OpenID and OAuth

An introduction to OpenID and OAuth

http://andrea-chiodoni.myopenid.com/

Lugano, 16 March 2011

martedì, 15 marzo 2011

Agenda
• Why OpenID and OAuth.

• What is OpenID for users, engineers and developers.

• What is OAuth for users, engineers and developers.

• Conclusions.


Why OpenID and OAuth
• Everyone is using more and more SaaS and social WEB.

• There is a vast amount of data (and functionalities) available.

• WEB based APIs are there to be used.

• It’s a great time to be a developer: you can take advantage of
data and functionalities available “in the cloud”.


... great but:
• too many identities!
• how to deal with authorization?


<OpenID terminology="OpenID">
<![CDATA[

OpenID for users
• Sign-in to multiple websites with one OpenID identity, from
http://openid.net:

• Identities are URI: http://andrea-chiodoni.myopenid.com/

• So, how can I get an OpenID?
• google.com, yahoo.com, ﬂicker.com, ....

• myopenid.com, claimid.com, clavid.com, ...

• http://en.wikipedia.org/wiki/List_of_OpenID_providers

• Just use it!


OpenID for engineers
• OpenID is an identity technology (mainly a protocol).

• I’ll cover (mainly) OpenID 2.0 (December 2007).

• Authentication as a Service (AaaS) enabling Single Sign-on.

• Free and open:

•A foundation (http://openid.net/foundation/) promotes,
protects and nurtures OpenID community and technologies.

• Swiss OpenID community http://www.openid.ch/en/



“Nobody should own this. Nobody’s planning on making
any money from this. The goal is to release every part of
this under the most liberal licenses possible, so there’s no
money or licensing or registering required to play. It beneﬁts
the community as a whole if something like this exists, and
we’re all a part of the community.”

Brad Fitzpatrick
(Founder of LiveJournal weblog community and father of OpenID)


• Decentralised. No central authority must approve or register
Relying Parties or OpenID Providers. An end user can freely
choose which OpenID Provider to use, and can preserve their
Identifier if they switch OpenID Providers.

• Attribute exchange: support for shorter registrations.

• No need of JavaScript (see SAML SSO Browser/POST
profile).

• User-Supplied, Claimed and OP-Local Identifiers.

• OpenID discovery protocol: XRI, XRDS and Yadis.


(2) Normalization,
Discovery of OP endpoint (5) Authentication

(7) Veriﬁcation
(3) Association OpenID
Relying Party
Provider
(4) Authentication request:
HTTP 302

(6) Authentication response:
HTTP 302 + Assertion
(1) Initiation: HTTP POST [positive, negative]
openid_identiﬁer
User-agent

OpenID Authentication protocol 2.0
(http://openid.net/developers/specs/)


OpenID for real engineers
(4) Authentication request: HTTP 302 (URL decoded)
http://www.myopenid.com/server?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://
andrea.chiodoni.myopenid.com/&openid.identity=http://andrea.chiodoni.myopenid.com/
&openid.return_to=http://localhost:7070/postcards/
j_spring_openid_security_check&openid.realm=http://localhost:8080/&openid.assoc_handle={HMAC-
SHA256}{4d63572b}{A2ZnQQ==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/
srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://axschema.org/contact/
email&openid.ext1.type.firstName=http://axschema.org/namePerson/
first&openid.ext1.type.lastName=http://axschema.org/namePerson/last&openid.ext1.type.email2=http://
schema.openid.net/namePerson&openid.ext1.type.fullName=http://schema.openid.net/contact/
email&openid.ext1.required=email,firstName,lastName,email2,fullName


OpenID for real engineers
(6) Authentication response: HTTP 302 + Assertion (URL decoded)
http://localhost:7070/postcards/j_spring_openid_security_check?openid.assoc_handle={HMAC-
SHA256}{4d63572b}{A2ZnQQ==}
&openid.ax.count.email=0&openid.ax.count.email2=1&openid.ax.count.firstName=0&openid.ax.count.f
ullName=1&openid.ax.count.lastName=0&openid.ax.mode=fetch_response&openid.ax.type.email=htt
p://axschema.org/contact/email&openid.ax.type.email2=http://schema.openid.net/
namePerson&openid.ax.type.firstName=http://axschema.org/namePerson/
first&openid.ax.type.fullName=http://schema.openid.net/contact/
email&openid.ax.type.lastName=http://axschema.org/namePerson/
last&openid.ax.value.email2.1=Andrea Chiodonia.Myopenid.Com&openid.ax.value.fullName.
1=andrea.chiodoni@gmail.com&openid.claimed_id=http://chiodonia.myopenid.com/
&openid.identity=http://chiodonia.myopenid.com/&openid.mode=id_res&openid.ns=http://
specs.openid.net/auth/2.0&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.op_endpoint=http://
www.myopenid.com/
server&openid.response_nonce=2011-02-22T06:40:45ZVdy1vV&openid.return_to=http://localhost:
7070/postcards/j_spring_openid_security_check&openid.sig=BpObOdfLDYjdjirp63yQeUU/kmCnvoui/
Sxp1cx6AjI=&openid.signed=assoc_handle,ax.count.email,ax.count.email2,ax.count.firstName,ax.count.f
ullName,ax.count.lastName,ax.mode,ax.type.email,ax.type.email2,ax.type.firstName,ax.type.fullName,ax
.type.lastName,ax.value.email2.1,ax.value.fullName.
1,claimed_id,identity,mode,ns,ns.ax,op_endpoint,response_nonce,return_to,signed

See: http://en.wikipedia.org/wiki/Cryptographic_nonce

OpenID RP for developers
Easy for spring developers using spring security:
<input id="openid_identifier" name="openid_identifier" type="text"/>

<dependency>

<groupId>org.springframework.security</groupId>

<artifactId>spring-security-openid</artifactId>

<version>${spring.security.version}</version>
</dependency>

<http auto-config="true" ...> You may need a mapping
<openid-login/> between your existing user
identity and their OpenID!
</http>
For the rest of the Java community:
http://code.google.com/p/openid4java/


]]>
</OpenID>

<OAuth terminology="OAuth">
<![CDATA[

OAuth for users
User
<<Resource Owner>> Use-case: a user wants to send
postcards using the PostCards
SaaS. Addresses are taken from
a second service on the cloud
Browser call Contacts (see REST API).
<<User-agent>>

/contacts
/postcards
<<Authorization Server>>
<<Client>>
<<Resource Server>>

/contacts/mycontacts
<<REST/JSON API>>

OAuth for users
• Issues:
• Clients are required to store Resource owner creds for Resource Servers.
• Clients need to support Resource servers authentication protocols.
• Clients gain full access to Resource owner protected resources.
• Resource owner can't revoke access.
• OAuth is a security protocol that enables users to grant third-
party access to their web resources without sharing their
passwords, from http://oauth.net:

• Passwords are not nuts: don’t give them away!


OAuth for engineers
• OAuth is a security authorization protocol.

• OAuth 1.0 (IETF RFC5849), around since 2006.

• OAuth 2.0 (IETF draft, V2-13) will obsoletes RFC5849.

• OAuth 2.0 is incompatible with OAuth 1.0.

• OAuth 1.0 must used by OAuth 2.0 adoption is ramping-up
(Facebook, Google since 14.3.2011).

• OAuth 2.0 focus on client simplicity (less cryptographic).

• I’ll cover (mainly) OAuth 2.0, 3-Legged OAuth ﬂow.


OAuth for engineers
• While OAuth can be used with other transport protocols, it is
only deﬁned (bindings) for HTTP(s) resources.

• OAuth can be used on other use-cases, see grant types:
• Authorization code: the one we are going treat.
• Implicit grant: suited for applications residing in a user-agent.
• Resource Owner password credentials: resource owner has a
trust relationship with the client.
• Client credentials: when the client is requesting access to the
protected resources under its control.
• Additional grant types (extensions) like the OAuth-SAML
bridge

OAuth for engineers

<<Authorization Endpoint>>
User

(2.1) Obtaining
<<Resource Owner>>

Authorization
(2.2) Authentication
(2.3) Grant access

Browser
<<User-agent>> <<Authorization Server>>
<<Token Endpoint>> (2.5) Obtaining
(2.4)
<<Redirection URI>> Authorization
(1) Authentication /contacts
(2.6) Protected Resources
(3) Accessing

/postcards
<<Resource Server>>
<<Client>>
<<API>>

OAuth protocol 2.0: Authorization Code Flow
(http://oauth.net/2/)

OAuth for real engineers
(2) Obtaining Authorization: Authorization Code (URL decoded)
(2.1) Authorization Request: client redirects to authorization
endpoint
HTTP/1.1 302 Found
Location: http://localhost:8080/contacts/oauth/user/authorize?client_id=postcards&redirect_uri=http://
localhost:7070/postcards/contacts&response_type=code

(2.2) Authorization Response: authorization server issues an
authorization code and redirects back to the redirection URI
HTTP/1.1 302 Found
Location: http://localhost:7070/postcards/contacts?code=lrbwoF

OAuth protocol 2.0
(http://tools.ietf.org/html/rfc5849)


(2.5) Access Token Request: client POST to token endpoint
POST /contacts/oauth/authorize HTTP/1.1
Accept: application/json, application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&redirect_uri=http://localhost:7070/postcards/
contacts&code=lrbwoF&client_id=postcards

(2.6) Access Token Response (Issuing an Access Token): HTTP
response to (5.1)
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
{
"access_token": "4f919d60-5751-4860-8f3a-253c5700b9c1",
"expires_in": 43199,
"refresh_token": "611ef1d8-d7ed-4a02-9fcb-4dd36468d00c",
"token_type": "undeﬁned"
} OAuth protocol 2.0

(3) Accessing Protected Resources
GET /contacts/mycontacts HTTP/1.1
Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1
Accept: application/json

... even with curl...
curl -i -H Accept:application/json -H "Authorization: OAuth
4f919d60-5751-4860-8f3a-253c5700b9c1" http://localhost:8080/contacts/mycontacts

... and without a valid OAuth token!
curl -i -H Accept:application/json http://localhost:8080/contacts/mycontacts
HTTP/1.1 302 Found
WWW-Authenticate: OAuth2

OAuth protocol 2.0


OAuth for developers
Easy for spring developers using spring security and
OAuth extension:

On the both client and resource server:
<dependency>

<groupId>org.springframework.security.oauth</groupId>

<artifactId>spring-security-oauth</artifactId>

<version>${spring.security.oauth.version}</version>
</dependency>

For the rest of the Java community:
http://code.google.com/p/oauth/


On the client:
Modify your spring security context:

<oauth:client />
<oauth:resource id="contacts" type="authorization_code"

clientId="postcards"
accessTokenUri="http://localhost:8080/contacts/oauth/authorize"

userAuthorizationUri="http://localhost:8080/contacts/oauth/user/authorize" />

Use the OAuth REST template:

org.springframework.security.oauth2.consumer.OAuth2RestTemplate


... and the resource server:
Modify your spring security context:
<beans:bean id="tokenServices"

class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">

<beans:property name="supportRefreshToken" value="true" />
</beans:bean>

<oauth:provider client-details-service-ref="clientDetails"

token-services-ref="tokenServices">

<oauth:verification-code user-approval-page="/oauth/confirm_access" />
</oauth:provider>

<oauth:client-details-service id="clientDetails">

<oauth:client clientId="postcards" authorizedGrantTypes="authorization_code" />
</oauth:client-details-service>

Provide an approval page, see accessConfirmation.jsp


]]>
</OAuth>


Conclusions
• “Free” identities, make data portable!
• Today OpenID is the most successful way to AaaS, maybe not
free of issues (http://www.infoq.com/news/2011/01/OpenID).
OpenID 3.0 should ﬁx most of those issues.
• Initiatives
around DataPortability (http://en.wikipedia.org/wiki/
DataPortability):
• OData, http://www.odata.org/ (Microsoft)
• GData, http://code.google.com/intl/it-IT/apis/gdata/ (Google)
• You may be interested in http://www.springsource.org/spring-
social/


Thanks!
http://andrea-chiodoni.myopenid.com/


OpenID and OAuth

More Related Content

What's hot

Viewers also liked

Similar to OpenID and OAuth

Recently uploaded

OpenID and OAuth