OpenID Tutorials

•

3 likes•1,418 views

This document provides an overview of OpenID including: - What OpenID is and how it works by allowing users to log into multiple websites using a single digital identity. - An overview of OpenID 2.0 which introduced improvements like support for XRIs and easier discovery of OpenID providers. - Some security risks associated with OpenID like phishing and how protocols aim to mitigate those risks.

Technology

OpenID Tutorial.
Naofumi HAIDA
from Cirius Technologies.

Table of Contents.

• Self-Introduction.
• What is OpenID?
• OpenID 2.0 quick look.
• Security Issues.
• Other related OpenAPIs.

Self-introduction.
• Working @Cirius Technologies, Inc.
• Architect @Cirius Lab.
• Ruby Programmer.
• GeoAPIs, Twitwi Twitter, Twittalk etc...
• OpenAPIS & Beyond LT

• http://docs.google.com/Presentation?
id=dgp485h4_561dwgpsrcd

Questions.

• OpenID ?

• RP OpenID ?

• OpenID 2.0 ?

• XRI ?

Authentication ( )
ID

Authorization ( )
ID

• Internet Identity Workshop Six Apart Brad
Fitzpatrick OpenID (2005.10)

• Web OpenID
(2007.02)

• Blogger OpenID
(2007.11)

• OpenID Authentication 2.0 & OpenID Attribute Exchange
1.0 (2007.12)

• Blogger OpenID IdP (2008.01)

• Yahoo OpenID 2.0 IdP (2008.01)

• OpenID Foundation Google IBM MS Yahoo!
(2008.02)

• Six Apart Verisign NRI OpenID Japan Foundation
(2008.02)

Many Internet users are “End
User” of OpenID Now!

Total Relying Parties

Borrowed from David Recordon

There are over 11,000
OpenID enable sites!

My Online Proﬁle
scattered across many
sites!

Is an OpenID a URI?
It has changed in OpenID ver 2.0.

OpenID:
Identity URI Web
Authority

http://www.slideshare.net/zigorou/
openid-20-quick-note/

Authorization Authentication Delegation
Privacy Identity Maneger
Trust Control
Single-Sign-On Distributed SSO

https://me.yahoo.co.jp/a/
X4F0sewBfO6V5S31BLZsyz4BnEx0#
fdf84

yahoo.com

※ XRI
xri://=haida 12 $/year
xri://@mixi 55 $/year

identiﬁer

http, https URI
URI
2.0 URI
XRI

Relying Party: RP

Consumer
OpenID Identiﬁer
OP Web
Web

User-Supplied Identiﬁer

RP
Claimed Identiﬁer
OP
Identiﬁer

OP-Local Identiﬁer

OP
Identiﬁer
OP Identiﬁer

How does authentication work
with OpenID ?

1. RP Claimed Identiﬁer HTML
2. openid.server link
3. RP
4. OP
5. OP RP
6. RP

OP delegate Identiﬁer
OpenID 1.1
HTML

OpenID 2.0
XRDS XML

Claimed Identiﬁer XRI
- XRDS

Claimed Identiﬁer URL
- HTML x-xrds-location
URL
- meta http-equiv x-xrds-location
URL
- Content-type application/xrds+xml
XRDS

<?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?>
<xrds:XRDS
xmlns:xrds=quot;xri://$xrdsquot;
xmlns:openid=quot;http://openid.net/xmlns/1.0quot;
xmlns=quot;xri://$xrd*($v*2.0)quot;>
<XRD>
<Service priority=quot;0quot;>
<Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>http://openid.example.com/auth</URI>
</Service>
</XRD>
</xrds:XRDS>

1. Malicious Consumer OpenID

2. Identiﬁer URI
3. Malicious Consumer OP
OP
4. OP OP ID, Password
5.
6. OP

Firefox OpenID SeatBelt (by VeriSign)
-- OpenID
-- Malicious Consumer

Malicious Consumer OP
-- OP

OP nonce

trust_root, return_to
return_to malicious consumer

OP robots.txt OpenID
“Identity Page forquot; site:*.myopenid.com”

OP

OpenID Security !
http://wiki.openid.net/Security

OP RP
AOL OP
http://dev.aol.com/node/578

OP

https

Attribute Exchange
Provider Authentication Policy Extension

Summary

• OpenID
• OpenID 2.0 User Friendly!

• IdP

What's hot

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

Nick Maludy

The OpenID Connect or OAuth frameworks can be used to achieve a range of security levels. Properly used, it mitigates many risks. However, OpenID Connect’s flexibility, combined with its shared ontogeny with OAuth 2.0, creates opportunities for error--developers may not use (or even know about ) certain features necessary to achieve the transaction integrity they desire. The good news is that client software and middleware services can do some of the heavy lifting. You can have the best of both worlds--maximizing security and developer joy. Whether you’re a developer or security architect, what should you look for in an application that acts as an OpenID Connect client?

The Client is not always right! How to secure OAuth authentication from your...

Mike Schwartz

Authentication: Cookies vs JWTs and why you’re doing it wrong

Derek Perkins

Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)

Scott Brady

LASCON 2017: SAML v. OpenID v. Oauth

Mike Schwartz

OpenID Connect 1.0 Explained

Eugene Siow

API Security : Patterns and Practices

Prabath Siriwardena

SAML and Other Types of Federation for Your Enterprise

Denis Gundarev

NIST SP 800-63C #idcon vol.22

Nov Matake

Introduction to SAML 2.0

Mika Koivisto

Internet of Things Security & Privacy

Chris Adriaensen

The Future is Now: What’s New in ForgeRock Directory Services

ForgeRock

IdP, SAML, OAuth

Dan Brinkmann

Openid & Oauth: An Introduction

Steve Ivy

CIS 2015 OpenID Connect and Mobile Applications - David Chase

CloudIDSummit

SAML and Liferay

Mika Koivisto

To guarantee data integrity and confidentiality in Alfresco, we need to implement authentication and encryption at-rest and in-transit. With micro services proliferation, orchestrating platforms, complex topologies of services and multiple programming languages, there is a demand of new ways to manage service-to-service communication, and in some cases, without the application needing to be aware. In addition to that, compliance requirements around encryption and authentication come to the picture requiring new ways to handle them. This talk will review encryption at-rest solutions for ADBP, and will be also discuss about solutions for encryption and authentication between services. This will be an introduction to service mesh and TLS/mTLS. We will see a demo of ACS running with Istio over EKS along with tools like WaveScope, Kiali, Jaeger, Grafana, Service Graph and Prometheus.

Alfresco DevCon 2019: Encryption at-rest and in-transit

Toni de la Fuente

OAuth has become a central security component with respect to a modern REST-based architecture - and several extensions have since been developed, like JWT, OpenID Connect and UMA, to provide a broader coverage. Both server and client development need a good understanding of these concepts to guarantee end-to-end security. In this talk Chris will guide us through the current landscape of OAuth and zoom in on mature (like JWT and OpenID Connect) and uprising extensions (like UMA and Proof of Possession) - but also how to interface with a SOAP-based architecture (like SAML). Don’t forget to bring a towel - but what about silver shoes?

The Hitchhiker's Guide to the Land of OAuth

Chris Adriaensen

Software security is hard. Software security in Microservice Systems is even harder. Microservice-style software architectures have steadily been gaining popularity in recent years. They offer many benefits over traditional monolithic software products, however they also introduce new challenges - one of these being security. In recent years David has worked on this problem in several independent projects, and this talk will draw on his learnings within the topic of authenticating end-users. David will describe, compare and evaluate several authentication options from the perspective of how secure they are and how well they comply with the qualities of a well-designed microservice system. You will leave the talk with suggested evaluation criteria and guidance for implementation based on their use cases.

muCon 2016: Authentication in Microservice Systems By David Borsos

OpenCredo

ASP.NET 13 - Security

Randy Connolly

What's hot (20)

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

The Client is not always right! How to secure OAuth authentication from your...

Authentication: Cookies vs JWTs and why you’re doing it wrong

Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)

LASCON 2017: SAML v. OpenID v. Oauth

OpenID Connect 1.0 Explained

API Security : Patterns and Practices

SAML and Other Types of Federation for Your Enterprise

NIST SP 800-63C #idcon vol.22

Introduction to SAML 2.0

Internet of Things Security & Privacy

The Future is Now: What’s New in ForgeRock Directory Services

IdP, SAML, OAuth

Openid & Oauth: An Introduction

CIS 2015 OpenID Connect and Mobile Applications - David Chase

SAML and Liferay

Alfresco DevCon 2019: Encryption at-rest and in-transit

The Hitchhiker's Guide to the Land of OAuth

muCon 2016: Authentication in Microservice Systems By David Borsos

ASP.NET 13 - Security

Welcome to UiPath Test Automation using UiPath Test Suite series part 2. In this session, we will cover API test automation along with a web automation demo. Topics covered: Test Automation introduction API Example of API automation Web automation demonstration Speaker Pathrudu Chintakayala, Associate Technical Architect @Yash and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 2

DianaGray10

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

Knowledge engineering: from people to machines and back

Elena Simperl

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

You’ve heard good data matters in Machine Learning, but does it matter for Generative AI applications? Corporate data often differs significantly from the general Internet data used to train most foundation models. Join me for a demo on building an open source RAG (Retrieval Augmented Generation) stack using Milvus vector database for Retrieval, LangChain, Llama 3 with Ollama, Ragas RAG Eval, and optional Zilliz cloud, OpenAI.

Introduction to Open Source RAG and RAG Evaluation

Zilliz

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

Recently uploaded (20)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

Bits & Pixels using AI for Good.........

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

UiPath Test Automation using UiPath Test Suite series, part 3

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

When stars align: studies in data quality, knowledge graphs, and machine lear...

Connector Corner: Automate dynamic content and events by pushing a button

In-Depth Performance Testing Guide for IT Professionals

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

UiPath Test Automation using UiPath Test Suite series, part 2

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Knowledge engineering: from people to machines and back

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Introduction to Open Source RAG and RAG Evaluation

Assuring Contact Center Experiences for Your Customers With ThousandEyes

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

OpenID Tutorials

1. OpenID Tutorial. Naofumi HAIDA from Cirius Technologies.

2. Table of Contents. • Self-Introduction. • What is OpenID? • OpenID 2.0 quick look. • Security Issues. • Other related OpenAPIs.

3. Self-introduction. • Working @Cirius Technologies, Inc. • Architect @Cirius Lab. • Ruby Programmer. • GeoAPIs, Twitwi Twitter, Twittalk etc... • OpenAPIS & Beyond LT • http://docs.google.com/Presentation? id=dgp485h4_561dwgpsrcd

4. Questions. • OpenID ? • RP OpenID ? • OpenID 2.0 ? • XRI ?

5. Authentication ( ) ID Authorization ( ) ID

6. Backgrounds.

7. • Internet Identity Workshop Six Apart Brad Fitzpatrick OpenID (2005.10) • Web OpenID (2007.02) • Blogger OpenID (2007.11) • OpenID Authentication 2.0 & OpenID Attribute Exchange 1.0 (2007.12)

8. • Blogger OpenID IdP (2008.01) • Yahoo OpenID 2.0 IdP (2008.01) • OpenID Foundation Google IBM MS Yahoo! (2008.02) • Six Apart Verisign NRI OpenID Japan Foundation (2008.02)

9. Many Internet users are “End User” of OpenID Now!

10. ~ 360 million OpenIDs.

11. Total Relying Parties Borrowed from David Recordon

12. There are over 11,000 OpenID enable sites!

13. What’s for OpenID?

14. We use more and more sites!

15.

16. OpenID solves...

17. Too many passwords!

18. My Online Proﬁle scattered across many sites!

19. What is an OpenID??

20. http://www.hatena.ne.jp/haida/

21. http://proﬁle.livedoor.com/haida

22. http://haida.livejurnal.com/

23. Is an OpenID a URI? It has changed in OpenID ver 2.0.

24. yahoo.com

25. coderepos.org

26. xri://=haida

27. OpenID: Identity URI Web Authority http://www.slideshare.net/zigorou/ openid-20-quick-note/

28. These are not OpenID.

29. Authorization Authentication Delegation Privacy Identity Maneger Trust Control Single-Sign-On Distributed SSO

30. Login with OpenID.

31. Input Claimed Identiﬁer @ RP.

32. Authenticate @ OP.

33. Merits & Demerits of OpenID.

34. End User URI

35. Relying Party - - Sun OpenID Sun Sun

36.

37.

38. 2. OpenID 2.0 Quick look.

39. User-Supplied Identiﬁer

40. URL ID ID

41. https://me.yahoo.co.jp/a/ X4F0sewBfO6V5S31BLZsyz4BnEx0# fdf84 yahoo.com

42. XRI

43. Identity URI XRI

44. xri://=haida

45. xri xri ID i-name

46. = @

47. xri://@yahoo

48. ※ XRI xri://=haida 12 $/year xri://@mixi 55 $/year

49. Terms around OpenID.

50. identiﬁer http, https URI URI 2.0 URI XRI

51. OpenID Provider: OP Ver 1.1 IdP OpenID

52. OP Identiﬁer OP Identiﬁer

53. Relying Party: RP Consumer OpenID Identiﬁer OP Web Web

54. Claimed Identiﬁer URI OP

55. User-Supplied Identifier RP Claimed Identifier OP Identifier

56. OP-Local Identifier OP Identifier OP Identifier

57. How does authentication work with OpenID ?

58.

59.

60. 1. RP Claimed Identiﬁer HTML 2. openid.server link 3. RP 4. OP 5. OP RP 6. RP

61. How does this work?

62.

63.

64. Discovery with XRDS.

65. OP delegate Identiﬁer OpenID 1.1 HTML OpenID 2.0 XRDS XML

66. Claimed Identiﬁer XRI - XRDS Claimed Identiﬁer URL - HTML x-xrds-location URL - meta http-equiv x-xrds-location URL - Content-type application/xrds+xml XRDS

67. <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/server</Type> <URI>http://openid.example.com/auth</URI> </Service> </XRD> </xrds:XRDS>

68. Service Type

69. Security Risks.

70. Phishing.

71.

72. 1. Malicious Consumer OpenID 2. Identiﬁer URI 3. Malicious Consumer OP OP 4. OP OP ID, Password 5. 6. OP

73. Firefox OpenID SeatBelt (by VeriSign) -- OpenID -- Malicious Consumer Malicious Consumer OP -- OP

74. OP nonce trust_root, return_to return_to malicious consumer OP robots.txt OpenID “Identity Page forquot; site:*.myopenid.com” OP

75. RP for Mobile OP RP for Mobile OpenID ?

76. orz..

77. OpenID Security ! http://wiki.openid.net/Security

78. Reputation Problem OP

79. OP RP AOL OP http://dev.aol.com/node/578