OpenID in the Fedora Services

•Download as ODP, PDF•

0 likes•257 views

This document discusses OpenID, an open standard for federated digital identity. OpenID allows users to log into third-party websites using their existing identity, rather than needing separate usernames and passwords for each site. The document outlines how OpenID works, including the roles of providers, relying parties, and endpoints. It also describes extensions used by Fedora, such as Simple Registration, Teams, and CLA, which provide additional user information to relying parties. Finally, it notes that Fedora has rewritten its OpenID provider to fully comply with standards and has migrated many of its services, like Trac, to use centralized OpenID authentication.

Technology Business

In the Fedora services
Patrick Uiterwijk
Presented by
Intern, Red Hat, Inc.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
OpenID

Today's Topics
1. What isOpenID?
2. Howdoesitwork?
3. Extensionsweuse
4. Deploymentstatus

Federatedauthentication
URLisidentity
SayingWHOyouare,ratherthanWHATyouare
What is OpenID?

Provider
Theserverthatverifiedanidentity
RelyingParty(RP)
Thewebsitewheretheuseristryingtologin
Endpoint
TheURLoftheproviderwhichacceptsandhandlesOpenIDprotocolmessages
ClaimedIdentifier
TheidentityoftheuserverifiedbytheProvider
Some terminology

1. TheuserbrowsestoanOpenIDRelyingParty website(e.g.ask.fedoraproject.org)
2. TheuserclicksontheLogInbutton
3. Theuserenterhis/heridentityURL(puiterwijk.id.fedoraproject.org)
4. Theconsumerredirectstheusertotheprovider(id.fedoraproject.org)
5. Theuserauthenticatestotheprovider
6. Theuserisredirectedbacktotheoriginalwebsite,beingauthenticated
Simple process

But.....
It's not that simple
(though this is all the user sees)

Howdoestheconsumerknowwheretoredirecttheuserforauthentication?
Howdoestheconsumerknowforsurethattheuserdidn'tjustbrowsetoitsreturnpage,sayingit's
authenticated?
Some issues

ConsumerdoesarequesttotheURLtheuserprovided
ReturnedHTMLcontainseitherofthefollowing:
HTMLtagsayingwheretheendpointis
HTMLtagsayingwheretofindthediscoveryinfo
HTTPheadersayingwheretofindthediscoveryinfo
Nowwearereadytoredirecttheuser,right?
Well,maybe..
Discovery

Stateful
Afterdiscovery,theRelyingPartyexchangesacryptographickeywiththeproviderwhichisusedforverifyingthe
claimatreturn.
Stateless
Thekeyisgeneratedbytheproviderandreturnedintheresponse.
Whateverhappens,theresponseisvalidatedbyrequestingacheckagainsttheprovider.
Two operational modes

ProvidesomebasicinformationabouttheusertotheRelyingparty:
Nickname
Emailaddress
Timezone
Usedbylotsofrelyingpartiestopre-fillregistrationformsafterauthenticatingwithOpenID.
Simple Registration

Provideaccesstowhattypeofauthenticationwasusedtoverifytheuser:
Username/password
OTPtoken
Tamper-proofOTPtoken
Also,theRelyingPartycanrequireanyspecifictypetobeusedforauthenticationtobesuccessful,orhave
theauthenticationtimeout.
Provider Authentication

ProvidegroupmembershipinformationtotheRelyingParty
Relyingpartysendslistofgroupsitwouldliketoknowiftheuserisamemberof
Theserverreturnsalistofgroupstheuserisactuallyamemberof
NamedteamsbecausethespecwaswrittenbyLaunchpadteam
Teams

ProvideinformationtotheRelyingPartywhetherornottheuserhassignedaContributorLicenseAgreement
(oranyotherformoflicenseagreement)
DifferentURLbasesfordifferentOpenIDproviders
Extensionsdefinedbyus,Fedorateam
CLA

OpenID-providerwasrewrittenfromscratch
HadbeenpartoftheFedoraAccountSystemformanyyears,butwasnotfollowingthestandardscompletely,
sonotcompatiblewithsomeRelyingParties
Addedtheteams,CLAandPAPEextensions
Hasbeenliveforaboutayearnow,withoutmajorincidents
Current provider

FedoraHostedtraclogin
COPR
Tagger
Hyperkitty
Jenkins
Services migrated

Bodhi
Pkgdb
Elections
Wiki
Fedocal
Blockerbugs
.....
Services being migrated

OpenIDisbeingusedtocentralizeourauthentication
LesscustomcodebecauseFASbackendsarelesscommonthanOpenIDbackends
BusymovingallservicesovertousingOpenID
Lastbutnotleast:wesupportotherpeopleusinganyoftheextensions!
Summary

Questions?
ThisworkislicensedunderaCreativeCommonsAttribution-ShareAlike3.0UnportedLicense.
patrick@fedoraproject.org
Contact:

Similar to OpenID in the Fedora Services

OpenID Tutorials

Nao Haida

An Introduction to OpenID

Max Manders

Presented at OSCON 2018. Hyperledger Indy is a distributed ledger built for decentralized identity and is one of the open source frameworks hosted by Hyperledger. It provides tools, libraries, and reusable components for creating and using independent digital identities rooted on blockchains or other distributed ledgers. In this presentation, I introduce The Linux Foundation and Hyperledger. We look at Decentralized Identity Concepts -- identity models, decentralized identity, zero-knowledge proofs, and verifiable credentials. We look at a demo that utilizes Hyperledger Indy and these concepts. We then look at Hyperledger Indy's software stack and roadmap and touch on how you can get involved.

OSCON 2018 Getting Started with Hyperledger Indy

Tracy Kuhrt

Geneva Application Security Forum: Vers une authentification plus forte dans ...

Sylvain Maret

2010 - Fédération des identités et OpenID

Cyber Security Alliance

OpenID and OAuth

Andrea Chiodoni

Open id & OAuth

Paul Fryer

In Today's world, Social networking websites are more popular. There are many web applications or web sites available on the internet so users have multiple accounts to log on the websites to access web service. Most of websites are rely on username and password pair because this method is easy and small for users and administrators of those sites. But Using OpenID, we can easily access service through different provider's username and password like Gmail/Yahoo and many more. There is no procedure for registration. OpenID is Most Popular as an Open Source Identity Provider.

Review on OpenID Authentication Framework

ijsrd.com

How to get along with HATEOAS without letting the bad guys steal your lunch? It’s a cool idea - decouple the client from the server and let the application tell the client what it can do dynamically. This approach should allow much more flexibility and resilience as the client and server can evolve separately. Unfortunately, the HATEOAS approach can be a free lunch for cybercriminals unless you understand the simple steps needed to secure your design. The question is - how to achieve the balance of design flexibility and security in practice? This session will show you how to create a secure hypermedia-driven RESTful web service using HATEOAS principles. You’ll learn how HATEOAS works, understand how it can be exploited by the bad guys and discover why HATEOAS is still a really good approach . With code and examples this session will leave you more informed and possibly a little wiser.

How to get along with HATEOAS without letting the bad guys steal your lunch?

Graham Charters

Holt "Working with Scholarly APIs: A NISO Training Series, Session Two: ORCID"

National Information Standards Organization (NISO)

WAFFLE: Windows Authentication in Java

Daniel Doubrovkine

OpenId Connect Protocol

Michael Furman

Proxy log review and use cases

Mostafa Yahia

SWXG 2010.6.9 v2

Paul Trevithick

SSO with the WSO2 Identity Server

WSO2

Sso with the wso2 identity server

sureshattanayake

Lecture 20101124

Anderson Liang

Using OAuth with PHP

David Ingram

Practical Federated Identity

WSO2

OpenDDR is the ultimate open solution to the device fragmentation issues. Because of the wide diversity of devices available on the market, the developers dealing with web content optimization need to know hardware and software specs of each device. To face this situation the most effective solution is using a Device Description Repository, a database storing a huge amount of information concerning mobile phones, tablets, Interactive TVs, set top boxes and any device with a Web browser.

OpenDDR

Werner Keil

Similar to OpenID in the Fedora Services (20)

OpenID Tutorials

An Introduction to OpenID

OSCON 2018 Getting Started with Hyperledger Indy

Geneva Application Security Forum: Vers une authentification plus forte dans ...

2010 - Fédération des identités et OpenID

OpenID and OAuth

Open id & OAuth

Review on OpenID Authentication Framework

How to get along with HATEOAS without letting the bad guys steal your lunch?

Holt "Working with Scholarly APIs: A NISO Training Series, Session Two: ORCID"

WAFFLE: Windows Authentication in Java

OpenId Connect Protocol

Proxy log review and use cases

SWXG 2010.6.9 v2

SSO with the WSO2 Identity Server

Sso with the wso2 identity server

Lecture 20101124

Using OAuth with PHP

Practical Federated Identity

OpenDDR

Recently uploaded

Unlock the mysteries of successful Salesforce interviews in this insightful session hosted by Hugo Rosario (Salesforce Customer), a seasoned hiring manager that leads the Salesforce Department of multinational company with over 100 interviews under their belt. Step into the manager's chair and gain exclusive behind-the-scenes insights into what makes a Salesforce consultant stand out during the interview process. From deciphering the unspoken cues to mastering key strategies, we'll explore the intricacies of the interview process and provide practical tips for consultants looking to not only pass interviews but also thrive in their roles. Whether you're a seasoned professional or just starting your Salesforce journey, this session is your backstage pass to the secrets that hiring managers wish you knew.

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

CzechDreamin

Knowledge engineering: from people to machines and back

Elena Simperl

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

JMeter webinar - integration with InfluxDB and Grafana

RTTS

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

Screen flow is a powerful automation tool that is commonly designed for internal and external users. However, what about the guest users? We will dive into various methods of launching screen flows and understand how to make them publicly accessible, extending their usability to a broader audience. The presentation will also cover the implementation of security layers and highlight best practices for a smooth and protected user experience. Discover the potential of screen flows beyond conventional use and learn how to leverage them effectively.

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

CzechDreamin

Speed Wins: From Kafka to APIs in Minutes

confluent

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

Already know how to write a basic SOQL query? Great! But what about an *aggregate* SOQL query? You know, the kind that uses aggregate functions like COUNT & MAX along with GROUP BY and HAVING clauses? No? Well, get ready to learn how to slice & dice your org’s data right inside your own dev console. From finding duplicate records to prototyping summary & matrix reports, learn the ins and outs of aggregate queries during this fast-paced but admin-friendly session on advanced SOQL concepts.

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

CzechDreamin

We're living the AI revolution and Salesforce is adapting and bring new value to their customers. Einstein products are evolving rapidly and navigating their limitations, language support, and use cases can be challenging. Let's make review of what Einstein product are available currently, what are the capabilities and what can be used for in CEE region and how Rossie.ai can help to learn Salesforce speak Czech. We will explore the Einstein roadmap and I will make a short live demo (based on your vote) of some Einstein feature.

AI revolution and Salesforce, Jiří Karpíšek

CzechDreamin

The standard Salesforce Approval process can be limiting in many ways, especially in complex scenarios. What if there was a way to implement very flexible approvals where one can use Apex code to make data updates in unrelated records, dynamically generate next steps details, and compute assignees on the fly? And still use UI-based configurations to implement concrete approval processes. In this session, we will share ideas behind such a solution and show a few lines of code to get you started.

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

CzechDreamin

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

IESVE for Early Stage Design and Planning

IES VE

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

Ever caught yourself nodding along when someone mentions "delivering value" in Agile, but secretly wondering what the heck they actually mean? You're not alone! Join us for an eye-opening session where we'll strip away the buzzwords and dive into the heart of Agile—value delivery. But what is "value"? Is it a mythical unicorn in the world of software development, or is there more to this overused term? This isn't going to be a sit-and-get lecture. We're talking about a face-to-face, interactive meetup where YOU play a crucial role. Come along to: Define It: What does "value" really mean? We’ll build a definition that’s not just words, but a compass for your Agile journey. Contextualise It: Discover what value means specifically to you, your team, your company, and your industry. Because one size does not fit all. Deliver It: Share strategies and gather new ones for uncovering and delivering true value—no more shooting in the dark!

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

David Michel

How to differentiate Sales Cloud and CPQ on first glance might be tricky if you do not know where to look and what to look at. You will know :-) Managing the sales process within Salesforce is a common use case that can be managed with standart Sales Cloud. If you want to do entire quoting process you will find out Salesforce CPQ solution exists. What is then the difference if both can handle selling products? You will see comparison of 10 different features, which Sales Cloud and Salesforce CPQ handle differently. Simple question you will always remember if you should consider using Salesforce CPQ will be a cherry on top.

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

CzechDreamin

Recently uploaded (20)

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

Knowledge engineering: from people to machines and back

Designing Great Products: The Power of Design and Leadership by Chief Designe...

JMeter webinar - integration with InfluxDB and Grafana

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Speed Wins: From Kafka to APIs in Minutes

Key Trends Shaping the Future of Infrastructure.pdf

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

AI revolution and Salesforce, Jiří Karpíšek

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

ODC, Data Fabric and Architecture User Group

Assuring Contact Center Experiences for Your Customers With ThousandEyes

Mission to Decommission: Importance of Decommissioning Products to Increase E...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

IESVE for Early Stage Design and Planning

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

OpenID in the Fedora Services

1. In the Fedora services Patrick Uiterwijk Presented by Intern, Red Hat, Inc. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. OpenID

2. Today's Topics 1. What isOpenID? 2. Howdoesitwork? 3. Extensionsweuse 4. Deploymentstatus

3. What is OpenID?

4. Federatedauthentication URLisidentity SayingWHOyouare,ratherthanWHATyouare What is OpenID?

5. How does it work?

6. Provider Theserverthatverifiedanidentity RelyingParty(RP) Thewebsitewheretheuseristryingtologin Endpoint TheURLoftheproviderwhichacceptsandhandlesOpenIDprotocolmessages ClaimedIdentifier TheidentityoftheuserverifiedbytheProvider Some terminology

7. 1. TheuserbrowsestoanOpenIDRelyingParty website(e.g.ask.fedoraproject.org) 2. TheuserclicksontheLogInbutton 3. Theuserenterhis/heridentityURL(puiterwijk.id.fedoraproject.org) 4. Theconsumerredirectstheusertotheprovider(id.fedoraproject.org) 5. Theuserauthenticatestotheprovider 6. Theuserisredirectedbacktotheoriginalwebsite,beingauthenticated Simple process

8. But..... It's not that simple (though this is all the user sees)

9. Howdoestheconsumerknowwheretoredirecttheuserforauthentication? Howdoestheconsumerknowforsurethattheuserdidn'tjustbrowsetoitsreturnpage,sayingit's authenticated? Some issues

10. ConsumerdoesarequesttotheURLtheuserprovided ReturnedHTMLcontainseitherofthefollowing: HTMLtagsayingwheretheendpointis HTMLtagsayingwheretofindthediscoveryinfo HTTPheadersayingwheretofindthediscoveryinfo Nowwearereadytoredirecttheuser,right? Well,maybe.. Discovery

11. Stateful Afterdiscovery,theRelyingPartyexchangesacryptographickeywiththeproviderwhichisusedforverifyingthe claimatreturn. Stateless Thekeyisgeneratedbytheproviderandreturnedintheresponse. Whateverhappens,theresponseisvalidatedbyrequestingacheckagainsttheprovider. Two operational modes

12. Extensions we use

13. ProvidesomebasicinformationabouttheusertotheRelyingparty: Nickname Emailaddress Timezone Usedbylotsofrelyingpartiestopre-fillregistrationformsafterauthenticatingwithOpenID. Simple Registration

14. Provideaccesstowhattypeofauthenticationwasusedtoverifytheuser: Username/password OTPtoken Tamper-proofOTPtoken Also,theRelyingPartycanrequireanyspecifictypetobeusedforauthenticationtobesuccessful,orhave theauthenticationtimeout. Provider Authentication

15. ProvidegroupmembershipinformationtotheRelyingParty Relyingpartysendslistofgroupsitwouldliketoknowiftheuserisamemberof Theserverreturnsalistofgroupstheuserisactuallyamemberof NamedteamsbecausethespecwaswrittenbyLaunchpadteam Teams

16. ProvideinformationtotheRelyingPartywhetherornottheuserhassignedaContributorLicenseAgreement (oranyotherformoflicenseagreement) DifferentURLbasesfordifferentOpenIDproviders Extensionsdefinedbyus,Fedorateam CLA

17. Deployment status

18. OpenID-providerwasrewrittenfromscratch HadbeenpartoftheFedoraAccountSystemformanyyears,butwasnotfollowingthestandardscompletely, sonotcompatiblewithsomeRelyingParties Addedtheteams,CLAandPAPEextensions Hasbeenliveforaboutayearnow,withoutmajorincidents Current provider

19. FedoraHostedtraclogin COPR Tagger Hyperkitty Jenkins Services migrated