The Identity Problem of the Web and how to solve it

  1. Bastian Hofmann, ResearchGate GmbH: The Identity Problem of the Web and how to solve it
  2. Questions? Ask!
  3. http://slideshare.net/bashofmann
  4. Only one identity?
  5. Identity is conveyed by communication. Identity is not fixed but recreated by every communication with your fellows. Expectations of different people result in different identities. (Lothar Krappmann)
  6. Paul Adams: http://www.slideshare.net/padday/the-real-life-social-network-v2
  7. Sign up again and again
  8. Passwords are broken: same password for more than one service; saved insecurely in the browser; names, birthdays, car brand, ...; disclosed to others; too short, too simple; sent over non-encrypted connections
  9. Single Sign On
  10. Microsoft Live ID: launched 1999 as .NET Passport
  11. Facebook Connect
  12. And there are many more
  13. Nascar problem
  14. Aggregation: http://www.janrain.com/
  15. OpenID: http://openid.net/
  16. The Client
  17. http://bhofmann.myopenid.com
  18. http://bhofmann.myopenid.com
  19. stackoverflow.com: HTTP POST of the identifier http://bhofmann.myopenid.com
  20. stackoverflow.com: HTTP GET http://bhofmann.myopenid.com (discovery)
  21. stackoverflow.com finds in the returned page: <link rel="openid2.provider" href="http://www.myopenid.com/server" />
  22. stackoverflow.com <-> myopenid.com/server: establish shared secret (Diffie-Hellman)
  23. HTTP Redirect to http://myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  24. HTTP GET myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  25. Login at myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  26. Grant permission at myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
  27. HTTP Redirect to http://stackoverflow.com/?assertion...
  28. HTTP GET stackoverflow.com: verify assertion
  29. DEMO: http://stackoverflow.com/ and https://www.myopenid.com/
  30. Authentication vs Authorization. Authentication: Who is the user? Is this really user X? Authorization: Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (social graph).
  31. But there are spec extensions
  32. Additional parameters on the redirects
  33. Simple Registration
  34. Request: openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender
      Response: openid.sreg.fullname=Bastian&openid.sreg.gender=male
  35. Attribute Exchange
  36. Fetch request:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=fetch_request
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.type.gender=http://example.com/schema/gender
      openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.count.fav_movie=3
      openid.ax.required=fname,gender
      openid.ax.if_available=fav_dog,fav_movie
      openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  37. Fetch response:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=fetch_response
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.type.gender=http://example.com/schema/gender
      openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.value.fname=John Smith
      openid.ax.count.gender=0
      openid.ax.value.fav_dog=Spot
      openid.ax.count.fav_movie=2
      openid.ax.value.fav_movie.1=Movie1
      openid.ax.value.fav_movie.2=Movie2
      openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
  38. Store request:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=store_request
      openid.ax.type.fname=http://example.com/schema/fullname
      openid.ax.value.fname=Bob Smith
      openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
      openid.ax.count.fav_movie=2
      openid.ax.value.fav_movie.1=Movie1
      openid.ax.value.fav_movie.2=Movie2
  39. Store response:
      openid.ns.ax=http://openid.net/srv/ax/1.0
      openid.ax.mode=store_response_success
  40. http://oauth.net/
  41. Pre-registration of the client (lanyrd.com) at Twitter (twitter.com): shared Consumer Key, shared Consumer Secret
  42. lanyrd.com: HTTP POST "Connect with Twitter"
  43. lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Redirect URI, Signature (Consumer Secret)
  44. twitter.com -> lanyrd.com: Request Token, Request Token Secret
  45. HTTP Redirect to http://twitter.com/authorize?requestToken=...&consumerKey=...
  46. HTTP GET twitter.com/authorize
  47. Login at twitter.com/authorize
  48. Grant permission at twitter.com/authorize: create verifier and bind it to user and Request Token
  49. HTTP Redirect to Redirect URI?verifier=...&requestToken=...
  50. HTTP GET lanyrd.com (Redirect URI?verifier=...)
  51. lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Request Token, Verifier, Signature (Consumer & Request Token Secret)
  52. twitter.com -> lanyrd.com: Access Token, Access Token Secret
  53. lanyrd.com -> twitter.com: API request with Consumer Key, Access Token, Signature (Consumer & Access Token Secret)
  54. OpenID + OAuth: combines OpenID authentication and OAuth authorization.
      Request: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
      Response: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
  55. OpenID is dead
  56. „OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
  57. „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook), http://www.quora.com/What-s-wrong-with-OpenID
  58. Failures of OpenID 2.0: complex to implement; no marketing („Do you have an OpenID? What is it?“); URL as identifier => bad user experience
  59. Facebook Connect: 250,000,000 monthly users
  60. So let's all use Facebook?
  61. How to fix it?
  62. Easier to implement; better user experience; built on top of OAuth 2.0; simpler specification; wider adoption
  63. What's wrong with OAuth? Does not work well with non-web or JavaScript-based clients; the „Invalid Signature“ problem; complicated flow, many requests
  64. http://oauth.net/
  65. What's new in OAuth2? (Draft 10): no signatures; cookie-like bearer token; different client profiles; no token secrets; no request tokens; mandatory TLS/SSL; much more flexible regarding extensions. http://tools.ietf.org/html/draft-ietf-oauth-v2
  66. Web-Server Profile
  67. Pre-registration of the client (lanyrd.com) at Twitter (twitter.com): shared Client ID, shared Client Secret, Redirect URI
  68. lanyrd.com: HTTP(S) POST "Connect with Twitter"
  69. HTTPS Redirect to http://twitter.com/authorize?&clientId=...
  70. HTTPS GET twitter.com/authorize
  71. Login at twitter.com/authorize
  72. Grant permission at twitter.com/authorize: create authorization code and bind it to user and Client ID
  73. HTTPS Redirect to Redirect URI?authorizationCode=...
  74. HTTPS GET lanyrd.com (Redirect URI?authorizationCode=...)
  75. lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Authorization Code, Consumer Secret
  76. twitter.com -> lanyrd.com: Access Token (Refresh Token)
  77. lanyrd.com -> twitter.com: HTTPS API request with Access Token
  78. lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Refresh Token, Consumer Secret
  79. twitter.com -> lanyrd.com: Access Token, Refresh Token
  80. User-Agent Profile
  81. lanyrd.com: open popup http://twitter.com/authorize?&clientId=...
  82. twitter.com/authorize: HTTPS GET
  83. twitter.com/authorize: Login
  84. twitter.com/authorize: Grant permission
  85. twitter.com/authorize -> lanyrd.com: HTTPS Redirect to RedirectURI#accessToken
  86. lanyrd.com: parse Access Token from the fragment (RedirectURI#accessToken), send it to the opening window, close popup
  87. Same Origin Policy
  88. lanyrd.com -> twitter.com: HTTPS Ajax request to API with Access Token
  89. Same Origin Policy
  90. JSONP
  91. Cross-Origin Resource Sharing (CORS)
  92. Client (lanyrd.com) -> Backend (api.twitter.com): AJAX; Access-Control-Allow-Origin: *; http://www.w3.org/TR/cors/
  93. What happened to signatures? Bearer tokens are fine over a secure connection. Vulnerable if discovery is introduced, or if TLS/SSL is not possible, so OAuth 1.0 signatures are alternatively available.
  94. Scopes: optional parameter for provider-specific implementations; additional return values; access control
  95. Scope „openid“: with the access token additional values are returned: UserID, URL to Portable Contacts endpoint, timestamp, signature. http://openidconnect.com/
  96. https://github.com/vznet/vz_id_democlient, http://opensocial-demo.vz-modules.net/vzid/index.php
  97. DEMO
  98. OpenID Connect Discovery: get the identifier of the user; call the /.well-known/host-meta file at the domain of the user's provider; look for a link pointing to the OpenID Connect endpoints in the returned LRDD
  99. http://example.com/.well-known/host-meta, http://tools.ietf.org/html/draft-nottingham-site-meta
  100. http://code.google.com/p/webfinger/
  101. http://www.oexchange.org/
  102. Phishing
  103. @ E-mail address equals identity?
  104. Can the browser help?
  105. FOAF+SSL (WebID): http://esw.w3.org/Foaf%2Bssl
  106. DEMO: http://trunk.ontowiki.net/ and http://www.w3.org/wiki/Foaf%2Bssl/IDP
  107. Bad browser UI: syncing between different computers? More than one user on the same computer?
  108. Mozilla UX Mockups
  109. https://browserid.org/
  110. DEMO: http://myfavoritebeer.org/ and https://addons.mozilla.org/en-US/firefox/addon/browser-sign-in/
  111. Summing it up: we need a single sign-on system for the web; proprietary solutions are bad for users, site owners and developers; OpenID is cool, but has some problems; a new, simpler and more flexible spec is coming up; browser vendors are working to solve this problem in the browser
  112. Rate and Comment: http://spkr8.com/t/8738
  113. http://twitter.com/BastianHofmann, https://profiles.google.com/bashofmann, http://lanyrd.com/people/BastianHofmann/, http://slideshare.net/bashofmann, mail@bastianhofmann.de
