spec/0.8/rel/offer" href="http://www.example.com/linkeater/offer.php" type="text/html" />
     </XRD>
  6. OpenGraph: the sharing target retrieves metadata about the shared page from meta tags in that page:
     <meta property="og:title" content="title" />
     <meta property="og:description" content="description" />
     <meta property="og:site_name" content="your site name" />
     <meta property="og:image" content="http://example.com/thumbnail.jpg" />
     http://opengraphprotocol.org/
  7. Sharing examples @VZ
     http://platform-redirect.vz-modules.net/r/Link/Share/?url=http%3A%2F%2Fwww.example.com&description=description&title=title
     http://www.studivz.net/Link/Share/?url=http%3A%2F%2Fwww.example.com&description=description&title=title
     http://developer.studivz.net/wiki/index.php/Sharing
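The sharing path of slides 4 to 7, as an added Python example (not code from the slides or from VZ's platform): read the OpenGraph meta tags out of a shared page, then fill an OExchange-style offer URL with percent-encoded values. The sample HTML, the offer template (with single-word placeholders instead of the slide's descriptive `{title for the content}` style) and the example.com hostnames are constructed for this example.

```python
# Added example: OpenGraph extraction + OExchange-style share URL construction.
# Sample page, template and hostnames are constructed; nothing here is VZ's code.
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Constructed sample page, as a site that wants to be shareable would serve it.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="VZ-ID: the technical background" />
<meta property="og:description" content="Sharing &amp; login with OExchange, OAuth and OpenID Connect" />
<meta property="og:site_name" content="Example Inc." />
<meta property="og:image" content="http://example.com/thumbnail.jpg" />
<meta property="og:image" content="http://example.com/other.jpg" />
</head><body>...</body></html>"""

# Offer URL in the OExchange style of slide 4; placeholders are single words so
# str.format can fill them (the slide's "{title for the content}" is descriptive text).
OFFER_TEMPLATE = ("http://www.example.com/linkeater/offer.php"
                  "?url={url}&title={title}&description={description}")


class OpenGraphParser(HTMLParser):
    """Collects <meta property="og:*" content="..."> tags; the first occurrence of a property wins."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        prop, content = attr.get("property"), attr.get("content")
        if prop and prop.startswith("og:") and content is not None:
            self.tags.setdefault(prop, content)  # HTMLParser already unescapes &amp; etc.


def parse_opengraph(html):
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.tags


def safe_http_url(value):
    """OpenGraph values come from the shared (untrusted) page: accept only absolute http(s) URLs."""
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return value
    return None


def build_share_url(template, page_url, og):
    """Fill the offer template. Every value is percent-encoded with safe="" so that
    ':', '/', '&' and '=' inside a value cannot add or overwrite query parameters
    (this is the %3A%2F%2F form seen in the VZ sharing URLs on slide 7)."""
    fields = {
        "url": page_url,
        "title": og.get("og:title", ""),
        "description": og.get("og:description", ""),
    }
    return template.format(**{k: quote(v, safe="") for k, v in fields.items()})


if __name__ == "__main__":
    og = parse_opengraph(SAMPLE_HTML)
    print(og)
    print(safe_http_url(og["og:image"]))
    print(build_share_url(OFFER_TEMPLATE, "http://www.example.com/?a=1&b=2", og))
```

The share URL is built from the metadata of a page the sharing target does not control, so the two checks that matter are the scheme filter on anything later used as a link or image source and the `safe=""` encoding, which keeps an `&` inside a title from becoming a second query parameter.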
  8. Login
  9. Identities in real life
  10. Do you really have only one identity? Lothar Krappmann:
      - Identity is conveyed by communication
      - Identity is not fixed but recreated in every communication with your fellows
      - The expectations of different people result in different identities
  11. Example: Paul Adams, http://www.slideshare.net/padday/the-real-life-social-network-v2
  12. Identities in the Web
  13. Register, Register, Register, ...
  14. Single Sign-on (photo: ul_Marga)
  15. Microsoft Passport / Live ID
      - Windows Live ID
      - Launched 1999 as .NET Passport
      - Used mainly for Microsoft services but not much outside
      - OpenID Provider since 2008
  16. Facebook Connect
  17. Twitter @Anywhere
  18. And there are many, many more
  19. The Nascar problem (photo: Vaguely Artistic)
  20. How to fix it? (photo: Moff)
  21. Aggregation: Janrain, http://www.janrain.com/
  22. OpenID: open, decentralized user authentication. http://openid.net/
  24. Connection Flow
  25. Authentication vs. Authorization
      Authentication: Who is the user? Is this really user X?
      Authorization: Is X allowed to do something? Does X have the permission?
      Client sites want more than just a unique identifier (the social graph).
  26. But there are spec extensions (photo: decafinata)
  27. OpenID + OAuth: combines OpenID authentication and OAuth authorization (the OpenID OAuth Extension). The client names its OAuth consumer key in the OpenID request; the provider, after the user has approved, returns a request token in the OpenID response, which the client then exchanges for an access token:
      Request:  openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
      Response: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
  28. OAuth 1.0a Flow

      +----------+                                 +---------------+
      |         -+----(B)-- Request Token -------->|               |
      | End-user |                                 | Authorization |
      |     at   |<---(C)-- User authenticates --->|     Server    |
      |  Browser |                                 |               |
      |         -+----(D)-- Verifier -------------<|               |
      +-|----|---+                                 +---------------+
        |    |                                         ^      v
       (B)  (D)                                        |      |
        |    |                                         |      |
        ^    v                                         |      |
      +---------+                                      |      |
      |         |>---(A)-- Redirect URL ---------------|      |
      |   Web   |<---(A)-- Request Token + Secret -----|      |
      |  Client |>---(E)-- Request Token, Verifier ----|      |
      |         |<---(E)-- Access Token + Secret -------------'
      +---------+

      Every request: client credentials, nonce, timestamp, signature.
      http://oauth.net/
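What "every request: client credentials, nonce, timestamp, signature" means in practice, and why slide 31's "Invalid Signature" problem exists, as an added Python example (not VZ's code): the RFC 5849 signature base string, HMAC-SHA1 signing on the client, recomputation on the server, and a nonce/timestamp replay guard. The credentials and request are the worked example from Appendix A of the OAuth Core 1.0 specification, so the resulting signature can be checked against the spec; the 300-second replay window is an assumption.

```python
# Added example: OAuth 1.0a request signing and server-side verification
# (HMAC-SHA1, RFC 5849). Credentials are the worked example from Appendix A
# of the OAuth Core 1.0 specification, not live secrets; nothing here is VZ's code.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
REQUEST_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
OAUTH_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}


def oauth_escape(value):
    # RFC 5849 3.6: percent-encode everything except ALPHA, DIGIT, '-', '.', '_', '~'.
    # An encoder that leaves '*' alone or turns spaces into '+' yields a base string
    # the server will not reproduce: the classic "Invalid Signature" cause.
    return quote(str(value), safe="-._~")


def normalize_url(url):
    # Scheme and host lower-cased, default ports dropped, query and fragment removed.
    p = urlsplit(url)
    host = p.hostname or ""
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port and p.port != default:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method, url, params):
    """params: every query parameter plus every oauth_* parameter except oauth_signature."""
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(normalize_url(url)), oauth_escape(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    """Client side: returns the oauth_* parameters with oauth_signature added."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    base = signature_base_string(method, url, query + list(oauth_params.items()))
    signed = dict(oauth_params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


def verify_request(method, url, received, consumer_secret, token_secret=""):
    """Server side: recompute over the received parameters and compare in constant time."""
    presented = received.get("oauth_signature", "")
    unsigned = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = sign_request(method, url, unsigned, consumer_secret, token_secret)["oauth_signature"]
    return hmac.compare_digest(presented, expected)


class ReplayGuard:
    """Server side: why nonce and timestamp travel with every request. A request is
    accepted once per (consumer, token, nonce, timestamp) and only inside a time window."""

    def __init__(self, window_seconds=300):  # window is an assumption
        self.window = window_seconds
        self.seen = set()

    def accept(self, oauth_params, now):
        ts = int(oauth_params.get("oauth_timestamp", "0"))
        key = (oauth_params.get("oauth_consumer_key"), oauth_params.get("oauth_token"),
               oauth_params.get("oauth_nonce"), ts)
        if abs(now - ts) > self.window or key in self.seen:
            return False
        self.seen.add(key)
        return True


if __name__ == "__main__":
    signed = sign_request("GET", REQUEST_URL, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(signed["oauth_signature"])  # tR3+Ty81lMeYAr/Fid0kMTYa/WM= per the spec's appendix
    print(verify_request("GET", REQUEST_URL, signed, CONSUMER_SECRET, TOKEN_SECRET))
```

Any difference between what the client signed and what the server reconstructs (method, host case, port, a query parameter, the encoding of one character) makes the signature fail, which is the flip side of the protection: a request cannot be altered in transit, but every library on both sides has to get the normalization exactly right.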
  29. Failures of OpenID 2.0
      - Complex to implement
      - No marketing ("Do you have an OpenID?" "What is it?")
      - URL as identifier => bad user experience
  30. OpenID Connect
      - Goals: easier to implement, simpler specification, better user experience => wider adoption
      - Built on top of OAuth 2.0
  31. What's wrong with OAuth (1.0a)?
      - Does not work well with non-web or JavaScript-based clients
      - The "Invalid Signature" problem
      - Complicated flow, many requests
  32. What's new in OAuth 2 (draft 10)?
      - Different client profiles
      - No signatures
      - No token secrets
      - Cookie-like bearer token
      - Mandatory TLS/SSL
      - No request tokens
      - Much more flexible regarding extensions
      http://tools.ietf.org/html/draft-ietf-oauth-v2
  33. Web-Server Profile

      +----------+          Client Identifier      +---------------+
      |         -+----(A)--- & Redirect URI ------>|               |
      | End-user |                                 | Authorization |
      |     at   |<---(B)-- User authenticates --->|     Server    |
      |  Browser |                                 |               |
      |         -+----(C)-- Authorization Code ---<|               |
      +-|----|---+                                 +---------------+
        |    |                                         ^      v
       (A)  (C)                                        |      |
        |    |                                         |      |
        ^    v                                         |      |
      +---------+                                      |      |
      |         |>---(D)-- Client Credentials, --------'      |
      |   Web   |          Authorization Code,                |
      |  Client |            & Redirect URI                   |
      |         |                                             |
      |         |<---(E)----- Access Token -------------------'
      +---------+       (w/ Optional Refresh Token)
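Both sides of the web-server profile above, as an added Python example (in-memory; not VZ's implementation and not a real server): the client builds the step (A) request with a state value and accepts the step (C) redirect only if the state matches, and the authorization server binds each code to the client_id and redirect_uri that started the flow, checks the client secret at the token endpoint in step (D), and accepts a code exactly once and only within its lifetime. Parameter and error names follow draft 10 (response_type, client_id, redirect_uri, scope, state, grant_type=authorization_code, access_token, expires_in, refresh_token); the hostnames, the secret, the use of the login widget's client_id and the 60-second code lifetime are assumptions.

```python
# Added example: OAuth 2 (draft 10) web-server profile, both sides, with the
# checks the authorization server must make. In-memory and constructed:
# not VZ's implementation, not a real server.
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

CODE_LIFETIME = 60  # seconds (assumption); authorization codes are short-lived and single-use


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}         # code -> grant details
        self.tokens = {}        # access_token -> who/what it was issued for

    def authorize(self, client_id, redirect_uri, user, scope, state, now):
        """(A)/(C): after the user authenticated and approved in (B), issue a code
        bound to the client_id and redirect_uri that started the flow."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            # Never redirect to an unregistered URI: that would hand the code to whoever chose it.
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": scope, "issued": now}
        params = {"code": code}
        if state is not None:
            params["state"] = state  # echoed back so the client can match the response
        return redirect_uri + "?" + urlencode(params)

    def token(self, form, now):
        """(D)->(E): token endpoint, grant_type=authorization_code (draft-10 names)."""
        client = self.clients.get(form.get("client_id", ""))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code", ""), None)  # pop: a code works exactly once
        if (grant is None or grant["client_id"] != form.get("client_id")
                or grant["redirect_uri"] != form.get("redirect_uri")
                or now - grant["issued"] > CODE_LIFETIME):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": grant["client_id"], "user": grant["user"],
                                     "scope": grant["scope"]}
        return {"access_token": access_token, "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32), "scope": grant["scope"]}


class WebClient:
    def __init__(self, client_id, client_secret, redirect_uri, authorization_endpoint):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.authorization_endpoint = redirect_uri, authorization_endpoint
        self.pending = set()  # outstanding state values; in a real client, kept per user session

    def start(self, scope):
        """(A): send the browser to the authorization server with a fresh state."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return self.authorization_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_redirect(self, redirect_url):
        """(C)->(D): accept the code only if state matches a request this client started."""
        q = dict(parse_qsl(urlsplit(redirect_url).query))
        if q.get("state") not in self.pending:
            raise ValueError("state mismatch: response was not started by this session")
        if "code" not in q:
            raise ValueError("no authorization code in redirect")
        self.pending.discard(q["state"])
        return {"grant_type": "authorization_code", "client_id": self.client_id,
                "client_secret": self.client_secret, "code": q["code"],
                "redirect_uri": self.redirect_uri}


def run_flow(now=1291680000):
    """Runs (A)-(E) once, then replays the same code. client_id is the one from the login widget slide."""
    server = AuthorizationServer({"1234567890abcdef": {"secret": "s3cret",
                                  "redirect_uris": {"http://example.com/callback.html"}}})
    client = WebClient("1234567890abcdef", "s3cret", "http://example.com/callback.html",
                       "https://auth.example.net/authorize")
    request = dict(parse_qsl(urlsplit(client.start("openid")).query))
    redirect = server.authorize(request["client_id"], request["redirect_uri"],
                                "user@example.com", request["scope"], request["state"], now)
    form = client.handle_redirect(redirect)
    first = server.token(form, now + 5)
    replay = server.token(form, now + 6)
    return server, form, first, replay
```

The redirect_uri is sent twice on purpose: registered and checked in (A)/(C) so the code can only be delivered to the client's own endpoint, and repeated in (D) so a code that was issued for one redirect target cannot be redeemed through another. Dropping the signatures (slide 32) only works because all of these messages, and the bearer token in (E), travel over TLS.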
  34. User-Agent Profile

      +----------+          Client Identifier     +----------------+
      |          |>---(A)-- & Redirection URI --->|                |
      |   End    |                                |                |
      |   User   |<---(B)-- User authenticates -->|  Authorization |
      |    at    |                                |     Server     |
      |  Client  |<---(C)--- Redirect URI -------<|                |
      |    in    |          with Access Token     |                |
      |  Browser |            in Fragment         +----------------+
      |          |
      |          |                                +----------------+
      |          |>---(D)--- Redirect URI ------->|                |
      |          |          without Fragment      |   Web Server   |
      |          |                                |   with Client  |
      |   (F)    |<---(E)--- Web Page with ------<|    Resource    |
      |  Access  |               Script           |                |
      |  Token   |                                +----------------+
      +----------+
  35. What happened to signatures?
      - Ongoing controversial discussion
      - Bearer tokens are fine over a secure connection
      - Vulnerable if discovery is introduced
      - Or if TLS/SSL is not possible
  36. Scopes
      - Optional parameter for provider-specific implementations
      - For example: additional return values, access control
  37. OpenID Connect?
      - Scope: "openid"
      - With the access token, additional values are returned:
        - User ID: URL to the user's Portable Contacts endpoint
        - Signature
        - Timestamp
      http://openidconnect.com/
  38. OpenID Connect Discovery
      - Get the identifier of the user
      - Fetch the /.well-known/host-meta file at the domain of the user's provider
      - Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
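The three discovery steps above, as an added Python example (not VZ's code; VZ's deployment had no discovery part). The host-meta and LRDD documents are constructed and served from an in-memory dict in place of HTTPS; the rel for the OpenID Connect link is the value the later, final OpenID Connect Discovery specification settled on, used here as a stand-in because the slide names none; the `acct:` form of the identifier is likewise an assumption. The checks (https only, LRDD template kept on the provider's domain, https-only endpoint) are what stands between "vulnerable if discovery is introduced" on slide 35 and sending a bearer token to an endpoint an attacker chose.

```python
# Added example: OpenID Connect discovery over host-meta and LRDD, the 2010-era
# mechanism named on this slide. Documents are constructed and served from a dict;
# the OIDC rel value is a stand-in. Not VZ's code.
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
LRDD_REL = "lrdd"
# The slide names no rel for the OpenID Connect link. This is the value the later,
# final OpenID Connect Discovery specification uses; treat it as a placeholder here.
OIDC_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed documents standing in for what an HTTPS GET would return.
DOCUMENTS = {
    "https://example.com/.well-known/host-meta": """<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" template="https://example.com/lrdd?uri={uri}" type="application/xrd+xml"/>
</XRD>""",
    "https://example.com/lrdd?uri=acct%3Abastian%40example.com": """<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:bastian@example.com</Subject>
  <Link rel="http://openid.net/specs/connect/1.0/issuer" href="https://id.example.com/"/>
</XRD>""",
}


def fetch(url):
    """Offline stand-in for an HTTPS GET. Discovery over plain http lets a network
    attacker point the client at an endpoint of their choosing, so refuse it."""
    if urlsplit(url).scheme != "https":
        raise ValueError("discovery must use https: " + url)
    if url not in DOCUMENTS:
        raise LookupError("not found: " + url)
    return DOCUMENTS[url]


def provider_domain(identifier):
    """Step 1: the provider's domain from an e-mail style or URL identifier."""
    if "@" in identifier and "://" not in identifier:
        return identifier.rsplit("@", 1)[1].lower()
    host = urlsplit(identifier).hostname
    if not host:
        raise ValueError("cannot determine provider domain from " + identifier)
    return host


def xrd_links(document, rel):
    """All <Link> elements of an XRD with the given rel, as attribute dicts."""
    root = ET.fromstring(document)
    return [link.attrib for link in root.iter(XRD_NS + "Link") if link.get("rel") == rel]


def discover_openid_connect(identifier):
    domain = provider_domain(identifier)
    # Step 2: host-meta at the provider's domain
    host_meta = fetch(f"https://{domain}/.well-known/host-meta")
    templates = [link["template"] for link in xrd_links(host_meta, LRDD_REL) if "template" in link]
    if not templates:
        raise LookupError("no lrdd template in host-meta for " + domain)
    uri = identifier if "://" in identifier else "acct:" + identifier  # acct: form is an assumption
    lrdd_url = templates[0].replace("{uri}", quote(uri, safe=""))
    # The per-user LRDD must stay on the provider's own domain (https is enforced by fetch).
    if urlsplit(lrdd_url).hostname != domain:
        raise ValueError("lrdd template points off the provider's domain: " + lrdd_url)
    # Step 3: the OpenID Connect link in the user's XRD; only an https endpoint is acceptable
    for link in xrd_links(fetch(lrdd_url), OIDC_REL):
        href = link.get("href", "")
        if urlsplit(href).scheme == "https" and urlsplit(href).hostname:
            return href
    raise LookupError("no https OpenID Connect endpoint for " + identifier)


if __name__ == "__main__":
    print(discover_openid_connect("bastian@example.com"))
```

Each hop in the chain is data the client has just been handed by the previous hop, so every hop is re-checked against the one fixed point the client started from, the provider's domain, before anything is sent to the address it yields.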
  39. OpenID Connect @VZ
      - Available now
      - But without the discovery part: no discovering clients, no discoverable entities
  40. VZ-JavaScript Library
      <script src="http://static.pe.studivz.net/Js/id/v3/library.js"
              data-authority="platform-redirect.vz-modules.net/r"
              data-authorityssl="platform-redirect.vz-modules.net/r"
              type="text/javascript"></script>
      <script type="vz/share">
        id: shareButton
        title: title of your site
        description : a description
      </script>
      http://developer.studivz.net/wiki/index.php/JS-Library
  41. Login widget
      <script type="text/javascript">
        function callbackMethod(c) {
          if (c.error) {
            return;
          }
          // c.user_id is the URL of the user's Portable Contacts endpoint (slide 37)
          var url = c.user_id;
          vz.id.login.callApi(url, function(data) {
            console.log(data.entry.displayName);
          });
        }
      </script>
      <script type="vz/login">
        client_id : 1234567890abcdef
        redirect_uri : http://example.com/callback.html
        callback : callbackMethod
        fields : name,emails
      </script>
      http://developer.studivz.net/wiki/index.php/JS-Library
  42. callback.html (the redirect_uri target; in the user-agent profile the access token arrives in the URL fragment, which this page hands back to the window that opened it)
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
      <html>
        <head>
          <title></title>
          <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
        </head>
        <body>
          <script type="text/javascript">
            // location.hash carries the user-agent profile response (access token in the fragment)
            opener.vz.id.authStorage.setAuthParameterHash(location.hash.substr(1));
            window.close();
          </script>
        </body>
      </html>
  43. Thank you
      http://twitter.com/BastianHofmann
      http://studivz.net/bastian
      http://slideshare.net/bashofmann
      bhofmann@vz.net
      http://developer.studivz.net
