Understanding OpenID

Published in: Technology, Design

3 Comments
  • Great!!!
  • Thanks for this very good presentation!!! Helped me a lot!!!
  • Very good work. Thanks

Understanding OpenID

  1. By Prabath Siriwardena, WSO2
  2. Why OpenID?
  3. Too many passwords
  4. Duplicated profiles everywhere
  5. Oops! My favorite user name... GONE!
  6. Why OpenID?
  7. OpenID solves them all!
  8. Single user name/password
  9. Single user profile
  10. Claim your URL as your user name
  11. What is OpenID?
  12. OpenID is a URL or an XRI
  13. http://prabath.myopenid.com
  14. http://www.prabathsiriwardena.com
  15. =prabath
  16. Who gives me an OpenID?
  17. OpenID Providers [OP] issue OpenIDs and maintain user profiles
  21. Who accepts my OpenID?
  22. Any web site can accept OpenIDs for sign in
  23. 13,196 unique web sites seen by myOpenID.com to accept OpenID, by May 2008
  27. With OpenID we simply maintain a single user name/password pair
  35. With OpenID we authenticate once at the OP and sign in to the rest of the OpenID relying party web sites
  36. That is Single Sign On
  37. OpenID facilitates decentralized single sign on
  38. What is "decentralized"?
  39. NOT centralized
  40. No central server or authority
  41. Remember Microsoft Passport: that is centralized; there is a central server
  42. With OpenID anybody can be an OpenID Provider
  43. Once again: what is OpenID?
  44. OpenID is a URL or an XRI which facilitates decentralized single sign on
  45. I enter my OpenID at the RP. How does the RP know who my OpenID Provider is?
  46. The process of finding the corresponding OpenID Provider from a given OpenID is known as 'Discovery'.
  47. Just type your OpenID in the browser: http://prabath.myopenid.com
  49. BUT that is not what we wanted; just 'view source'
  50. <link rel="openid.server" href="http://www.myopenid.com/server" />
      <link rel="openid2.provider" href="http://www.myopenid.com/server" />
  51. Why are there two tags pointing to the same OpenID Provider URL?
  52. openid.server -> OpenID 1.1
      openid2.provider -> OpenID 2.0
  53. This form of discovery is known as 'HTML-Based Discovery'
  54. What is 'HTML-Based Discovery'?
  55. Under HTML-Based discovery, an HTML document MUST be available at the URL of the Claimed Identifier, and the RP retrieves the document with an HTTP GET
  56. Within the HEAD element of the document a LINK element MUST be included with attributes "rel" set to "openid2.provider" and "href" set to an OP Endpoint URL
  57. That is what we noticed earlier.
  58. Any other forms of Discovery other than HTML-Based?
  59. XRDS-Based discovery [will be covered later]
  60. My OpenID is http://prabath.myopenid.com. BUT I do NOT own that URL; it's under the control of myOpenID, not mine
  61. This type of identifier is known as an OP-Local Identifier (when you sign in with it directly it is also your Claimed Identifier; the two only differ when you delegate, as below)
  62. What is an OP-Local Identifier?
  63. An alternate Identifier for an end user that is local to a particular OP and thus not necessarily under the end user's control.
  64. Can I use my own URL as my OpenID?
  65. Of course you can, and that is known as the "Claimed Identifier"
  66. What is a Claimed Identifier?
  67. An Identifier that the end user claims to own
  68. I own a URL, but I am not an OpenID Provider. Can I still use my URL as my OpenID?
  69. YES, you can
  70. Say the URL I own, my claimed identifier, is http://www.prabathsiriwardena.com
  71. I also have an account with myOpenID and my OP-Local identifier is http://prabath.myopenid.com
  72. I can use my claimed identifier as my OpenID by delegating the OpenID Provider functionality to myOpenID
  73. <link href='http://www.myopenid.com/server' rel='openid2.provider openid.server'/>
      <link href='http://prabath.myopenid.com/' rel='openid2.local_id openid.delegate'/>
  74. With this approach we are never limited to a single OpenID Provider.
  75. If we lose faith in the OpenID Provider we can move to another, while still keeping the original OpenID
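The HTML-based discovery of slides 50-56, with the delegation tags of slide 73, as an added stand-alone example (not code from the deck or from WSO2). It takes the HTML an RP fetched from the Claimed Identifier URL and returns the OP Endpoint URL and the OP-Local Identifier, preferring the OpenID 2.0 tags over the 1.1 ones and ignoring any LINK element outside HEAD. The HTML samples are constructed from the deck's two snippets; the LiveJournal and evil.example URLs are made up.

```python
"""HTML-based OpenID discovery with delegation.

Added stand-alone example, not the deck's or WSO2's code.  Input: the HTML an
RP fetched with GET from the Claimed Identifier URL.  Output: the OP Endpoint
URL and the OP-Local Identifier, OpenID 2.0 tags preferred over 1.1 tags.
The HTML samples below are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib.parse import urlsplit


class _HeadLinks(HTMLParser):
    """Collect rel-token -> href for <link> elements inside <head> only."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        if tag == "head":
            self._in_head = True
        elif tag == "body":
            self._done = True          # the spec puts LINK in HEAD; ignore anything later
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            # rel may carry several tokens: rel='openid2.provider openid.server'
            if rel and href and urlsplit(href).scheme in ("http", "https"):
                for token in rel.lower().split():
                    self.links.setdefault(token, href.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False
            self._done = True


def discover(claimed_id: str, html: str) -> Optional[dict]:
    """Return the OP endpoint and OP-Local Identifier found in the HTML, or None."""
    parser = _HeadLinks()
    parser.feed(html)
    links = parser.links
    # (rel of the endpoint tag, rel of the local-identifier tag, protocol version), 2.0 first
    for endpoint_rel, local_rel, version in (
        ("openid2.provider", "openid2.local_id", "2.0"),
        ("openid.server", "openid.delegate", "1.1"),
    ):
        if endpoint_rel in links:
            return {
                "version": version,
                "claimed_id": claimed_id,
                "op_endpoint": links[endpoint_rel],
                # no delegation tag: the Claimed Identifier is also the OP-Local Identifier
                "op_local_id": links.get(local_rel, claimed_id),
            }
    return None


# Constructed samples: DELEGATED is the deck's slide-73 markup, DIRECT the slide-50 markup
DELEGATED_HTML = """<html><head><title>Prabath</title>
<link href='http://www.myopenid.com/server' rel='openid2.provider openid.server'/>
<link href='http://prabath.myopenid.com/' rel='openid2.local_id openid.delegate'/>
</head><body>home page</body></html>"""

DIRECT_HTML = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
</head><body></body></html>"""

LEGACY_HTML = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml" />
<link rel="openid.delegate" href="http://www.livejournal.com/users/example/" />
</head><body></body></html>"""

# A tag outside HEAD (say, injected through a comment box) must not redirect the login
BODY_ONLY_HTML = """<html><head><title>x</title></head><body>
<link rel="openid2.provider" href="http://evil.example/server" />
</body></html>"""

if __name__ == "__main__":
    for name, html in (("delegated", DELEGATED_HTML), ("direct", DIRECT_HTML),
                       ("legacy", LEGACY_HTML), ("body-only", BODY_ONLY_HTML)):
        print(name, discover("http://www.prabathsiriwardena.com", html))
```

The RP must fetch the Claimed Identifier URL itself; the user-supplied identifier is only a starting point, never the endpoint, and the BODY_ONLY sample shows why a tag found anywhere in the page is not good enough.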
  76. I maintain a single user name/password pair for all my relying party web sites. Will OpenID make a difference for me?
  77. Of course, in two ways.
  78. Even if you have the same user name/password for all the relying party web sites, you still need to maintain your profile data in different places.
  79. Also, what if you lose your password? You will lose access to all your relying party web sites.
  80. But isn't that the case under OpenID as well? If you lose your password to the OpenID Provider you lose access to all relying party web sites that depend on the OpenID.
  81. No, it's not.
  82. With OpenID, if your OpenID is a claimed identifier you control, losing the password at one OP does not lose you the identity: you re-point the delegation tags in your own URL to another OP and the relying parties keep recognizing the same OpenID.
  83. I own a URL and I use it as my OpenID Claimed Identifier. What if I could not renew my domain name? Now somebody else owns it.
  84. You own an OpenID as long as you can claim ownership of the URL behind it
  85. You lose the ownership of the URL, you lose your OpenID as well
  86. BUT...
  87. XRI based OpenIDs solve this issue
  88. You never lose the ownership of the i-number behind an XRI, so you never lose your XRI based OpenID
  89. What is an XRI? What is an i-number?
  90. eXtensible Resource Identifier
  91. A globally unique identifier [just as Domain Names]
  92. URL, Phone Number, Email are concrete identifiers
  93. XRI is an abstract identifier
  94. Concrete identifiers represent actual resources in a network
  95. Abstract identifiers are used to find concrete identifiers
  96. XRI is an abstract identifier which can be mapped to concrete identifiers [e.g.: URL, email]
  97. XRI syntax defines two forms of XRIs
  98. i-names and i-numbers
  99. i-names are human-friendly identifiers
  100. =prabath
  101. i-numbers are typically machine-friendly identifiers
  102. =!BFC9.75B7.9B2.11C4
  103. i-names are intended to be re-assignable identifiers, just like domain names
  104. i-numbers are intended to be persistent
  105. If your OpenID is your i-number, you never lose it
  106. How does an OpenID RP discover an XRI based OpenID?
  107. XRDS based discovery [which we did not cover earlier]
  108. HTML based discovery returns an HTML page [discussed earlier]
  109. XRDS based discovery returns an XRDS document
  110. eXtensible Resource Descriptor Sequence
  111. <?xml version="1.0" encoding="UTF-8"?>
      <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
        <XRD ref="xri://=example">
          <!-- service section -->
          <!-- XRI resolution service -->
          <Service>
          </Service>
          <!-- OpenID 2.0 login service -->
          <Service priority="10">
          </Service>
          <!-- OpenID 1.0 login service -->
          <Service priority="20">
          </Service>
        </XRD>
      </xrds:XRDS>
  112. XRDS based discovery: NOT just for XRI based OpenIDs
  113. XRDS based discovery can also be used for URL based OpenID discovery
  114. If a URL, XRDS based discovery will use the Yadis protocol for discovery
  115. If an XRI, XRDS based discovery will use XRI resolution
  116. A given XRDS document can define multiple services
  117. <!-- XRI resolution service -->
      <Service>
        <ProviderID>xri://=!F83.62B1.44F.2813</ProviderID>
        <Type>xri://$res*auth*($v*2.0)</Type>
        <MediaType>application/xrds+xml</MediaType>
        <URI priority="10">http://resolve.example.com</URI>
        <URI priority="15">http://resolve2.example.com</URI>
        <URI>https://resolve.example.com</URI>
      </Service>
  118. <!-- OpenID 2.0 login service -->
      <Service priority="10">
        <Type>http://specs.openid.net/auth/2.0/signon</Type>
        <URI>http://www.myopenid.com/server</URI>
        <LocalID>http://example.myopenid.com/</LocalID>
      </Service>
  119. <!-- OpenID 1.0 login service -->
      <Service priority="20">
        <Type>http://openid.net/server/1.0</Type>
        <URI>http://www.livejournal.com/openid/server.bml</URI>
        <openid:Delegate>http://www.livejournal.com/users/example/</openid:Delegate>
      </Service>
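Picking the OpenID service out of the XRDS document of slides 111-119, as an added stand-alone example (not the deck's or WSO2's code). This is the selection an RP performs once Yadis or XRI resolution has fetched the XRDS: skip services whose Type is not an OpenID type (the XRI resolution service), order services and URIs by the XRI priority rule (lower number first, no priority last), and read the OP-Local Identifier from LocalID (2.0) or openid:Delegate (1.x). The document is the deck's example, assembled into one string; the https URI with priority 5 in the 2.0 service is added here to show the ordering, and the set of recognised Type URIs is this example's own choice.

```python
"""Select the OpenID service endpoint from an XRDS document.

Added stand-alone example, not the deck's or WSO2's code.  The XRDS below is
the deck's example assembled into one string; the https URI in the 2.0
service is added here to show priority ordering.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID1_NS = "http://openid.net/xmlns/1.0"

# Service Type URIs this example recognises -> (version, rank); lower rank preferred on ties
OPENID_TYPES = {
    "http://specs.openid.net/auth/2.0/server": ("2.0", 0),   # OP Identifier (identifier_select)
    "http://specs.openid.net/auth/2.0/signon": ("2.0", 1),
    "http://openid.net/signon/1.1": ("1.1", 2),
    "http://openid.net/signon/1.0": ("1.0", 3),
    "http://openid.net/server/1.0": ("1.0", 3),              # the Type used in the deck's 1.0 service
}


def _kids(el, name: str, ns: str = XRD_NS) -> list:
    return [c for c in el if c.tag == f"{{{ns}}}{name}"]


def _priority(el) -> float:
    """XRI priority rule: lower number wins, an element without a priority comes last."""
    p = el.get("priority")
    return float(p) if p is not None else float("inf")


def select_openid_service(xrds_xml: str) -> Optional[dict]:
    root = ET.fromstring(xrds_xml.encode("utf-8"))
    candidates = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in _kids(svc, "Type") if t.text]
        known = sorted((OPENID_TYPES[t] for t in types if t in OPENID_TYPES), key=lambda v: v[1])
        if not known:
            continue                      # e.g. the XRI resolution service: not an OpenID endpoint
        uris: List[str] = [u.text.strip() for u in sorted(_kids(svc, "URI"), key=_priority) if u.text]
        if not uris:
            continue
        version, rank = known[0]
        local = _kids(svc, "LocalID") if version == "2.0" else _kids(svc, "Delegate", OPENID1_NS)
        candidates.append((_priority(svc), rank, {
            "version": version,
            "endpoints": uris,            # try in this order, fall back to the next on failure
            "local_id": local[0].text.strip() if local and local[0].text else None,
        }))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]))
    return candidates[0][2]


# Constructed document pieces (the deck's example, plus one added https URI)
XRDS_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
             '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" '
             'xmlns:openid="http://openid.net/xmlns/1.0">\n<XRD ref="xri://=example">\n')
XRDS_TAIL = "</XRD>\n</xrds:XRDS>\n"
RESOLUTION_SERVICE = """<Service>
  <ProviderID>xri://=!F83.62B1.44F.2813</ProviderID>
  <Type>xri://$res*auth*($v*2.0)</Type>
  <MediaType>application/xrds+xml</MediaType>
  <URI priority="10">http://resolve.example.com</URI>
  <URI priority="15">http://resolve2.example.com</URI>
  <URI>https://resolve.example.com</URI>
</Service>
"""
OPENID2_SERVICE = """<Service priority="10">
  <Type>http://specs.openid.net/auth/2.0/signon</Type>
  <URI priority="5">https://www.myopenid.com/server</URI>
  <URI priority="10">http://www.myopenid.com/server</URI>
  <LocalID>http://example.myopenid.com/</LocalID>
</Service>
"""
OPENID1_SERVICE = """<Service priority="20">
  <Type>http://openid.net/server/1.0</Type>
  <URI>http://www.livejournal.com/openid/server.bml</URI>
  <openid:Delegate>http://www.livejournal.com/users/example/</openid:Delegate>
</Service>
"""


def xrds(*services: str) -> str:
    return XRDS_HEAD + "".join(services) + XRDS_TAIL


SAMPLE_XRDS = xrds(RESOLUTION_SERVICE, OPENID2_SERVICE, OPENID1_SERVICE)

if __name__ == "__main__":
    print(select_openid_service(SAMPLE_XRDS))
    print(select_openid_service(xrds(RESOLUTION_SERVICE, OPENID1_SERVICE)))
```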
  120. What attributes can my RP get from the OpenID Provider?
  121. Under OpenID, attribute flow is defined by two main extensions
  122. OpenID Simple Registration Extension [SReg]
  123. OpenID Attribute Exchange [AX]
  124. OpenID Simple Registration allows for very light-weight profile exchange
  125. It is designed to pass nine commonly requested pieces of information when an End User goes to register a new account with a web service
  126. The RP can request the required/optional attributes from the OP with the Authentication request
  127. nickname, email, fullname, dob, gender, postcode, country, language, timezone
  128. OpenID Attribute Exchange is for exchanging identity information between endpoints
  129. Not limited to a predefined set of attributes
  130. With AX: not just fetch attributes from the OP, but also store attributes at the OP
  131. AX defines messages for retrieval [fetch] and storage [store] of identity information
  132. "fetch": retrieves attribute information from an OpenID Provider
  133. "store": saves or updates attribute information on the OpenID Provider
  134. Both messages originate from the RP and travel as indirect messages (through the User-Agent, inside the authentication request)
  135. Under AX each attribute is identified by a URI
  136. There are two popular schemas which define the attribute type URIs
  137. http://schema.openid.net & http://www.axschema.org
  138. Under http://schema.openid.net the attribute "email" is identified as "http://schema.openid.net/contact/email"
  139. Under http://www.axschema.org the attribute "email" is identified as "http://axschema.org/contact/email"
  140. myOpenID.com supports http://schema.openid.net
  141. The RP can request the required/optional attributes from the OP with the Authentication request
  142. [Demo]: Attribute flow with WSO2 OpenID Demo RP: https://is.test.wso2.org/javarp
  143. Why does Yahoo NOT trust my RP, while all the other OpenID Providers do?
  144. "This web site has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate."
  145. Yahoo supports OpenID 2 and it does OpenID Relying Party Discovery
  146. With OpenID RP Discovery, RPs should publish their valid return_to URLs in an XRDS document.
  147. To get rid of the Yahoo! warning the RP needs to publish this XRDS where Yadis discovery on its realm (openid.realm, normally the RP's site root) will find it; the OP then checks that the return_to URL in the request matches one of the published return_to URLs.
  148. RP discovery also allows any software agent to discover sites that support OpenID
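The two OP-side checks behind the Yahoo! warning of slides 143-148, as an added stand-alone example (not the deck's, Yahoo's or WSO2's code): first, whether the return_to URL lies inside the realm (the realm matching rules of the OpenID 2.0 spec, section 9.2); second, whether the RP has published that return_to in an XRDS at its realm (RP discovery, section 9.2.1). The XRDS is constructed and passed in as a string, since a real OP fetches it by Yadis discovery on the realm; the host names are made up. Each listed return_to URL is matched with the same rules as a realm, the approach the python-openid library's server-side check takes, and the "at least two labels after the wildcard" rule is a simple stand-in for a public-suffix check.

```python
"""OP-side return_to verification: realm matching plus RP discovery.

Added stand-alone example, not the deck's, Yahoo's or WSO2's code.  The RP's
XRDS is constructed and passed in, since a real OP fetches it by Yadis
discovery on the realm; host names are made up.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
DEFAULT_PORT = {"http": 80, "https": 443}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Realm rules: same scheme and port; host equal, or under a '*.' wildcard;
    realm path is the URL path or a parent directory of it; no fragment in the realm."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme not in DEFAULT_PORT or u.scheme != r.scheme:
        return False
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    if not rhost or not uhost:
        return False
    if rhost.startswith("*."):
        suffix = rhost[2:]
        if "." not in suffix:                   # reject over-broad realms such as http://*.com/
            return False
        if uhost != suffix and not uhost.endswith("." + suffix):
            return False
    elif uhost != rhost:
        return False
    if (r.port or DEFAULT_PORT[r.scheme]) != (u.port or DEFAULT_PORT[u.scheme]):
        return False
    rpath, upath = r.path or "/", u.path or "/"
    if rpath.endswith("/"):
        return upath.startswith(rpath)
    return upath == rpath or upath.startswith(rpath + "/")   # /app must not match /application


def _kids(el, name: str) -> list:
    return [c for c in el if c.tag == f"{{{XRD_NS}}}{name}"]


def published_return_to_urls(rp_xrds: str) -> List[str]:
    """URIs of every return_to service in the RP's XRDS document."""
    root = ET.fromstring(rp_xrds.encode("utf-8"))
    urls: List[str] = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in _kids(svc, "Type") if t.text}
        if RETURN_TO_TYPE in types:
            urls += [u.text.strip() for u in _kids(svc, "URI") if u.text]
    return urls


def verify_return_to(return_to: str, realm: str, rp_xrds: Optional[str]) -> str:
    """'realm-mismatch': reject the request.  'unverified': realm check passed but
    discovery could not confirm the RP (show the warning).  'ok': confirmed."""
    if not return_to_matches_realm(return_to, realm):
        return "realm-mismatch"
    if rp_xrds is None:
        return "unverified"
    for listed in published_return_to_urls(rp_xrds):
        if return_to_matches_realm(return_to, listed):
            return "ok"
    return "unverified"


# Constructed RP XRDS: the kind of document that silences the warning
RP_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example.com/openid/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

if __name__ == "__main__":
    realm = "https://rp.example.com/"
    for rt in ("https://rp.example.com/openid/return?sid=42",
               "https://rp.example.com/other",
               "https://evil.example.net/openid/return"):
        print(rt, "->", verify_return_to(rt, realm, RP_XRDS))
```

A return_to outside the realm must be rejected regardless of what the XRDS says: the realm is what the user sees on the OP's consent page, so a return_to elsewhere would let a rogue RP harvest the assertion under another site's name.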
  149. Am I correct to say that OpenID is a phishing heaven?
  150. Not really!
  151. OpenID does NOT address the problem of phishing
  152. To the same extent any web site is exposed to phishing, OpenID is exposed to phishing too. (The step an attacker imitates is the redirect to the OP's login page: a rogue RP can send the user to a look-alike OP instead.)
  153. There are many approaches taken individually by OpenID Providers to protect their users against phishing.
  154. Yahoo Sign In Seal
  156. SeatBelt plugin for Firefox
  159. Information Card based login
  162. Login to the OpenID Provider with a bookmark
  164. Can OpenID RPs request OpenID Providers to authenticate users in a phishing resistant manner?
  165. YES, they can
  166. OpenID Provider Authentication Policy Extension [PAPE]
  167. [Demo]: PAPE demo with WSO2 OpenID Demo RP: https://is.test.wso2.org/javarp
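How an RP carries SReg and AX (slides 120-142) and PAPE (slides 164-167) in one authentication request, and how it reads the extension data back out of the positive assertion, as an added stand-alone example (not the deck's or WSO2's code; the endpoint, realm and return_to URLs and the sample response are constructed). Two checks that are easy to miss are built in: the OP chooses its own namespace alias (it need not be "ax"), so aliases are resolved by namespace URI; and an extension value counts only if its field appears in openid.signed, since anything else on the redirect could have been added by whoever controls the user-agent. Verifying the signature itself is a separate step not covered here.

```python
"""SReg, AX and PAPE in the authentication request, and reading them back.

Added stand-alone example, not the deck's or WSO2's code.  All URLs and the
sample response are constructed.  Signature verification is not done here;
this only decides which extension fields are covered by openid.signed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
AX_EMAIL = "http://axschema.org/contact/email"
AX_FULLNAME = "http://axschema.org/namePerson"


def build_auth_request(op_endpoint: str, claimed_id: str, op_local_id: str,
                       return_to: str, realm: str) -> str:
    """Redirect URL for the authentication request, with the three extensions attached."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": op_local_id,
        "openid.return_to": return_to, "openid.realm": realm,
        # SReg: fixed field names, split into required and optional
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.required": "email", "openid.sreg.optional": "nickname,fullname",
        # AX fetch request: attribute type URIs bound to short aliases chosen by the RP
        "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
        "openid.ax.type.email": AX_EMAIL, "openid.ax.type.fullname": AX_FULLNAME,
        "openid.ax.required": "email", "openid.ax.if_available": "fullname",
        # PAPE: ask for phishing-resistant authentication no older than 5 minutes
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
        "openid.pape.max_auth_age": "300",
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def parse_return_url(url: str) -> dict:
    """Parameters the OP sent back on the return_to redirect."""
    return dict(parse_qsl(urlsplit(url).query))


def extract_extensions(resp: dict) -> dict:
    """Extension data from a positive assertion, keeping only signed fields."""
    if resp.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    signed = set(resp.get("openid.signed", "").split(","))
    # the OP picks the alias; find it by namespace URI (openid.ns.<alias> = URI)
    alias = {v: k[len("openid.ns."):] for k, v in resp.items() if k.startswith("openid.ns.")}
    out = {"ax": {}, "sreg": {}, "pape_policies": [], "phishing_resistant": False}

    ax = alias.get(AX_NS)
    if ax and f"ns.{ax}" in signed and resp.get(f"openid.{ax}.mode") == "fetch_response":
        for key, type_uri in resp.items():
            if not key.startswith(f"openid.{ax}.type."):
                continue
            a = key[len(f"openid.{ax}.type."):]
            count = resp.get(f"openid.{ax}.count.{a}")      # multi-valued attributes carry a count
            fields = ([f"{ax}.value.{a}"] if count is None
                      else [f"{ax}.value.{a}.{i}" for i in range(1, int(count) + 1)])
            if f"{ax}.type.{a}" not in signed or any(f not in signed for f in fields):
                continue                                    # unsigned: could have been injected
            values = [resp[f"openid.{f}"] for f in fields if f"openid.{f}" in resp]
            if values:
                out["ax"][type_uri] = values if count is not None else values[0]

    sreg = alias.get(SREG_NS)
    if sreg and f"ns.{sreg}" in signed:
        for key, val in resp.items():
            if key.startswith(f"openid.{sreg}.") and key[len("openid."):] in signed:
                out["sreg"][key[len(f"openid.{sreg}."):]] = val

    pape = alias.get(PAPE_NS)
    if pape and f"ns.{pape}" in signed and f"{pape}.auth_policies" in signed:
        policies = resp.get(f"openid.{pape}.auth_policies", "none")
        if policies != "none":                              # "none" means no policy was applied
            out["pape_policies"] = policies.split()
            out["phishing_resistant"] = PHISHING_RESISTANT in out["pape_policies"]
    return out


# Constructed response: the OP aliased AX as "ext1" and left ext1.value.fullname unsigned
SAMPLE_RESPONSE = {
    "openid.ns": OPENID_NS, "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "http://www.prabathsiriwardena.com/",
    "openid.identity": "http://prabath.myopenid.com/",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2008-06-10T08:00:00Zabc", "openid.assoc_handle": "assoc-1",
    "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": AX_EMAIL, "openid.ext1.value.email": "prabath@example.com",
    "openid.ext1.type.fullname": AX_FULLNAME, "openid.ext1.value.fullname": "Not Signed",
    "openid.ns.sreg": SREG_NS, "openid.sreg.email": "prabath@example.com",
    "openid.sreg.nickname": "prabath",
    "openid.ns.pape": PAPE_NS, "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-06-10T08:00:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
                     "ns.ext1,ext1.mode,ext1.type.email,ext1.value.email,ext1.type.fullname,"
                     "ns.sreg,sreg.email,sreg.nickname,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.sig": "(verified in a separate step)",
}

if __name__ == "__main__":
    print(build_auth_request("https://op.example/server", "http://www.prabathsiriwardena.com/",
                             "http://prabath.myopenid.com/", "https://rp.example/openid/return",
                             "https://rp.example/"))
    print(extract_extensions(SAMPLE_RESPONSE))
```

PAPE is a request, not a guarantee: the OP reports what it actually did in openid.pape.auth_policies, so an RP that requires phishing-resistant login has to check the response, as extract_extensions does, rather than assume the preference was honoured.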
  168. How strong is OpenID against Man-in-the-Middle attacks?
  169. This requires explaining what an 'OpenID Association' is
  170. A given OpenID relying party can be either Dumb or Smart (the 2.0 spec calls these stateless and stateful)
  171. Smart relying parties maintain a shared secret key with the OpenID Provider, while Dumb relying parties maintain no state (they ask the OP to verify each signature with a direct check_authentication request)
  172. We talk about 'OpenID Associations' only for 'Smart' RPs
  173. 'OpenID Association' takes place just after 'Discovery' and establishes a 'Shared Secret Key' between the OpenID Relying Party and the OpenID Provider
  174. OpenID uses Diffie-Hellman key exchange to establish the shared secret (the DH-SHA1 and DH-SHA256 session types; over TLS the no-encryption session type may send the MAC key directly)
  175. Diffie-Hellman key exchange allows two parties to jointly establish a shared secret key over an insecure communications channel
  176. The 'Shared Secret Key' is used to sign (HMAC-SHA1 or HMAC-SHA256) subsequent messages exchanged between the OpenID Relying Party and the OpenID Provider
  177. 'OpenID Association' is a direct communication between the OpenID Provider and the RP
  178. Under OpenID, HTTP POST is used for all Direct Communications
  179. Still we have NOT answered the original question
  180. How strong is OpenID against Man-in-the-Middle attacks?
  181. Associations prevent tampering of signed fields by a man in the middle, except during discovery and association sessions
  182. BUT if DNS resolution or the transport layer is compromised, signatures on messages are not adequate (the spec's own answer is HTTPS with properly validated certificates for discovery and the association endpoint)
  183. How do we handle Man-in-the-Middle attacks for discovery and association sessions?
  184. One solution is to build a white-list of OpenID Providers and maintain their public key certificates at the RP end
  185. The RP performs an XRDS-based discovery and the OP returns a digitally signed XRDS document
  186. The RP verifies the signature
  187. ALSO...
  188. During an 'Association' the OP can sign the field 'assoc_handle' with its private key and the RP verifies it once received
  189. How good is OpenID at handling DoS attacks?
  190. Within the protocol there are places where a rogue RP could launch a denial of service attack against an OP
  191. This can be done by the RP repeatedly requesting associations, authentication, or verification of a signature
  192. There is nothing in the OpenID protocol messages that allows the OP to quickly check that it is a genuine request
  193. White-listing RPs is not a good solution
  194. OpenID Providers can easily use generic IP based rate-limiting and banning techniques to help combat these sorts of attacks and black-list RPs
  195. It's hard to remember a whole URL as an OpenID?
  196. [Source: http://www.ldap.com/1/commentary/wahl/20070220_01.shtml]
  199. Finally...
  200. The complete OpenID Protocol flow
  201. The end user initiates authentication (Initiation) by presenting a User-Supplied Identifier to the Relying Party via their User-Agent [figure: User-Agent -> RP: http://subject.myopenid.com]
  202. The Relying Party performs discovery (Discovery) on the identifier and establishes the OP Endpoint URL that the end user uses for authentication
  203. (optional) The Relying Party and the OP establish an association (Establishing Associations) [figure: RP <-> OP: Association request, Association response]
  204. The OP uses the association to sign subsequent messages and the Relying Party uses it to verify those messages
  205. The Relying Party redirects the end user's User-Agent to the OP with an OpenID Authentication request (Requesting Authentication)
  206. The end user authenticates to the OP [figure: User-Agent -> OP: authenticate]
  207. The OP redirects the end user's User-Agent back to the Relying Party with either an assertion that authentication is approved (Positive Assertions) or a message that authentication failed (Negative Assertions).
  208. The Relying Party verifies (Verifying Assertions) the information received from the OP: that return_to matches the current request, that op_endpoint and the identifiers match what discovery produced, that the response_nonce is recent and has not been seen before, and that the signature over the signed fields checks out (with the association's key, or through a direct check_authentication request for a stateless RP)
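Steps 3, 4, 7 and 8 of the flow above, and the association material of slides 168-178, run end to end as an added stand-alone example (not the deck's or WSO2's code): a DH-SHA256 association, an HMAC-SHA256 signed positive assertion, and the RP-side checks of spec section 11, including a replay of the same assertion and an assertion with one signed field altered. OP and RP are simulated in one process, with dicts standing in for the HTTP POST (direct) and redirect (indirect) messages. The DH modulus is a toy value, the Mersenne prime 2**127-1, not the spec's default modulus; every URL is made up.

```python
"""DH-SHA256 association, signed positive assertion, and RP verification.

Added stand-alone example, not the deck's or WSO2's code.  Both sides run in
one process; dicts stand in for the direct (POST) and indirect (redirect)
messages.  P is a toy modulus, NOT the spec's default; URLs are made up.
"""
import base64, hashlib, hmac, os, time
from datetime import datetime, timezone

NS = "http://specs.openid.net/auth/2.0"
P, G = 2**127 - 1, 2          # toy DH group for demonstration only
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"

def btwoc(n: int) -> bytes:
    """Big-endian two's complement of a non-negative integer (spec 4.2): top bit stays 0."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def unb64_int(s: str) -> int:
    return int.from_bytes(base64.b64decode(s), "big")

def sign(mac_key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over the Key-Value form of the openid.signed fields, in that order (spec 6.1)."""
    kv = "".join(f"{f}:{msg['openid.' + f]}\n" for f in msg["openid.signed"].split(","))
    return b64(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest())

def dh_private(p: int) -> int:
    return int.from_bytes(os.urandom(16), "big") % (p - 2) + 1

class OP:
    def __init__(self, endpoint: str):
        self.endpoint, self.assocs, self.counter = endpoint, {}, 0

    def associate(self, req: dict) -> dict:              # direct request (HTTP POST)
        if (req["openid.assoc_type"], req["openid.session_type"]) != ("HMAC-SHA256", "DH-SHA256"):
            return {"error": "unsupported-type"}
        p, g = unb64_int(req["openid.dh_modulus"]), unb64_int(req["openid.dh_gen"])
        xb, mac_key = dh_private(p), os.urandom(32)
        shared = pow(unb64_int(req["openid.dh_consumer_public"]), xb, p)
        mask = hashlib.sha256(btwoc(shared)).digest()   # DH-SHA256: H(btwoc(g^(xa*xb))) XOR mac_key
        self.counter += 1
        handle = f"assoc-{self.counter}"
        self.assocs[handle] = mac_key
        return {"assoc_handle": handle, "expires_in": "1209600",
                "dh_server_public": b64(btwoc(pow(g, xb, p))),
                "enc_mac_key": b64(bytes(a ^ b for a, b in zip(mask, mac_key)))}

    def positive_assertion(self, handle: str, claimed_id: str, identity: str, return_to: str) -> dict:
        self.counter += 1                                # nonce: UTC timestamp + unique suffix (spec 10.1)
        nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + f"n{self.counter}"
        msg = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": self.endpoint,
               "openid.claimed_id": claimed_id, "openid.identity": identity,
               "openid.return_to": return_to, "openid.response_nonce": nonce,
               "openid.assoc_handle": handle, "openid.signed": SIGNED}
        msg["openid.sig"] = sign(self.assocs[handle], msg)
        return msg

class RP:
    NONCE_SKEW = 300                                     # seconds of clock skew tolerated

    def __init__(self):
        self.assocs, self.seen_nonces = {}, set()

    def associate(self, op: OP) -> str:
        xa = dh_private(P)
        resp = op.associate({"openid.ns": NS, "openid.mode": "associate",
                             "openid.assoc_type": "HMAC-SHA256", "openid.session_type": "DH-SHA256",
                             "openid.dh_modulus": b64(btwoc(P)), "openid.dh_gen": b64(btwoc(G)),
                             "openid.dh_consumer_public": b64(btwoc(pow(G, xa, P)))})
        mask = hashlib.sha256(btwoc(pow(unb64_int(resp["dh_server_public"]), xa, P))).digest()
        mac_key = bytes(a ^ b for a, b in zip(mask, base64.b64decode(resp["enc_mac_key"])))
        self.assocs[resp["assoc_handle"]] = (op.endpoint, mac_key, time.time() + int(resp["expires_in"]))
        return resp["assoc_handle"]

    def verify(self, msg: dict, expected_return_to: str, discovered: tuple):
        """discovered = (op_endpoint, claimed_id, op_local_id) from discovery.  Returns (ok, reason)."""
        if msg.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if msg.get("openid.return_to") != expected_return_to:
            return False, "return_to mismatch"
        if (msg.get("openid.op_endpoint"), msg.get("openid.claimed_id"), msg.get("openid.identity")) != discovered:
            return False, "assertion does not match discovered information"
        assoc = self.assocs.get(msg.get("openid.assoc_handle"))
        if assoc is None or assoc[0] != msg["openid.op_endpoint"] or assoc[2] < time.time():
            return False, "unknown or expired association"   # a stateless RP would POST check_authentication
        nonce = msg.get("openid.response_nonce", "")
        try:
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        except ValueError:
            return False, "malformed nonce"
        if abs(time.time() - ts) > self.NONCE_SKEW or nonce in self.seen_nonces:
            return False, "stale or replayed nonce"
        listed = msg.get("openid.signed", "").split(",")
        if not set(SIGNED.split(",")) <= set(listed) or any(f"openid.{f}" not in msg for f in listed):
            return False, "required fields not signed"
        if not hmac.compare_digest(sign(assoc[1], msg), msg.get("openid.sig", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce)                      # record only once every other check passed
        return True, "ok"

def run_flow() -> dict:
    """A valid assertion, the same assertion replayed, and one with a signed field altered."""
    op, rp = OP("https://op.example/server"), RP()
    handle = rp.associate(op)                                                   # step 3
    discovered = (op.endpoint, "http://www.prabathsiriwardena.com/", "http://prabath.myopenid.com/")
    return_to = "https://rp.example/openid/return?sid=7f3a"
    assertion = op.positive_assertion(handle, discovered[1], discovered[2], return_to)   # step 7
    results = {"valid": rp.verify(assertion, return_to, discovered)}           # step 8
    results["replay"] = rp.verify(assertion, return_to, discovered)
    tampered = dict(assertion, **{"openid.response_nonce": assertion["openid.response_nonce"] + "x"})
    results["tampered"] = rp.verify(tampered, return_to, discovered)
    return results

if __name__ == "__main__":
    print(run_flow())
```

The order of checks in verify mirrors section 11 of the spec: cheap comparisons against what the RP already knows first, then the nonce, then the HMAC; and the nonce is recorded as seen only after the signature has been accepted, otherwise an attacker could burn a legitimate nonce with a forged message.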
  209. Useful Links
      http://openid.net
      http://www.openidbook.com/
      OpenID mailing list: http://openid.net/mailman/listinfo/general
      AXSchema mail group: http://groups.google.com/group/axschema
      Blogs: http://www.blogged.com/tag/openid
      My blog: http://facilelogin.com
      WSO2 Identity Solution download page: http://wso2.org/projects/solutions/identity
      WSO2 OpenID Demo OP: https://is.test.wso2.org
      WSO2 OpenID Demo RP: https://is.test.wso2.org/javarp
  210. Next Webinar, on 17th June: Introducing WSO2 ESB 1.7. Now open for registration: http://wso2.com/about/news/esb-webinar-june-17/
  211. Questions... Thank you!
