The document discusses identity management solutions like OpenID and introduces OpenID Connect as an evolution of OpenID that aims to be easier to implement with a better user experience by building on OAuth 2.0. It outlines some of the failures of OpenID 2.0 like being complex to implement and having a URL-based identifier that provides a bad user experience. It then explains some of the improvements in OAuth 2.0 and OpenID Connect like removing signatures, introducing bearer tokens, and adding scopes to provide more flexibility and control over access.

1. Distributed Identities
with OpenID
Bastian Hofmann
VZnet Netzwerke Ltd.

2. About me

3. OpenID is dead

4. „OpenID has been a burden on support
since the day it was launched.“
„Fewer than 1% of all 37signals users are
currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-
support-of-openid-on-may-1.html

5. „OpenID is the worst possible "solution"
I have ever seen in my entire life to a
problem that most people don't really
have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID

6. Facebook Connect
250,000,000 monthly users

7. So why are you here?

8. • Why identity management is still a problem
• OpenID how it works, and why it fails
• OpenID Connect & OAuth2: OpenIDs
future?
• What can browser vendors do?

9. Questions? Ask!

10. Only one identity?

11. Identity is conveyed by communication
Identity is not fixed but recreated by every
communication with your fellows
Expectations of different people result in
different identities
Lothar Krappmann

12. Paul Adams
http://www.slideshare.net/padday/the-real-life-social-network-v2

14. Sign up again and again

15. Passwords are broken
Same password for more than one service
Saved unsecurely in the browser
Names, birthdays, car brand, ...
Disclosed to others
Too short, too simple
Sent over non encrypted connections

16. Single Sign On

17. Microsoft Live ID
Launched 1999 as .net Passport

18. Facebook Connect

20. And there are much more

21. Nascar problem

22. Aggregation: Janrain
http://www.janrain.com/

23. OpenID
http://openid.net/

24. The Client

25. Discovery
<link rel="openid.server" href="http://www.myopenid.com/
server" />
<link rel="openid2.provider" href="http://www.myopenid.com/
server" />
Delegation
<meta http-equiv="X-XRDS-Location" content="http://
bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://
www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://
bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/
server" />
<link rel="openid.delegate" href="http://
bhofmann.myopenid.com/" />

26. Connection Flow

27. DEMO

28. Authentication vs Authorization
Who is the user?
Is this really user X?
VS
Is X allowed to do something?
Does X have the permission?
Client sites want more than just a
unique identifier (Social Graph)

29. But there are Spec Extensions

30. Simple Registration
• Allows to specify certain fields in request that
must or should be returned by the Identity
Provider
openid.sreg.required=openid.sreg.fullname&
openid.sreg.optional=openid.sreg.email,openid.sreg.gender
openid.sreg.fullname=Bastian&openid.sreg.gender=male

31. Attribute Exchange
• Fetch Request
penid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/
favourite_movie
openid.ax.count.fav_movie=3
openid.ax.required=fname,gender
openid.ax.if_available=fav_dog,fav_movie
openid.ax.update_url=http://idconsumer.com/update?
transaction_id=a6b5c41

32. Attribute Exchange
• Fetch Response
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_response
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/
favourite_movie
openid.ax.value.fname=John Smith
openid.ax.count.gender=0
openid.ax.value.fav_dog=Spot
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
openid.ax.update_url=http://idconsumer.com/update?
transaction_id=a6b5c41

33. Attribute Exchange
• Store Request
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.value.fname=Bob Smith
openid.ax.type.fav_movie=http://example.com/schema/
favourite_movie
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
• Store Respons
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_response_success

34. OAuth 1.0a Flow
+----------+ +---------------+
| -+----(B)-- Request Token -------->| |
| End-user | | Authorization |
| at |<---(C)-- User authenticates --->| Server |
| Browser | | |
| -+----(D)-- Verifier -------------<| |
+-|----|---+ +---------------+
| | ^ v
(B) (D) | |
| | | |
^ v | |
+---------+ | |
| |>---(A)-- Redirect URL ---------------| |
| Web |<---(A)-- Request Token + Secret -----| |
| Client |>---(E)-- Request Token, Verifier ----' |
| |<---(E)-- Access Token + Secret -------------'
+---------+
Every Request: Client Credentials, Nonce, Timestamp, Signature
http://oauth.net/

35. OpenID + OAuth
• Combines OpenID Authentication and
OAuth authorization
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
&openid.oauth.consumer=123456
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
&openid.oauth.request_token=7890

36. Failures of OpenID 2.0
Complex to implement
No marketing
Do you have an OpenID?
What is it?
URL as identifier => Bad User Experience

37. How to fix it?

38. Easier to implement
Better user experience
Built on top of OAuth 2.0
More simple specification
wider adption

39. What‘s wrong with OAuth?
Does not work well with non web or
JavaScript based clients
The „Invalid Signature“ Problem
Complicated Flow, many requests

40. What‘s new in OAuth2? (Draft 10)
No signatures
Cookie-like Bearer Token
Different client profiles
No Token Secrets
No Request Tokens
Mandatory TSL/SSL
Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2

41. Web-Server Profile
+----------+ Client Identifier +---------------+
| -+----(A)--- & Redirect URI ------>| |
| End-user | | Authorization |
| at |<---(B)-- User authenticates --->| Server |
| Browser | | |
| -+----(C)-- Authorization Code ---<| |
+-|----|---+ +---------------+
| | ^ v
(A) (C) | |
| | | |
^ v | |
+---------+ | |
| |>---(D)-- Client Credentials, --------' |
| Web | Authorization Code, |
| Client | & Redirect URI |
| | |
| |<---(E)----- Access Token -------------------'
+---------+ (w/ Optional Refresh Token)

42. User-Agent Profile
+----------+ Client Identifier +----------------+
| |>---(A)-- & Redirection URI --->| |
| | | |
End <--+ - - - +----(B)-- User authenticates -->| Authorization |
User | | | Server |
| |<---(C)--- Redirect URI -------<| |
| Client | with Access Token | |
| in | in Fragment +----------------+
| Browser |
| | +----------------+
| |>---(D)--- Redirect URI ------->| |
| | without Fragment | Web Server |
| | | with Client |
| (F) |<---(E)--- Web Page with ------<| Resource |
| Access | Script | |
| Token | +----------------+
+----------+

43. What happend to signatures?
Ongoing controvers discussion
Bearer Tokens are fine over secure connection
Vulnerable if discovery is introduced
Or if TSL/SSL is not possible

44. Scopes
Optional parameter for provider
specific implementations
Additional return values
Access Control

45. Scope: „openid“
With access token additional values are returned
UserID: URL to Portable Contacts endpoint
Timestamp
Signature
http://openidconnect.com/

46. DEMO

47. OpenID Connect
Discovery
Get Identifier of user
Call /.well-­‐known/host-­‐meta file at
the domain of the user‘s provider
Look for a link pointing to the OpenID
Connect endpoints in the returned
LRDD

48. Phishing

49. @ E-mail address
equals identity?

50. Can the browser help?

51. FOAF+SSL (WebID)
http://esw.w3.org/Foaf%2Bssl

52. DEMO

53. Bad browser UI
Syncing between different computers?
More than one user on the same computer?

54. UX Mockups Mozilla
Weave

55. Summing it up
• We need a single sign on system for the
web
• OpenID is cool, but has some problems
• Proprietary solutions are bad for users, site
owners and developers
• A new more simple and flexible spec is
coming up
• Browser vendors are working to solve this
problem in the browser

56. h"p://twi"er.com/Bas2anHofmann
h"p://joind.in/2874
h"p://studivz.net/bas2an
h"p://slideshare.net/bashofmann
bhofmann@vz.net
h"p://developer.studivz.net