
Understanding OpenID

25,323 views


Published in: Technology, Design
  • Great !!!
  • Thanks for this very good presentation!!! Helped me a lot!!!
  • Very good work. Thanks

Understanding OpenID

  1. By Prabath Siriwardena, WSO2
  2. Why OpenID???
  3. Too many passwords
  4. Duplicated profiles everywhere
  5. Oops..!!! My favorite user name… GONE…!!!
  6. Why OpenID???
  7. OpenID solves them all…!!!
  8. Single user name/password
  9. Single user profile
  10. Claim your URL as your user name
  11. What is OpenID???
  12. OpenID is a URL or an XRI
  13. http://prabath.myopenid.com
  14. http://www.prabathsiriwardena.com
  15. =prabath
  16. Who gives me an OpenID???
  17. OpenID Providers [OP] issue OpenIDs and maintain user profiles
  21. Who accepts my OpenID???
  22. Any web site can accept OpenIDs for sign in
  23. 13,196 unique web sites seen by myOpenID.com to accept OpenID, by May 2008
  27. With OpenID we simply maintain a single user name/password pair…..
  35. With OpenID we authenticate once at the OP and sign in to the rest of the OpenID relying party web sites….
  36. That is Single Sign On
  37. OpenID facilitates decentralized single sign on
  38. What is “decentralized”???
  39. NOT centralized
  40. No central server – or authority
  41. Remember Microsoft Passport: that is centralized – there is a central server
  42. With OpenID anybody can be an OpenID Provider
  43. Once again – What is OpenID???
  44. OpenID is a URL or an XRI which facilitates decentralized single sign on
  45. I enter my OpenID at the RP – how does the RP know who my OpenID Provider is???
  46. The process of finding the corresponding OpenID Provider from a given OpenID is known as ‘Discovery’.
  47. Just type your OpenID in the browser: http://prabath.myopenid.com
  49. BUT… that is not what we wanted – just ‘view source’
  50. <link rel="openid.server" href="http://www.myopenid.com/server" />
      <link rel="openid2.provider" href="http://www.myopenid.com/server" />
  51. Why are there two tags pointing to the same OpenID Provider URL???
  52. openid.server → OpenID 1.1; openid2.provider → OpenID 2.0
  53. This form of discovery is known as ‘HTML-Based Discovery’
  54. What is ‘HTML-Based Discovery’???
  55. Under HTML-Based discovery, an HTML document MUST be available at the URL of the Claimed Identifier, and the RP retrieves the document with an HTTP GET
  56. Within the HEAD element of the document a LINK element MUST be included with attributes "rel" set to "openid2.provider" and "href" set to an OP Endpoint URL
  57. That is what we noticed earlier.
  58. Any other forms of Discovery other than HTML-Based???
  59. XRDS-Based discovery [will be covered later…]
  60. My OpenID is http://prabath.myopenid.com. BUT… I do NOT own that URL… it’s under the control of myOpenID – not mine
  61. This type of identifier is known as an OP-Local Identifier
  62. What is an OP-Local Identifier???
  63. An alternate Identifier for an end user that is local to a particular OP and thus not necessarily under the end user's control.
  64. Can I use my own URL as my OpenID???
  65. Of course you can – and that is known as the “Claimed Identifier”
  66. What is a Claimed Identifier???
  67. An Identifier that the end user claims to own
  68. I own a URL – but I am not an OpenID Provider – can I still use my URL as my OpenID???
  69. YES – you can
  70. Say, the URL I own, or my claimed identifier, is http://www.prabathsiriwardena.com
  71. I also have an account with myOpenID and my OP-Local identifier is http://prabath.myopenid.com
  72. I can use my claimed identifier as my OpenID – by delegating the OpenID Provider functionality to myOpenID
  73. <link href='http://www.myopenid.com/server' rel='openid2.provider openid.server'/>
      <link href='http://prabath.myopenid.com/' rel='openid2.local_id openid.delegate'/>
  74. With this approach we are never limited to a single OpenID Provider.
  75. If we lose faith in the OpenID Provider we can move to another – while still keeping the original OpenID
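The HTML-based discovery described in slides 55 to 73, as an added Python example that is not part of the deck: it reads the LINK elements in HEAD, prefers the OpenID 2.0 relations over the 1.1 ones, and returns the OP endpoint plus the OP-local identifier (the delegation target). The two sample pages are constructed from the markup shown on slides 50 and 73; everything else is an assumption of this example.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple


class _HeadLinkParser(HTMLParser):
    """Collects the rel/href pairs of <link> elements found inside <head> only."""

    def __init__(self) -> None:
        super().__init__()
        self.in_head = False
        self.links: List[Tuple[Set[str], str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                # rel may carry several tokens, e.g. 'openid2.provider openid.server'
                self.links.append((set(a["rel"].lower().split()), a["href"].strip()))

    def handle_endtag(self, tag: str) -> None:
        if tag == "head":
            self.in_head = False


def html_discover(document: str) -> Dict[str, Optional[str]]:
    """HTML-based discovery over the page served at the Claimed Identifier.

    Prefers the OpenID 2.0 relations (openid2.provider / openid2.local_id) and
    falls back to the 1.1 ones (openid.server / openid.delegate). A page without
    a provider link yields all-None values: the identifier cannot be used.
    """
    parser = _HeadLinkParser()
    parser.feed(document)

    def first(rel: str) -> Optional[str]:
        return next((href for rels, href in parser.links if rel in rels), None)

    for version, provider_rel, local_rel in (("2.0", "openid2.provider", "openid2.local_id"),
                                            ("1.1", "openid.server", "openid.delegate")):
        endpoint = first(provider_rel)
        if endpoint:
            return {"version": version, "op_endpoint": endpoint, "op_local_id": first(local_rel)}
    return {"version": None, "op_endpoint": None, "op_local_id": None}


# Constructed sample: the page an OP serves for an OP-Local Identifier (slide 50) ...
OP_LOCAL_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
</head><body>profile</body></html>"""

# ... and the page at a self-owned Claimed Identifier that delegates to that OP (slide 73).
# The link in BODY is outside HEAD and must be ignored, as the spec requires.
DELEGATING_PAGE = """<html><head>
<link href='http://www.myopenid.com/server' rel='openid2.provider openid.server'/>
<link href='http://prabath.myopenid.com/' rel='openid2.local_id openid.delegate'/>
</head><body>
<link rel="openid2.provider" href="http://ignored.example/server" />
</body></html>"""
```

With the delegating page the RP sends the OP-local identifier as openid.identity and keeps the claimed identifier as openid.claimed_id, which is what lets the user later move to another OP without changing the URL.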
  76. I maintain a single user name/password pair for all my relying party web sites… will OpenID make a difference for me???
  77. Of course, in two ways.
  78. Even if you have the same user name/password for all the relying party web sites – you still need to maintain your profile data in different places.
  79. Also, what if you lose your password? You will lose access to all your relying party web sites.
  80. But isn’t that the case under OpenID as well? If you lose your password to the OpenID Provider you lose access to all relying party web sites that depend on the OpenID.
  81. No – it’s not.
  82. With OpenID – if it is a claimed identifier – you never lose your password.
  83. I own a URL – and I use it as my OpenID Claimed Identifier. What if I could not renew my domain name???? Now somebody else owns it…..
  84. You own an OpenID as long as you can claim ownership of the URL behind it
  85. You lose the ownership of the URL – you lose your OpenID as well
  86. BUT…
  87. XRI-based OpenIDs solve this issue
  88. You never lose ownership of the i-number behind an XRI – so you never lose your XRI-based OpenID
  89. What is an XRI??? What is an i-number???
  90. eXtensible Resource Identifier
  91. A Globally Unique Identifier [just like Domain Names]
  92. URL, Phone Number, Email are concrete identifiers
  93. XRI is an abstract identifier
  94. Concrete identifiers represent actual resources in a network
  95. Abstract identifiers are used to find concrete identifiers
  96. XRI is an abstract identifier which can be mapped to concrete identifiers [e.g.: URL, email]
  97. XRI syntax defines two forms of XRIs
  98. i-names and i-numbers
  99. i-names are human-friendly identifiers
  100. =prabath
  101. i-numbers are typically machine-friendly identifiers
  102. =!BFC9.75B7.9B2.11C4
  103. i-names are intended to be re-assignable identifiers, just like domain names
  104. i-numbers are intended to be persistent
  105. If your OpenID is your i-number – you never lose it
  106. How does an OpenID RP discover an XRI-based OpenID???
  107. XRDS-based discovery [which we did not cover earlier]
  108. HTML-based discovery returns an HTML page [discussed earlier]
  109. XRDS-based discovery returns an XRDS document
  110. eXtensible Resource Descriptor Sequence
  111. <?xml version="1.0" encoding="UTF-8"?>
      <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
        <XRD ref="xri://=example">
          <!-- service section -->
          <!-- XRI resolution service -->
          <Service>
          </Service>
          <!-- OpenID 2.0 login service -->
          <Service priority="10">
          </Service>
          <!-- OpenID 1.1 login service -->
          <Service priority="20">
          </Service>
        </XRD>
      </xrds:XRDS>
  112. XRDS-based discovery – NOT just for XRI-based OpenIDs
  113. XRDS-based discovery – can also be used for URL-based OpenID discovery
  114. If a URL – XRDS-based discovery will use the Yadis protocol for discovery
  115. If an XRI – XRDS-based discovery will use XRI resolution
  116. A given XRDS document can define multiple services
  117. <!-- XRI resolution service -->
      <Service>
        <ProviderID>xri://=!F83.62B1.44F.2813</ProviderID>
        <Type>xri://$res*auth*($v*2.0)</Type>
        <MediaType>application/xrds+xml</MediaType>
        <URI priority="10">http://resolve.example.com</URI>
        <URI priority="15">http://resolve2.example.com</URI>
        <URI>https://resolve.example.com</URI>
      </Service>
  118. <!-- OpenID 2.0 login service -->
      <Service priority="10">
        <Type>http://specs.openid.net/auth/2.0/signon</Type>
        <URI>http://www.myopenid.com/server</URI>
        <LocalID>http://example.myopenid.com/</LocalID>
      </Service>
  119. <!-- OpenID 1.0 login service -->
      <Service priority="20">
        <Type>http://openid.net/server/1.0</Type>
        <URI>http://www.livejournal.com/openid/server.bml</URI>
        <openid:Delegate>http://www.livejournal.com/users/example/</openid:Delegate>
      </Service>
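Service selection over an XRDS document, as an added Python example that is not part of the deck: it covers slides 111 to 119, picking the OpenID service an RP should use by version, then by Service priority, then by URI priority, and reading the OP-local identifier from LocalID (2.0) or openid:Delegate (1.x). The sample document is constructed from the fragments on the slides; the priority on the second URI and the absent-priority rule (a Service or URI without a priority sorts after every numbered one, as in XRI resolution) are assumptions of this example.

```python
import math
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

XRD = "{xri://$xrd*($v*2.0)}"            # XRD 2.0 namespace used by Yadis / XRI resolution
OPENID = "{http://openid.net/xmlns/1.0}"  # namespace of the OpenID 1.x <openid:Delegate> element
TYPE_2_0 = "http://specs.openid.net/auth/2.0/signon"
TYPES_1_X = ("http://openid.net/signon/1.1", "http://openid.net/signon/1.0",
             "http://openid.net/server/1.0")   # the last one is the Type shown on slide 119

# Constructed sample, assembled from the XRDS fragments on the slides (quotes fixed, document closed).
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="20">
      <Type>http://openid.net/server/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/example/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI priority="5">http://www.myopenid.com/server</URI>
      <URI>https://www.myopenid.com/server</URI>
      <LocalID>http://example.myopenid.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""


def _priority(elem: ET.Element) -> float:
    """Lower number wins; a missing priority attribute sorts after every numbered element."""
    value = elem.get("priority")
    return float(value) if value is not None else math.inf


def select_openid_service(xrds_text: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (protocol_version, op_endpoint_url, op_local_identifier) or None if unusable.

    OpenID 2.0 services are preferred over 1.x regardless of priority; within a
    version the lowest-priority Service wins, and within it the lowest-priority URI.
    """
    root = ET.fromstring(xrds_text)
    services = sorted(root.iter(XRD + "Service"), key=_priority)  # stable sort keeps document order on ties
    for version, wanted_types in (("2.0", (TYPE_2_0,)), ("1.x", TYPES_1_X)):
        for svc in services:
            types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
            if not types & set(wanted_types):
                continue
            uris = sorted(svc.findall(XRD + "URI"), key=_priority)
            if not uris or not uris[0].text:
                continue  # a Service with no endpoint URI cannot be used; try the next one
            local = svc.find(XRD + "LocalID") if version == "2.0" else svc.find(OPENID + "Delegate")
            local_id = local.text.strip() if local is not None and local.text else None
            return version, uris[0].text.strip(), local_id
    return None
```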
  120. What attributes can my RP get from the OpenID Provider???
  121. Under OpenID, attribute flow is defined under two main extensions
  122. OpenID Simple Attribute Registration [SReg]
  123. OpenID Attribute Exchange [AX]
  124. OpenID Simple Registration allows for very light-weight profile exchange
  125. It is designed to pass nine commonly requested pieces of information when an End User goes to register a new account with a web service
  126. The RP can request the required/optional attributes from the OP with the Authentication request
  127. nickname, email, fullname, dob, gender, postcode, country, language, timezone
  128. OpenID Attribute Exchange is for exchanging identity information between endpoints
  129. Not limited to a predefined set of attributes
  130. With AX: not just fetch attributes from the OP – but also store attributes at the OP
  131. AX defines messages for retrieval [fetch] and storage [store] of identity information
  132. “fetch”: retrieves attribute information from an OpenID Provider
  133. “store”: saves or updates attribute information on the OpenID Provider
  134. Both messages originate from the RP as indirect messages
  135. Under AX each attribute is identified by a URI
  136. There are two popular schemas which define subject identifiers for attributes
  137. http://schema.openid.net & http://www.axschema.org
  138. Under http://schema.openid.net the attribute “email” is identified as “http://schema.openid.net/contact/email”
  139. Under http://www.axschema.org the attribute “email” is identified as “http://axschema.org/contact/email”
  140. myOpenID.com supports http://schema.openid.net
  141. The RP can request the required/optional attributes from the OP with the Authentication request
  142. [Demo]: Attribute flow with WSO2 OpenID Demo RP: https://is.test.wso2.org/javarp
  143. Why does Yahoo NOT trust my RP – while all the other OpenID Providers do???
  144. “This web site has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate.”
  145. Yahoo supports OpenID 2 and it does OpenID Relying Party Discovery
  146. With OpenID RP Discovery, RPs should publish their valid return_to URLs in an XRDS document.
  147. To get rid of the Yahoo! warning the RP needs to publish this XRDS at the return_to URL.
  148. RP discovery also allows any software agent to discover sites that support OpenID
  149. Am I correct to say that OpenID is a phishing heaven???
  150. Not really…!!!
  151. OpenID does NOT address the problem of phishing
  152. To the same extent that any web site is exposed to phishing – OpenID too is exposed to phishing.
  153. There are many approaches taken individually by OpenID Providers to protect their users against phishing.
  154. Yahoo Sign In Seal
  156. SeatBelt plugin for Firefox
  159. Information Card based login
  162. Login to OpenID Provider with a bookmark
  164. Can OpenID RPs request OpenID Providers to authenticate users in a phishing-resistant manner???
  165. YES – they can
  166. OpenID Provider Authentication Policy Extension [PAPE]
  167. [Demo]: PAPE demo with WSO2 OpenID Demo RP: https://is.test.wso2.org/javarp
  168. How strong is OpenID against Man-in-the-Middle attacks???
  169. This requires explaining what an ‘OpenID Association’ is…
  170. A given OpenID relying party can be either Dumb or Smart
  171. Smart relying parties maintain a shared secret key with the OpenID Provider – while Dumb relying parties maintain no state
  172. We talk about ‘OpenID Associations’ only for ‘Smart’ RPs
  173. ‘OpenID Association’ takes place just after ‘Discovery’ and establishes a ‘Shared Secret Key’ between the OpenID Relying Party and the OpenID Provider
  174. OpenID uses Diffie-Hellman key exchange to establish the shared secret
  175. Diffie-Hellman key exchange allows two parties to jointly establish a shared secret key over an insecure communications channel
  176. The ‘Shared Secret Key’ is used to sign subsequent messages exchanged between the OpenID Relying Party and the OpenID Provider
  177. ‘OpenID Association’ is a direct communication between the OpenID Provider and the RP
  178. Under OpenID, HTTP POST is used for all Direct Communications
  179. Still we have NOT answered the original question…
  180. How strong is OpenID against Man-in-the-Middle attacks???
  181. Associations prevent tampering of signed fields by a man in the middle, except during discovery and association sessions
  182. BUT… if DNS resolution or the transport layer is compromised, signatures on messages are not adequate
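The association and signing mechanics of slides 169 to 182, as an added Python example that is not code from the deck or from WSO2: the RP and OP run Diffie-Hellman, the OP masks a fresh MAC key with the DH secret (the DH-SHA256 session type), and the RP later checks an HMAC-SHA256 over the signed fields of an assertion, which is why a tampered claimed_id is rejected. Assumptions: the DH modulus is typed in here as RFC 2409 group 2 (OpenID 2.0 ships its own default modulus in its Appendix B), and the assertion values are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# DH group. Assumption: RFC 2409 group 2 (1024-bit MODP) is typed in here; OpenID 2.0 ships its
# own default modulus (spec Appendix B), which real implementations use instead.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def btwoc(n: int) -> bytes:
    """Shortest big-endian two's-complement encoding (OpenID's integer wire format)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def associate() -> Tuple[bytes, bytes]:
    """DH-SHA256 association: returns the MAC key as derived by the RP and as held by the OP."""
    rp_priv, op_priv = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    rp_pub, op_pub = pow(G, rp_priv, P), pow(G, op_priv, P)   # dh_consumer_public / dh_server_public
    mac_key = secrets.token_bytes(32)                          # OP's fresh HMAC-SHA256 key
    # enc_mac_key = SHA256(btwoc(g^xy mod p)) XOR mac_key: an observer of the exchange cannot unmask it
    enc_mac_key = xor(mac_key, hashlib.sha256(btwoc(pow(rp_pub, op_priv, P))).digest())
    rp_mac_key = xor(enc_mac_key, hashlib.sha256(btwoc(pow(op_pub, rp_priv, P))).digest())
    return rp_mac_key, mac_key

def signature_base(fields: Dict[str, str], signed: List[str]) -> bytes:
    """OpenID 2.0 key-value form: 'key:value\\n' per signed field, without the 'openid.' prefix."""
    return "".join(f"{key}:{fields[key]}\n" for key in signed).encode("utf-8")

def sign(mac_key: bytes, fields: Dict[str, str]) -> Dict[str, str]:
    """OP side: add the signed-field list and an HMAC-SHA256 'sig' to a positive assertion."""
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    out = dict(fields, signed=",".join(signed))
    digest = hmac.new(mac_key, signature_base(out, signed), hashlib.sha256).digest()
    return dict(out, sig=base64.b64encode(digest).decode("ascii"))

def verify(mac_key: bytes, fields: Dict[str, str]) -> bool:
    """RP side: recompute the HMAC over the fields the OP says it signed, compare in constant time."""
    expected = hmac.new(mac_key, signature_base(fields, fields["signed"].split(",")), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(fields["sig"]), expected)

def demo() -> Tuple[bool, bool, bool]:
    """(RP and OP agree on the key, the genuine assertion verifies, a tampered claimed_id is rejected)."""
    rp_key, op_key = associate()
    assertion = sign(op_key, {  # constructed sample assertion; the return_to host is made up
        "op_endpoint": "http://www.myopenid.com/server", "return_to": "https://rp.example/return",
        "response_nonce": "2008-06-01T00:00:00Zabc", "assoc_handle": "demo-handle",
        "claimed_id": "http://www.prabathsiriwardena.com", "identity": "http://prabath.myopenid.com"})
    tampered = dict(assertion, claimed_id="http://someone-else.example")
    return rp_key == op_key, verify(rp_key, assertion), verify(rp_key, tampered)
```

The signature only binds the fields listed in "signed"; the exchange that produced the key (discovery and the association POST) is not itself authenticated, which is the gap slide 182 points at.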
  183. How do we handle Man-in-the-Middle attacks for discovery and association sessions???
  184. One solution is to build a white-list of OpenID Providers and maintain their public key certificates at the RP end
  185. The RP performs an XRDS-based discovery and the OP returns a digitally signed XRDS document
  186. The RP verifies the signature
  187. ALSO…
  188. During an ‘Association’ the OP can sign the field ‘assoc_handle’ with its private key and the RP verifies it once received
  189. How good is OpenID at handling DoS attacks???
  190. Within the protocol there are places where a rogue RP could launch a denial of service attack against an OP
  191. This can be done by the RP repeatedly requesting associations, authentication, or verification of a signature
  192. There is nothing in the OpenID protocol messages that allows the OP to quickly check that it is a genuine request
  193. White-listing RPs is not a good solution
  194. OpenID Providers can easily use generic IP-based rate-limiting and banning techniques to help combat these sorts of attacks and black-list RPs
  195. It’s hard to remember a whole URL as an OpenID???
  196. [Source: http://www.ldap.com/1/commentary/wahl/20070220_01.shtml]
  199. Finally….
  200. The complete OpenID Protocol flow…
  201. The end user initiates authentication (Initiation) by presenting a User-Supplied Identifier to the Relying Party via their User-Agent [http://subject.myopenid.com]
  202. The Relying Party performs discovery (Discovery) on the identifier and establishes the OP Endpoint URL that the end user uses for authentication
  203. (optional) The Relying Party and the OP establish an association (Establishing Associations) [Association request / Association response]
  204. The OP uses an association to sign subsequent messages and the Relying Party uses it to verify those messages
  205. The Relying Party redirects the end user's User-Agent to the OP with an OpenID Authentication request (Requesting Authentication)
  206. End user authenticates to the OP [authenticate]
  207. The OP redirects the end user's User-Agent back to the Relying Party with either an assertion that authentication is approved (Positive Assertions) or a message that authentication failed (Negative Assertions).
  208. The Relying Party verifies (Verifying Assertions) the information received from the OP
  209. Useful Links
      http://openid.net
      http://www.openidbook.com/
      OpenID mailing list: http://openid.net/mailman/listinfo/general
      AxSchema mail group: http://groups.google.com/group/axschema
      Blogs: http://www.blogged.com/tag/openid
      My blog: http://facilelogin.com
      WSO2 Identity Solution download page: http://wso2.org/projects/solutions/identity
      WSO2 OpenID Demo OP: https://is.test.wso2.org
      WSO2 OpenID Demo RP: https://is.test.wso2.org/javarp
  210. Next Webinar…. On 17th June: Introducing WSO2 ESB 1.7. Now open for registration… http://wso2.com/about/news/esb-webinar-june-17/
  211. Questions… Thank you…!
