SlideShare a Scribd company logo
Bootcamp

      Simon Willison                            David Recordon
    simonwillison.net                          davidrecordon.com
simon@simonwillison.net                     drecordon@verisign.com


                             OSCON
                          July 24th, 2007
Who are We?
•   David Recordon

•   VeriSign Employee since
    May of 2006

•   OpenID Foundation Vice-
    Chair

•   Co-Author of various
    OpenID specifications

•   Past employee of
    Six Apart, where OpenID
    was created
Who are We?
•   Simon Willison

•   Ex-Yahoo!, now freelance

•   “Europe’s first OpenID
    consultant”

•   Co-creator of the Django
    Web Framework
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
What is OpenID?
OpenID is a
decentralised mechanism
   for Single Sign On
What problems
does it solve?
“Too many passwords!”
“Someone else already
grabbed my username”
“My online profile is
 scattered across
  dozens of sites”
What is an OpenID?
An OpenID is a URI
http://swillison.livejournal.com/
http://simonw.myopenid.com/
http://openid.aol.com/simonwillison/
http://simonwillison.net/
What can you do
with an OpenID?
You can claim
that you own it
You can prove
  that claim
Why is that useful?
You can use it for
 authentication
“Who the heck are you?!”
                                                                                                                                                                                Login?
             Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo



                                                                                                                                                  Search
             Welcome to ExpoCal!
                                                                                                                                                                         Go
             Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends
             are going to see, or tag surf your way to serependity.

                                                                                                                                                  My Schedule
             By Day
                                                                                                                                                  You need to be logged in to keep a
               SUNDAY, APRIL 15,                 MONDAY, APRIL 16,                                              WEDNESDAY, APRIL 18,
                                                                                TUESDAY, APRIL 17, 2007                                           list of talks and sessions you are
                    2007                              2007                                                             2007
                                                                                                                                                  interested in attending.
              Popular Today                    Popular Today                    Popular Today                  Popular Today
                quot;Building Social                 quot;Conference Welcomequot; Tim        quot;Mobile 2.0quot; Ajit Jaokar Mike  quot;Welcomequot; Tim O'Reilly            login | sign up
                Applicationsquot; Stowe Boyd         O'Reilly                        McCue; Ilkka Raiskinen;        quot;Jeff Weiner in Conversation
                quot;High Performance                quot;A Conversation with Jeff       Paola Tonelli                  with John Battellequot; Jeff
                Webpagesquot; Steve                  Bezosquot; Jeffrey P. Bezos         quot;State of the Web 2.0:         Weiner John B...
                Souders Tenni Theurer            quot;Built to Last or Built to      Measuring the Participatory    quot;Web 2.0 for the Enterprise: Is
                quot;Ignitequot;                         Sell: Is There a Difference?    Webquot; Bill Tancer               It Soup Yet?quot; Dan Farber
                                                 quot; John Batt...                  quot;Eric Schmidt in Conversation  Satish Dha...
              Today: All                                                         with John Battellequot; Eric
                                               Today: All                                                      Today: All
                                                                                 Schmidt John...

                                                                                Today: All



             Popular: Tags                                                  Popular: Speaker

                    Community Design and User Ajit Jaokar Bill Tancer                              Brian Mulloy Charlene
             Ajax
                                                                            Li Dan Farber David Knight Dirk-Willem van
             Experience Keynotes Marketing
                                                                            Gulik Dmitry Dimov Eric Schmidt Ilkka
             and Community Strategy and
                                                                            Raiskinen James Baty Jay Adelson Jay
             Business Models Web 2.0
                                                                            Bhatti Jeff Weiner Jeffrey P. Bezos Joe
             Fundamentals Web 2.0 Services
                                                                                  John Battelle Kathy Sierra Kelly
                                                                            Kraus
             and Platforms Web Operations advertising
                                                                            Goto Kerry Fleming Kevin Lynch Luke Sontag
             business           design digitalid django experience
                                                                                               Mike McCue
                                                                            Mena Trott                                  Paola Tonelli
             flickr free google javascript marketing microformats
                            products and services                           Rich Skrenta Ross Mayfield Satish
             openid php

                                                                            Dharmaraj Subrah Iyar Tim O'Reilly
             rails search skypejournal social syndication
                       all tags
             yahoo                                                          everybody!
                                                                            Random People
                                                                            ChrisC1971 alexiskold atomsplitter billvision brady emccm
             Everything!                                                    gervasio goodsboy gustav heinika hienhuynh hotwheel
                                                                            http://jalanoly.pip.verisignlabs.com/
             Find: all talks, the all speakers, all tags, or users.         http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/
                                                                            jessie jggaines leeclw maisany markgoines nborwankar
                                                                            pbuder philip ron_topright shameer shua slevine timknight
                                                                            tomas wilsonminer
“I’m simonwillison.net”
“prove it!”
                                                                                                                                                                         Login?
      Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo



                                                                                                                                           Search
      Welcome to ExpoCal!
                                                                                                                                                                  Go
      Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends
      are going to see, or tag surf your way to serependity.

                                                                                                                                           My Schedule
      By Day
                                                                                                                                           You need to be logged in to keep a
        SUNDAY, APRIL 15,                 MONDAY, APRIL 16,                                              WEDNESDAY, APRIL 18,
                                                                         TUESDAY, APRIL 17, 2007                                           list of talks and sessions you are
             2007                              2007                                                             2007
                                                                                                                                           interested in attending.
       Popular Today                    Popular Today                    Popular Today                  Popular Today
         quot;Building Social                 quot;Conference Welcomequot; Tim        quot;Mobile 2.0quot; Ajit Jaokar Mike  quot;Welcomequot; Tim O'Reilly            login | sign up
         Applicationsquot; Stowe Boyd         O'Reilly                        McCue; Ilkka Raiskinen;        quot;Jeff Weiner in Conversation
         quot;High Performance                quot;A Conversation with Jeff       Paola Tonelli                  with John Battellequot; Jeff
         Webpagesquot; Steve                  Bezosquot; Jeffrey P. Bezos         quot;State of the Web 2.0:         Weiner John B...
         Souders Tenni Theurer            quot;Built to Last or Built to      Measuring the Participatory    quot;Web 2.0 for the Enterprise: Is
         quot;Ignitequot;                         Sell: Is There a Difference?    Webquot; Bill Tancer               It Soup Yet?quot; Dan Farber
                                          quot; John Batt...                  quot;Eric Schmidt in Conversation  Satish Dha...
       Today: All                                                         with John Battellequot; Eric
                                        Today: All                                                      Today: All
                                                                          Schmidt John...

                                                                         Today: All



      Popular: Tags                                                  Popular: Speaker

             Community Design and User Ajit Jaokar Bill Tancer                              Brian Mulloy Charlene
      Ajax
                                                                     Li Dan Farber David Knight Dirk-Willem van
      Experience Keynotes Marketing
                                                                     Gulik Dmitry Dimov Eric Schmidt Ilkka
      and Community Strategy and
                                                                     Raiskinen James Baty Jay Adelson Jay
      Business Models Web 2.0
                                                                     Bhatti Jeff Weiner Jeffrey P. Bezos Joe
      Fundamentals Web 2.0 Services
                                                                           John Battelle Kathy Sierra Kelly
                                                                     Kraus
      and Platforms Web Operations advertising
                                                                     Goto Kerry Fleming Kevin Lynch Luke Sontag
      business           design digitalid django experience
                                                                                        Mike McCue
                                                                     Mena Trott                                  Paola Tonelli
      flickr free google javascript marketing microformats
                     products and services                           Rich Skrenta Ross Mayfield Satish
      openid php

                                                                     Dharmaraj Subrah Iyar Tim O'Reilly
      rails search skypejournal social syndication
                all tags
      yahoo                                                          everybody!
                                                                     Random People
                                                                     ChrisC1971 alexiskold atomsplitter billvision brady emccm
      Everything!                                                    gervasio goodsboy gustav heinika hienhuynh hotwheel
                                                                     http://jalanoly.pip.verisignlabs.com/
      Find: all talks, the all speakers, all tags, or users.         http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/
                                                                     jessie jggaines leeclw maisany markgoines nborwankar
                                                                     pbuder philip ron_topright shameer shua slevine timknight
                                                                     tomas wilsonminer
(crypto happens)
“OK, you’re in!”
                                                                                                                                                                            Login?
         Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo



                                                                                                                                              Search
         Welcome to ExpoCal!
                                                                                                                                                                     Go
         Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends
         are going to see, or tag surf your way to serependity.

                                                                                                                                              My Schedule
         By Day
                                                                                                                                              You need to be logged in to keep a
           SUNDAY, APRIL 15,                 MONDAY, APRIL 16,                                              WEDNESDAY, APRIL 18,
                                                                            TUESDAY, APRIL 17, 2007                                           list of talks and sessions you are
                2007                              2007                                                             2007
                                                                                                                                              interested in attending.
          Popular Today                    Popular Today                    Popular Today                  Popular Today
            quot;Building Social                 quot;Conference Welcomequot; Tim        quot;Mobile 2.0quot; Ajit Jaokar Mike  quot;Welcomequot; Tim O'Reilly            login | sign up
            Applicationsquot; Stowe Boyd         O'Reilly                        McCue; Ilkka Raiskinen;        quot;Jeff Weiner in Conversation
            quot;High Performance                quot;A Conversation with Jeff       Paola Tonelli                  with John Battellequot; Jeff
            Webpagesquot; Steve                  Bezosquot; Jeffrey P. Bezos         quot;State of the Web 2.0:         Weiner John B...
            Souders Tenni Theurer            quot;Built to Last or Built to      Measuring the Participatory    quot;Web 2.0 for the Enterprise: Is
            quot;Ignitequot;                         Sell: Is There a Difference?    Webquot; Bill Tancer               It Soup Yet?quot; Dan Farber
                                             quot; John Batt...                  quot;Eric Schmidt in Conversation  Satish Dha...
          Today: All                                                         with John Battellequot; Eric
                                           Today: All                                                      Today: All
                                                                             Schmidt John...

                                                                            Today: All



         Popular: Tags                                                  Popular: Speaker

                Community Design and User Ajit Jaokar Bill Tancer                              Brian Mulloy Charlene
         Ajax
                                                                        Li Dan Farber David Knight Dirk-Willem van
         Experience Keynotes Marketing
                                                                        Gulik Dmitry Dimov Eric Schmidt Ilkka
         and Community Strategy and
                                                                        Raiskinen James Baty Jay Adelson Jay
         Business Models Web 2.0
                                                                        Bhatti Jeff Weiner Jeffrey P. Bezos Joe
         Fundamentals Web 2.0 Services
                                                                              John Battelle Kathy Sierra Kelly
                                                                        Kraus
         and Platforms Web Operations advertising
                                                                        Goto Kerry Fleming Kevin Lynch Luke Sontag
         business           design digitalid django experience
                                                                                           Mike McCue
                                                                        Mena Trott                                  Paola Tonelli
         flickr free google javascript marketing microformats
                        products and services                           Rich Skrenta Ross Mayfield Satish
         openid php

                                                                        Dharmaraj Subrah Iyar Tim O'Reilly
         rails search skypejournal social syndication
                   all tags
         yahoo                                                          everybody!
                                                                        Random People
                                                                        ChrisC1971 alexiskold atomsplitter billvision brady emccm
         Everything!                                                    gervasio goodsboy gustav heinika hienhuynh hotwheel
                                                                        http://jalanoly.pip.verisignlabs.com/
         Find: all talks, the all speakers, all tags, or users.         http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/
                                                                        jessie jggaines leeclw maisany markgoines nborwankar
                                                                        pbuder philip ron_topright shameer shua slevine timknight
                                                                        tomas wilsonminer
So it’s a bit like
Microsoft Passport,
        then?
Yes, at a high level
But you don’t need to ask
Microsoft’s permission to
      implement it
One organisation
 doesn’t get to own
everyone’s credentials
And the standard isn’t
 owned by any one
 company or group
Who does get to
  own them?
You, the user, decide.
You pick your own provider
(just like e-mail)
So I’m still giving
someone the keys
 to my kingdom?
Yes, but it can be
someone you trust
If you have the ability to
  run your own server
 software, you can do it
       for yourself
We'll show you how to
do that a little later on
OK, how do I use it?
So my users don’t
have to sign up for an
      account?
Not necessarily
An OpenID tells you
very little about a user
You don’t know
  their name
You don’t know
their e-mail address
You don’t know if they’re
 a person or a spambot
(or a dog)
Where do I get that
information from?
You ask them!
OpenID augments your
regular sign-up process;
  it doesn't replace it
The simple registration
  extension can help
  users fill out your
   registration form
How can I tell if they’re
  an evil spambot?
Same as usual: challenge
them with a CAPTCHA
botbouncer.com lets
you outsource your
    CAPTCHAs
So how does OpenID
    actually work?
<link rel=quot;openid.serverquot;
 href=quot;http://www.myopenid.com/serverquot; />
“I’m simonwillison.myopenid.com”
Site fetches HTML,
discovers identity provider
Establishes shared secret
 with identity provider
   (Using Diffie-Hellman key exchange)
Redirects you to the
 identity provider
If you’re logged in there,
you get redirected back
How does my identity
provider know who I am?
OpenID deliberately
  doesn’t specify
username/password
    is common
But providers can
use other methods if
    they want to
Client SSL certificates
Out of band
authentication via SMS,
   e-mail or Jabber
IP based login
 restrictions
SecurID keyfobs
The provider’s business
 is authentication: they
 can invest much more
effort than regular sites
It’s also possible for a
  provider to just say
“yes” to every query
Just say “yes”?
http://www.jkg.in/openid/
        does this
Users can give away their
passwords today - this is
 the OpenID equivalent
It's similar to
bugmenot.com
What if I decide I
hate my provider?
Use your own
domain name
Delegate to a
provider you trust
<link rel=quot;openid.serverquot;
 href=quot;http://www.livejournal.com/openid/server.bmlquot;>
<link rel=quot;openid.delegatequot;
 href=quot;http://swillison.livejournal.com/quot;>
This minimises lock in and
 ensures easy portability
So everyone will end up
 with one OpenID that
they use for everything?
Probably not
(I have half a dozen
 OpenIDs already)
People like maintaining
multiple online personas
professional
   social
   secret
     ...
OpenID makes it easier
 to manage multiple
   online personas
Three accounts is still
better than three dozen
Some providers let you
host multiple OpenIDs,
or create a new one for
every site you sign in to
Why is OpenID worth
implementing over all the
 other identity standards?
It’s simple
Unix philosophy:
 It solves one,
 tiny problem
It’s a dumb network
Many of the competing
standards are now on
        board
Isn’t putting all my
eggs in one basket
 a really bad idea?
Bad news: chances are
   you already do
“I forgot my password”
   means your e-mail
 account is already an
    SSO mechanism
OpenID just makes this
 a bit more obvious
What about phishing?
Phishing is a problem
I can has lolcats!?                          BETA


Make your own lolcats! lol
Sign in with your OpenID:
OpenID:                                  Sign in




                    http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/
Fake edition
Your identity provider
Username and password, please!
 Username:
 Password:
                         Log in
Identity theft :(
An untrusted site
redirects you to your
  trusted provider
Sound familiar?
PayPal
 Yahoo! BBAuth
  Google Auth
Google Checkout
We'll talk about some
potential solutions later
Doesn’t this outsource the
 security of my users to
 untrusted third parties?
Yes it does. But...
... so do “forgotten
password” e-mails!
If e-mail is secure
enough for your user’s
 authentication, so is
       OpenID
Password e-mails are
essentially SSO with a
 bad user experience
What are the privacy
  implications?
Cross correlation of
     accounts
Don’t publish a user’s
OpenID without making
it clear that you’re going
        to do that
Allow users to opt-out
of sharing their OpenID
The online equivalent of a
 credit reporting agency?
This could be built today
  by sites conspiring to
 share e-mail addresses
IANAL, but legal
protections against this
     already exist
“Directed identity” in
 OpenID 2.0 makes it
easy to use a different
OpenID for every site
Patents?
Sun,VeriSign and JanRain
 have both announced
  “patent covenants”
They won’t smack you
down with their patents
 for using OpenID 1.1
They will smack down
 anyone else who asserts
their own patents against
        OpenID
The OpenID
Foundation is working
  on an IPR Policy
Who else is involved?
~120M OpenIDs
~4200 RPs
AOL - provider, full
consumer very soon
Microsoft: Bill Gates
expressed their interest
 at the RSA conference
(mainly as good PR
 for CardSpace?)
Sun: Patent Covenant,
  33,000 employees
VeriSign
Symantec
37 Signals
Drupal
Plone
Rails
Six Apart
JanRain
...etc
we'll talk about this more
            later
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
Creating an OpenID
pip.VeriSignLabs.com           MyOpenID.com


   ClaimID.com                 FreeYourID.com

http://openid.net/wiki/index.php/OpenIDServers

         and you may already have one
Using Your OpenID
                                        Basecamp.com
            Plaxo.com
                          Blinksale.com
                                            Toodledo.com
      Wikispaces.com

                                           WikiTravel.com
              Ma.gnolia.com
                                    Jyte.com
     HighRiseHQ.com
                                                 WetPaint.com
http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
6
           0
 0
~12 million OpenIDs



2                OpenID 1.1 - Estimated from various services
~120 million OpenIDs
    (including every AOL user)




                                 OpenID 1.1 - Estimated from various services
6
                       Total Relying Parties



                                                                                   0
                                                     (aka places you can login with OpenID)




                         0                                                         y
                                                                                nt
                                                                                ou
                                                                              /B
                                                                          p i
                                                                         Sx
4,500




                        2
3,375


2,250


1,125


   0
        '05

              ct

                   ov

                        ec

                              '06

                                       b

                                           ar

                                                 r

                                                     ay

                                                            e

                                                                    ly

                                                                          g
                                                Ap




                                                                         Au
                                                             n
                                    Fe




                                                                 Ju
              O




                                           M




                                                     M
                        D
                   N




                                                          Ju
        p




                             Jan
    Se




                                                                                              OpenID 1.1 - As viewed by MyOpenID.com
Total Relying Parties         (aka places you can login with OpenID)




                                                                                                                                       po
                                                                                                                       L
                                                                                                                      AO
                                                                                    y




                                                                                                                                    Ex
                                                                                   nt
                                                                                ou




                                                                                                                                 0
                                                                                                                  &


                                                                                                                               2.
                                                                              /B




                                                                                                                  T
                                                                                                             SF


                                                                                                                        eb
                                                                          p




                                                                                                           M


                                                                                                                       W
                                                                            i
                                                                         Sx
4,500


3,375


2,250


1,125


   0
        '05

              ct

                   ov

                        ec

                              '06

                                       b

                                           ar

                                                 r

                                                     ay

                                                            e

                                                                    ly

                                                                          g

                                                                                p

                                                                                     ct

                                                                                          ov

                                                                                               ec

                                                                                                     '07

                                                                                                              b

                                                                                                                  ar

                                                                                                                          r

                                                                                                                                 ay

                                                                                                                                          e

                                                                                                                                                   22
                                                Ap




                                                                                                                       Ap
                                                                         Au
                                                             n




                                                                                                                                           n
                                    Fe




                                                                              Se




                                                                                                           Fe
                                                                 Ju
              O




                                                                                    O
                                           M




                                                                                                                  M
                                                     M




                                                                                                                               M
                        D




                                                                                               D
                   N




                                                          Ju




                                                                                          N




                                                                                                                                        Ju

                                                                                                                                                  ly
        p




                             Jan




                                                                                                    Jan




                                                                                                                                               Ju
    Se




                                                                                                                       OpenID 1.1 - As viewed by MyOpenID.com
6
  0
 0
2
History 2005 & 2006
Created by Brad Fitzpatrick (Summer 2005)
Yadis Discovery protocol (Jan 2006)
VeriSign launches OpenID Provider (May)
Convergence with i-names (July)
Convergence with Sxip (Aug.)
$50,000 USD Developer Bounty (Aug.)
Technorati adopts OpenID (Oct.)
Tutorials by Simon Willison (Dec.)
History Q1 2007
Mozilla announces intent to support OpenID in FireFox 3 (Jan.)
Microsoft support expressed by Bill Gates and Craig Mundie at
RSA Conference keynote (Feb.)
AOL add OpenID to every one of their ~60M accounts (Feb.)
Symantec announces upcoming OpenID products (Feb.)
Digg and NetVibes announce OpenID support (Feb.)
Wordpress.com and 37Signals adopt OpenID (March)
USA Today publishes OpenID article on the Money section
front-page (March)
History Q2 2007
Plone 3.0 ships with OpenID support (May)
Sun Microsystems adopts OpenID in enterprise product and
provides employees with OpenID (May)
livedoor adds OpenID support (May)
OpenID wins Next Web Award (June)
Leo Laporte and Steve Gibson discuss OpenID (June)
OpenID wins CNET Webware 100 award (June)
Atlassian (makers of enterprise wiki software) supports OpenID (June)
Drupal 6 ships with OpenID support (June)
The OpenID Foundation
The purpose of the OpenID Foundation is to
 foster and promote the development and
  adoption of OpenID as a framework for
    user-centric identity on the Internet.
Founding board
Scott Kveton            David Recordon
Chair                   Vice-Chair
scott@kveton.com        drecordon@verisign.com


Dick Hardt              Martin Atkins
Treasurer               Secretary
dick@sxip.com           mart@degeneration.co.uk


Johannes Ernst          Drummond Reed
jernst@netmesh.us       drummond.reed@cordance.net


                        Bill Washburn
Artur Bergman
                        Executive Director
sky@crucially.net
                        bill@oidf.org
Current efforts
Develop an IPR policy and process for OpenID
specifications to keep OpenID free and patent
unencumbered
Develop a trademark policy that supports the
extended OpenID community
Develop core messaging for OpenID and
websites oriented toward developers, users,
and other potential adopters
Coordinate World-wide joint marketing and
evangelism
OpenID Auth 2.0

• Implementors draft published earlier this
  year
• Already seen multiple implementations in
  PHP, Java, Perl, and Python
• Concerns raised from service providers the
  size of AOL, LiveDoor,Yahoo! around
  identifier recycling
• Still really close to a final specification
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
Protocol Security

• DNS Security
• Man in the Middle Attacks
• Eavesdropping Attacks
• MAC Key Weakness
• Replay Attacks
              Don't Panic
Phishing

An untrusted site redirects you to
     your trusted provider

    Not just a problem for OpenID, but
    also for PayPal, Google Auth and
     Checkout, Yahoo! BBAuth, AOL
                 OpenAuth
Passwords Can be Stolen

 • Browsers have poor support for other
   means
 • Users normally ignore browser chrome
 • What extent are they willing to go?
  • quot;Gang Kidnaps Gamer to Get Password
     Using Fake Orkut Datequot;
Trust
quot;Trust first requires identityquot; - Brad Fitzpatrick


OpenID does not tell you if a user is
    good, bad, or even human


•   What if I've never seen the user before?
•   What if I know nothing about the OpenID
    Provider?
Decoupled Authentication

 • What if the user didn't authenticate at all?
 • How do I know if they met my policies?
 • I need strong authentication!
 • The user must authenticate within the past
   five minutes!
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
Protocol security
• Use SSL correctly throughout the protocol
 • Protects against man-in-the-middle,
    eavesdropping attacks, and DNS attacks
• Generate strong MAC keys and re-negotiate
  as needed
  • Used to verify data integrity and
    authenticity of OpenID responses
• Verify NONCEs
 • Protects against replay attacks
Trust
quot;Trust first requires identityquot; - Brad Fitzpatrick


• Challenge them via a CAPTCHA or email
   verification
  • Even a distributed CAPTCHA
• Use whitelists and blacklists
• Ask someone else whom you trust
Decoupled authentication
 • OpenID Provider Authentication Policy
   Extension, draft published June 2006
 • Relying Parties can ask for authentication
   policies such as quot;phishing resistantquot; or
   quot;multi-factorquot;
 • Providers can respond with policies the user
   complied with, time since they
   authenticated, and strength of the credential
   (s) used per NIST guidelines
 • Still has the question of quot;trustquot;
Whitelisting Providers
• OpenID doesn't dictate that a RP accept
  every OpenID
• Certainly most do
• Might make sense for a bank to whitelist
• Others sites by whitelisting will only hurt
  themselves by cutting down the number of
  users who can sign in
• With Yadis Discovery, a user can list multiple
  providers and a RP can choose which to use
Vidoop
(changes the metaphor by removing passwords)
DEMO
Client Side SSL Certificates
DEMO
Microsoft CardSpace
(anti-phishing authentication built into the OS)
DEMO
VeriSign's OpenID SeatBelt
(an OpenID convenience and security add-on for Firefox)




                      works with
SeatBelt
• Provide contextual information
 • Am I currently logged in and if so as whom?
 • Is it safe to login?
• Remove phishing opportunities
 • Login when my browser opens
 • Take me to my Provider if I'm not logged in
• Protect against common attacks
 • Validate SSL certificates when interacting with
    my Provider
DEMO
Provide context
Remove opportunities
Protect
the best solutions will
  be in the browser
Mozilla has said FireFox 3
will include some sort of
  OpenID integration
IE Team has posted a job
ad mentioning quot;OpenIDquot;
 quot;Does the idea of redefining the role of the Internet browser appeal to
you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If
          so, then this just might be the opportunity for you.quot;
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
Simplified account creation
 • The classic OpenID use-case: allow users to
   create a regular account on your system tied
   to their OpenID
 • Use Simple Registration to pre-fill the signup
   form
 • Let users associate one or more OpenIDs
   with an existing account
Lightweight accounts

• Sometimes you just need persistent cookies
 • Personalisation
 • Preference saving
 • Anything where users can’t spam you
• http://oscon07.icalico.org/ is a nice example
Simplified OpenID login

• Millions of people have OpenIDs but don’t
  know what OpenID is
• Offer them a sign-in form specific to their
  provider
• Construct the OpenID behind the scenes
Internal SSO
• Restrict your internal applications to only
  accept corporate assigned OpenIDs
• Requires an internal OpenID server
• Wikis, bug trackers, blog engines...
• Applications need to be able to whitelist
  OpenIDs that match a certain pattern
  • http://(w+).internal.example.com/
Portable contact lists
• Re-adding your friends on every social
  network completely sucks
• The Facebook platform shows the
  importance of being able to build even trivial
  applications on top of an existing network
• An OpenID is globally unique; it’s the ideal
  hook for building a reusable friend list
Contact list options
• FOAF
 • RDF format, exported by LiveJournal
 • Currently adding a new “openid” field
• XFN
 • Microformat for listing relationships
 • Can be embedded directly in HTML
http://daveman692.livejournal.com/data/foaf


   ...
   <foaf:knows>
      <foaf:Person>
       <foaf:nick>bradfitz</foaf:nick>
       <foaf:member_name>Brad Fitzpatrick</foaf:member_name>
       <foaf:tagLine></foaf:tagLine>
       <foaf:image>http://userpic.livejournal.com/21628/1</foaf:image>
       <rdfs:seeAlso rdf:resource=quot;http://bradfitz.livejournal.com/data/foafquot; />
       <foaf:weblog rdf:resource=quot;http://bradfitz.livejournal.com/quot;/>
      </foaf:Person>
   </foaf:knows>
   ...
http://gmpg.org/xfn/intro




<ul>
 <li><a href=quot;http://jane-blog.example.org/quot; rel=quot;date metquot;>Jane</a></li>
 <li><a href=quot;http://dave-blog.example.org/quot; rel=quot;friend metquot;>Dave</a></li>
 <li><a href=quot;http://darryl-blog.example.org/quot; rel=quot;friend metquot;>Darryl</a></li>
</ul>
Pre-approved accounts

• Collaboration apps (private wikis, multi-
  author blogs, Google Docs etc) often let you
  “invite” new members to your project
• With OpenID, you can pre-approve their
  ability to log in without needing to create
  them a username and password
Social whitelists
• A potential mechanism for tackling blog
    comment spam
• Create a list of OpenIDs that can skip your
    spam filter
• Share that list with your friends
• Allow people on their lists to skip your
    spam filters as well
•   http://simonwillison.net/2007/Jan/22/whitelisting/
Group syndication

• A combination of social whitelisting and pre-
  approved accounts
• Syndicate groups as a list of OpenIDs
 • www.jyte.com does this
• Tell another application that “anyone who is
  a member of that group can sign in”
jyte.com/api/group/djangonauts/roster
           http://www.jacobian.org/
           http://groovymother.com/
           http://rodbegbie.sxipper.com/
           http://cygnus.myopenid.com/
           http://www.b-tree.org/
           http://root.b-tree.org/
           http://jlam.idproxy.net/
           http://claimid.com/jlam
           http://openid.aol.com/jlameudaemon
           http://jlam.vox.com/
           http://jlam.livejournal.com/
           http://adamh.openid.pl/
           http://robhudson.myopenid.com/
           http://recombiant.com/public/yadis.xrdf
           http://bradpitcher.livejournal.com/
           http://kristate.myopenid.com/
           http://michele.campeotto.net/
           http://mderk.livejournal.com/
           http://meangrape.myopenid.com/
           http://telenieko.com/
           http://eas.myopenid.com/
           http://geekfun.livejournal.com/
           http://www.pauladamsmith.com/
           http://teknico.myopenid.com/
           http://adamendicott.com/
           http://simonwillison.net/
           http://azuer88.myopenid.com/
           http://lightlan.myopenid.com/
Provider-specific services
 • OpenIDs from different providers can tell
   you different things about a user
   • An AOL OpenID “proves” their IM details
   • A LiveJournal OpenID lets you discover
     their RSS, FOAF and LJ Jabber account
   • A last.fm OpenID could indicate their
     taste in music
 • Another reason to allow multiple OpenIDs
   to be associated with a single account
Identity projection
• A related concept
• OpenID lets you project your identity from
  one service to another
• If you can prove to site X that you are a
  user of site Y, what new things can you build?
• Lots of opportunities for interesting
  mashups here
Build a decentralised
   reputation network
• eBay users build up a trusted reputation over
  time
• Imagine if reputation could be tied to an
  OpenID, and aggregated by crawlers
• This wouldn’t punish the bad guys (who would
  just get a new OpenID), but it would reward
  the good guys
• Jyte lets you vote on claims about OpenIDs
Being a consumer
      and a provider
• Not as crazy as you might think
• Letting users sign in with OpenID is a no-
  brainer
• Providing OpenID as a way of proving
  ownership of a profile page is also useful
• You could even automatically delegate to the
  OpenID that they used to sign in
Proxies for proprietary
  authentication APIs
• Google,Yahoo! and Facebook all provide
  proprietary authentication APIs
• If they're supporting an authentication API,
  why don't they just support OpenID?
• You can set yourself up as a proxy between
  their protocol and OpenID
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
Detailed protocol flow
associate
• Back-channel between RP and Provider
• Used to establish a shared secret used for
  message signing
• HMAC style key calculated with SHA1 or
  SHA256
• Can use Diffie-Hellman or be in the clear if
  using SSL
checkid_setup

• Front-channel via browser redirects
• Send the user to their Provider with an
  OpenID request
• Provider authenticates and prompts user
• Responds with a quot;yesquot; or quot;cancelquot;
checkid_immediate
• Front-channel via browser redirects
• Send the user to their Provider with an
  OpenID request
• Provider immediately responds with a quot;yesquot;
  or quot;noquot;
• Good for AJAX type setups or quot;single
  logoutquot;
check_authentication

• Back-channel between RP and Provider
• Used to verify a signature if there was not an
  existing association
• Also used to verify a signature if the
  Provider told the RP to invalidate the
  existing association
As a drawing




http://leancode.com   http://www.windley.com
Creating an OpenID with
    your own server
* *************************************************************************** *
 * CONFIGURATION
 * *************************************************************************** *
 * You must change these values:
 *   auth_username = login name
 *   auth_password = md5(username:realm:password)
 *
 * Default username = 'test', password = 'test', realm = 'phpMyID'
 */

#$profile = array(
#    'auth_username'    =>    'test',
#    'auth_password'   =>     '37fa04faebe5249023ed1f6cc867329b'
#);

/*
 * Optional - Simple Registration Extension:
 *
 *   If you would like to add any of the following optional registration
 *   parameters to your login profile, simply uncomment the line, and enter the
 *   correct values.
 *
 *   Details on the exact allowed values for these paramters can be found at:
 *   http://openid.net/specs/openid-simple-registration-extension-1_0.html
 */

#$sreg = array (
#    'nickname'         =>   'Joe',
#    'email'            =>   'joe@example.com',
#    'fullname'         =>   'Joe Example',
#    'dob'              =>   '1970-10-31',
#    'gender'           =>   'M',
#    'postcode'         =>   '22000',
#    'country'          =>   'US',
#    'language'         =>   'en',
#    'timezone'         =>   'America/New_York'
#);
* *************************************************************************** *
 * CONFIGURATION
 * *************************************************************************** *
 * You must change these values:
 *   auth_username = login name
 *   auth_password = md5(username:realm:password)
 *
 * Default username = 'test', password = 'test', realm = 'phpMyID'
 */

$profile = array(
     'auth_username'    =>    'david',
     'auth_password'   =>     'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
 * Optional - Simple Registration Extension:
 *
 *   If you would like to add any of the following optional registration
 *   parameters to your login profile, simply uncomment the line, and enter the
 *   correct values.
 *
 *   Details on the exact allowed values for these paramters can be found at:
 *   http://openid.net/specs/openid-simple-registration-extension-1_0.html
 */

#$sreg = array (
#    'nickname'         =>   'Joe',
#    'email'            =>   'joe@example.com',
#    'fullname'         =>   'Joe Example',
#    'dob'              =>   '1970-10-31',
#    'gender'           =>   'M',
#    'postcode'         =>   '22000',
#    'country'          =>   'US',
#    'language'         =>   'en',
#    'timezone'         =>   'America/New_York'
#);
Configure Profile Data
$profile = array(
     'auth_username'    =>    'david',
     'auth_password'   =>     'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
 * Optional - Simple Registration Extension:
 *
 *   If you would like to add any of the following optional registration
 *   parameters to your login profile, simply uncomment the line, and enter the
 *   correct values.
 *
 *   Details on the exact allowed values for these paramters can be found at:
 *   http://openid.net/specs/openid-simple-registration-extension-1_0.html
 */

$sreg = array (
     'nickname'         =>   'daveman692',
     'email'            =>   'recordond@gmail.com',
     'fullname'         =>   'David Recordon',
     'dob'              =>   '1986-09-04',
     'gender'           =>   'M',
     'postcode'         =>   '941458',
     'country'          =>   'US',
     'language'         =>   'en',
     'timezone'         =>   'America/Los_Angeles'
);
Configure Delegation
                            (source of www.davidrecordon.com)

<html xmlns=quot;http://www.w3.org/1999/xhtmlquot;>
<head>
<title>David Recordon</title>
<style>
 div {
         text-align: center;
         color: #C0C0C0;
     }
 img {
         border: 0px;
     }
 a   {
         color: #C0C0C0;
     }
</style>


<link rel=quot;openid.serverquot; href=quot;http://www.davidrecordon.com/myid.phpquot; />
<link rel=quot;openid.delegatequot; href=quot;http://www.davidrecordon.com/myid.phpquot; />
</head>
Done!
Time to configure and upload phpMyID:

               ~5 Min

    http://siege.org/projects/phpMyID/
Enabling a Rails app
OpenID enabling iCalico
           http://oscon.icalico.org/

Existing users: Sign in and click the the quot;add
        OpenIDquot; link at the top right

New users: Click quot;loginquot; and sign in with your
   OpenID, skipping the signup process :)



              Thanks Brian Ellin of JanRain
Tools Used

•   iCalicio by Kellan Elliot-McCrea and Evan
    Henshaw-Plath
•   Ruby and Rails
•   gem install ruby-openid
iCalico User Model
•   Stores login name and hashed password
•   We need to add an optional OpenID column

     1 class AddOpenId < ActiveRecord::Migration
     2   def self.up
     3     add_column :users, :openid, :string
     4     add_index :users, [:openid], :name => :users_openid_index
     5   end
     6
     7   def self.down
     8     remove_column :users, :openid
     9   end
    10 end
Now for the best practice
•   Should allow multiple OpenIDs...though is slightly more
    complex
     1 class AddOpenId < ActiveRecord::Migration
     2   def self.up
     3     create_table :openids do |t|
     4       t.column :identifier, :string
     5       t.column :user_id, :int
     6     end
     7   end
     8
     9   def self.down
    10     drop_table :openids
    11   end
    12 end

     1 class User < ActiveRecord::Base
     2   has_many :openids
     3 end
Using the OpenID Library

    1 def consumer
    2   store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')
    3   store = OpenID::FilesystemStore.new(store_dir)
    4   return OpenID::Consumer.new(session, store)
    5 end




•    FilesystemStore saved OpenID transaction state
•    OpenID::Consumer handles the protocol details
Add OpenID UI

1 <h2>Or, login with OpenID</h2>
2 <%= start_form_tag(:controller=>'account', :action => 'openid_start') %>
3   <p><label for=quot;openid_identifierquot;>OpenID</label><br/>
4   <%= text_field_tag 'openid_identifier' %></p>
5   <%= submit_tag 'OpenID Login' %>
6 <%= end_form_tag %>




  <input name=quot;openid_identiferquot; />
Handle Login Form Submit
 1 def openid_start
 2   openid_request = consumer.begin(params[:openid_identifier])
 3
 4   case openid_request.status
 5   when OpenID::SUCCESS
 6     return_to = url_for(:action => 'openid_finish')
 7     trust_root = url_for(:controller => '')
 8     server_redirect_url = openid_request.redirect_url(trust_root, return_to)
 9     redirect_to(server_redirect_url)
10
11   when OpenID::FAILURE
12     flash[:notice] = quot;Could not find your OpenID server.quot;
13     redirect_back_or_default(:controller => '/account', :action => 'index')
14
15   end
16 end


                                1. Discover
                                2. Associate
                                3. Redirect
    (we’ll handle the server response at the return_to URL)
Redirect to OpenID Provider
Handle Server Response
 1 def openid_finish
 2   openid_response = consumer.complete(params)
 3
 4   case openid_response.status
 5   when OpenID::SUCCESS
 6     openid = openid_response.identity_url
 7     @user = User.find_by_openid(openid)
 8
 9     unless @user
10       @user = User.create(:openid => openid, :login => openid)
11     end
12     self.current_user = @user
13     flash[:notice] = quot;Welcome #{@user.openid}quot;
14
15   when OpenID::FAILURE
16     flash[:notice] = 'Verification failed.'
17   end
18
19   redirect_back_or_default(:controller => 'talk', :action => 'list')
20 end
Done!
Time to implement OpenID in iCalico:
           45 minutes

        http://oscon.icalico.org/
OpenID and Django
django-openid

• http://code.google.com/p/django-openid
• Convenient wrapper around JanRain library
• Currently provides tools for consuming
  OpenID
def index(request):
  if request.openid:
      # User is signed in with OpenID
      ...
  else:
      # User is not signed in
      return HttpResponseRedirect('/openidlogin/')


request.openid = most recently signed in OpenID
request.openids = ALL signed in OpenIDs
Additional features

• Simple registration support
 • request.openid.sreg['email']
• Coming soon...
 • Tie in with django.contrib.auth.User
 • Easy creation of an OpenID provider
Best practices for
OpenID relying parties
• OpenID extends rather than replaces your
  existing user accounts system

• Two key steps:
 • Allow existing users to associate one or
    more OpenIDs with their account

 • Allow new users to sign up using an
    OpenID to jump-start the process
Existing accounts
• Provide an interface for adding and removing
  OpenIDs from an account
• Don’t let users associate an OpenID without
  first authenticating it
• Don’t let users delete the last OpenID
  associated with their account without having
  a password set (or they’ll lock themselves
  out)
New accounts
•   Use Simple Registration, if available, to pre-fill fields
    in your registration form

    •   Not all providers support Simple Registration

•   Don’t assume that e-mail addresses etc from
    Simple Registration are accurate - you may still
    want to send a verification e-mail

•   Don’t assume the user is a human being - challenge
    with a CAPTCHA or use botbouncer.com
Simple Registration
• nickname              • postcode
• email                 • country
• fullname              • language
• dob                   • timezone
• gender
Some providers (or users) may provide just a
        subset of this information
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
Thanks!
                        http://openid.net/
                     http://planet.openid.net/




      Simon Willison                              David Recordon
    simonwillison.net                            davidrecordon.com
simon@simonwillison.net                       drecordon@verisign.com


                               OSCON
                            July 24th, 2007

More Related Content

Viewers also liked

OpenID Authentication by example
OpenID Authentication by exampleOpenID Authentication by example
OpenID Authentication by example
Chris Vertonghen
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
Prabath Siriwardena
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)
Simon Willison
 
Implementing OpenID
Implementing OpenIDImplementing OpenID
Implementing OpenID
Uri Levanon
 
The Open, Social Web
The Open, Social WebThe Open, Social Web
The Open, Social Web
Chris Messina
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説  - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説  - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 
OAuth 2.0 101
OAuth 2.0 101OAuth 2.0 101
OAuth 2.0 101
Anand Sharma
 
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
David Recordon
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Alex Bilbie
 
JWT Agile Framework
JWT Agile FrameworkJWT Agile Framework
JWT Agile Framework
Emmanuel Flores Elías
 
Cloud identity management meetup 150108
Cloud identity management meetup 150108Cloud identity management meetup 150108
Cloud identity management meetup 150108
Morteza Ansari
 
Web access management using o auth2 and saml – wam 2.0
Web access management using o auth2 and saml – wam 2.0Web access management using o auth2 and saml – wam 2.0
Web access management using o auth2 and saml – wam 2.0
Gluu
 
A Quick Introduction to YQL
A Quick Introduction to YQLA Quick Introduction to YQL
A Quick Introduction to YQL
Max Manders
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenID
Max Manders
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
OpenID Overview - Seoul July 2007
OpenID Overview - Seoul July 2007OpenID Overview - Seoul July 2007
OpenID Overview - Seoul July 2007
David Recordon
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 

Viewers also liked (20)

OpenID Authentication by example
OpenID Authentication by exampleOpenID Authentication by example
OpenID Authentication by example
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)
 
Implementing OpenID
Implementing OpenIDImplementing OpenID
Implementing OpenID
 
The Open, Social Web
The Open, Social WebThe Open, Social Web
The Open, Social Web
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説  - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説  - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
 
OAuth 2.0 101
OAuth 2.0 101OAuth 2.0 101
OAuth 2.0 101
 
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
JWT Agile Framework
JWT Agile FrameworkJWT Agile Framework
JWT Agile Framework
 
Cloud identity management meetup 150108
Cloud identity management meetup 150108Cloud identity management meetup 150108
Cloud identity management meetup 150108
 
Web access management using o auth2 and saml – wam 2.0
Web access management using o auth2 and saml – wam 2.0Web access management using o auth2 and saml – wam 2.0
Web access management using o auth2 and saml – wam 2.0
 
A Quick Introduction to YQL
A Quick Introduction to YQLA Quick Introduction to YQL
A Quick Introduction to YQL
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenID
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OpenID Overview - Seoul July 2007
OpenID Overview - Seoul July 2007OpenID Overview - Seoul July 2007
OpenID Overview - Seoul July 2007
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 

Similar to OpenID Bootcamp Tutorial

Michaelklemen2009
Michaelklemen2009Michaelklemen2009
Michaelklemen2009
Michael Klemen
 
7 Lessons from Mozilla
7 Lessons from Mozilla7 Lessons from Mozilla
7 Lessons from Mozilla
John Lilly
 
Investor Relations in the Age of MySpace
Investor Relations in the Age of MySpaceInvestor Relations in the Age of MySpace
Investor Relations in the Age of MySpace
University Technology Malaysia
 
20101116 deckers
20101116 deckers20101116 deckers
20101116 deckers
CIONET
 
GA_Intro to the NYC Startup Community
GA_Intro to the NYC Startup CommunityGA_Intro to the NYC Startup Community
GA_Intro to the NYC Startup Community
kshiiba
 
Startups, Volcanoes, and Texting Refrigerators
Startups, Volcanoes, and Texting RefrigeratorsStartups, Volcanoes, and Texting Refrigerators
Startups, Volcanoes, and Texting Refrigerators
One Mighty Roar
 
MCS presentatie de toekomst van mobile in b2b
MCS presentatie de toekomst van mobile in b2bMCS presentatie de toekomst van mobile in b2b
MCS presentatie de toekomst van mobile in b2b
Vincent Everts
 
Spiceworks Unplugged UK 1 December 2011
Spiceworks Unplugged UK 1 December 2011Spiceworks Unplugged UK 1 December 2011
Spiceworks Unplugged UK 1 December 2011
Auskosh
 
New Mexico AMA - Social Media Marketing
New Mexico AMA - Social Media MarketingNew Mexico AMA - Social Media Marketing
New Mexico AMA - Social Media Marketing
Dana Vanden Heuvel
 
A tale of two startups
A tale of two startupsA tale of two startups
A tale of two startups
Benjamin Joffe
 
NY Startup Community Intro
NY Startup Community IntroNY Startup Community Intro
NY Startup Community Intro
annalindow
 
Web 2.0 In Asia
Web 2.0 In AsiaWeb 2.0 In Asia
Web 2.0 In Asia
e27
 
Success 4 Your Business!
Success 4 Your Business!Success 4 Your Business!
Success 4 Your Business!
Rob Bates
 
Capstone It 101 Final
Capstone It 101 FinalCapstone It 101 Final
Capstone It 101 Final
guest745203
 
MyNet Social Networking Backupslides Nov 2007
MyNet Social Networking Backupslides Nov 2007MyNet Social Networking Backupslides Nov 2007
MyNet Social Networking Backupslides Nov 2007
FinNode
 
Wordcamp2009 - Lessons from Mozilla
Wordcamp2009 - Lessons from MozillaWordcamp2009 - Lessons from Mozilla
Wordcamp2009 - Lessons from Mozilla
John Lilly
 
Social Media Services from Dell
Social Media Services from DellSocial Media Services from Dell
Social Media Services from Dell
Dell Social Media
 
Your company & the “social stuff” - advanced
Your company & the “social stuff” - advancedYour company & the “social stuff” - advanced
Your company & the “social stuff” - advanced
David Hachez
 
Social Media in the enterprise
Social Media in the enterpriseSocial Media in the enterprise
Social Media in the enterprise
christian.kelley
 
LegalTech09: 5 Things Every Practice Should Know About Web 2.0
LegalTech09: 5 Things Every Practice Should Know About Web 2.0LegalTech09: 5 Things Every Practice Should Know About Web 2.0
LegalTech09: 5 Things Every Practice Should Know About Web 2.0
Lee Bryant
 

Similar to OpenID Bootcamp Tutorial (20)

Michaelklemen2009
Michaelklemen2009Michaelklemen2009
Michaelklemen2009
 
7 Lessons from Mozilla
7 Lessons from Mozilla7 Lessons from Mozilla
7 Lessons from Mozilla
 
Investor Relations in the Age of MySpace
Investor Relations in the Age of MySpaceInvestor Relations in the Age of MySpace
Investor Relations in the Age of MySpace
 
20101116 deckers
20101116 deckers20101116 deckers
20101116 deckers
 
GA_Intro to the NYC Startup Community
GA_Intro to the NYC Startup CommunityGA_Intro to the NYC Startup Community
GA_Intro to the NYC Startup Community
 
Startups, Volcanoes, and Texting Refrigerators
Startups, Volcanoes, and Texting RefrigeratorsStartups, Volcanoes, and Texting Refrigerators
Startups, Volcanoes, and Texting Refrigerators
 
MCS presentatie de toekomst van mobile in b2b
MCS presentatie de toekomst van mobile in b2bMCS presentatie de toekomst van mobile in b2b
MCS presentatie de toekomst van mobile in b2b
 
Spiceworks Unplugged UK 1 December 2011
Spiceworks Unplugged UK 1 December 2011Spiceworks Unplugged UK 1 December 2011
Spiceworks Unplugged UK 1 December 2011
 
New Mexico AMA - Social Media Marketing
New Mexico AMA - Social Media MarketingNew Mexico AMA - Social Media Marketing
New Mexico AMA - Social Media Marketing
 
A tale of two startups
A tale of two startupsA tale of two startups
A tale of two startups
 
NY Startup Community Intro
NY Startup Community IntroNY Startup Community Intro
NY Startup Community Intro
 
Web 2.0 In Asia
Web 2.0 In AsiaWeb 2.0 In Asia
Web 2.0 In Asia
 
Success 4 Your Business!
Success 4 Your Business!Success 4 Your Business!
Success 4 Your Business!
 
Capstone It 101 Final
Capstone It 101 FinalCapstone It 101 Final
Capstone It 101 Final
 
MyNet Social Networking Backupslides Nov 2007
MyNet Social Networking Backupslides Nov 2007MyNet Social Networking Backupslides Nov 2007
MyNet Social Networking Backupslides Nov 2007
 
Wordcamp2009 - Lessons from Mozilla
Wordcamp2009 - Lessons from MozillaWordcamp2009 - Lessons from Mozilla
Wordcamp2009 - Lessons from Mozilla
 
Social Media Services from Dell
Social Media Services from DellSocial Media Services from Dell
Social Media Services from Dell
 
Your company & the “social stuff” - advanced
Your company & the “social stuff” - advancedYour company & the “social stuff” - advanced
Your company & the “social stuff” - advanced
 
Social Media in the enterprise
Social Media in the enterpriseSocial Media in the enterprise
Social Media in the enterprise
 
LegalTech09: 5 Things Every Practice Should Know About Web 2.0
LegalTech09: 5 Things Every Practice Should Know About Web 2.0LegalTech09: 5 Things Every Practice Should Know About Web 2.0
LegalTech09: 5 Things Every Practice Should Know About Web 2.0
 

More from David Recordon

A Social Web Intro at the Internet Identity Workshop
A Social Web Intro at the Internet Identity WorkshopA Social Web Intro at the Internet Identity Workshop
A Social Web Intro at the Internet Identity Workshop
David Recordon
 
Anatomy Of "Connect"
Anatomy Of "Connect"Anatomy Of "Connect"
Anatomy Of "Connect"
David Recordon
 
OpenID Introduction - IIW2008b
OpenID Introduction - IIW2008bOpenID Introduction - IIW2008b
OpenID Introduction - IIW2008b
David Recordon
 
Learning from Apache to create Open Specifications
Learning from Apache to create Open SpecificationsLearning from Apache to create Open Specifications
Learning from Apache to create Open Specifications
David Recordon
 
"Blowing Up" Social Networks by Going Open
"Blowing Up" Social Networks by Going Open"Blowing Up" Social Networks by Going Open
"Blowing Up" Social Networks by Going Open
David Recordon
 
Supporting The Open Web - OSCON 2008
Supporting The Open Web - OSCON 2008Supporting The Open Web - OSCON 2008
Supporting The Open Web - OSCON 2008
David Recordon
 
Building Open Platforms
Building Open PlatformsBuilding Open Platforms
Building Open Platforms
David Recordon
 
Open Platforms in Web 2.0
Open Platforms in Web 2.0Open Platforms in Web 2.0
Open Platforms in Web 2.0
David Recordon
 
OpenID Foundation Japan Chapter Announcement
OpenID Foundation Japan Chapter AnnouncementOpenID Foundation Japan Chapter Announcement
OpenID Foundation Japan Chapter Announcement
David Recordon
 
Eduserv OpenID Meeting: OpenID Today
Eduserv OpenID Meeting: OpenID TodayEduserv OpenID Meeting: OpenID Today
Eduserv OpenID Meeting: OpenID Today
David Recordon
 
Web 2.0 Expo Berlin: Open Platforms and the Social Graph
Web 2.0 Expo Berlin: Open Platforms and the Social GraphWeb 2.0 Expo Berlin: Open Platforms and the Social Graph
Web 2.0 Expo Berlin: Open Platforms and the Social Graph
David Recordon
 
Digital ID World 2007 - Understanding Openid
Digital ID World 2007 - Understanding OpenidDigital ID World 2007 - Understanding Openid
Digital ID World 2007 - Understanding Openid
David Recordon
 
Implementing OpenID
Implementing OpenIDImplementing OpenID
Implementing OpenID
David Recordon
 

More from David Recordon (14)

A Social Web Intro at the Internet Identity Workshop
A Social Web Intro at the Internet Identity WorkshopA Social Web Intro at the Internet Identity Workshop
A Social Web Intro at the Internet Identity Workshop
 
Anatomy Of "Connect"
Anatomy Of "Connect"Anatomy Of "Connect"
Anatomy Of "Connect"
 
OpenID Introduction - IIW2008b
OpenID Introduction - IIW2008bOpenID Introduction - IIW2008b
OpenID Introduction - IIW2008b
 
Learning from Apache to create Open Specifications
Learning from Apache to create Open SpecificationsLearning from Apache to create Open Specifications
Learning from Apache to create Open Specifications
 
"Blowing Up" Social Networks by Going Open
"Blowing Up" Social Networks by Going Open"Blowing Up" Social Networks by Going Open
"Blowing Up" Social Networks by Going Open
 
Supporting The Open Web - OSCON 2008
Supporting The Open Web - OSCON 2008Supporting The Open Web - OSCON 2008
Supporting The Open Web - OSCON 2008
 
Building Open Platforms
Building Open PlatformsBuilding Open Platforms
Building Open Platforms
 
Open Platforms in Web 2.0
Open Platforms in Web 2.0Open Platforms in Web 2.0
Open Platforms in Web 2.0
 
OpenID Foundation Japan Chapter Announcement
OpenID Foundation Japan Chapter AnnouncementOpenID Foundation Japan Chapter Announcement
OpenID Foundation Japan Chapter Announcement
 
Eduserv OpenID Meeting: OpenID Today
Eduserv OpenID Meeting: OpenID TodayEduserv OpenID Meeting: OpenID Today
Eduserv OpenID Meeting: OpenID Today
 
Web 2.0 Expo Berlin: Open Platforms and the Social Graph
Web 2.0 Expo Berlin: Open Platforms and the Social GraphWeb 2.0 Expo Berlin: Open Platforms and the Social Graph
Web 2.0 Expo Berlin: Open Platforms and the Social Graph
 
ScubaBots - Ignite Sf
ScubaBots - Ignite SfScubaBots - Ignite Sf
ScubaBots - Ignite Sf
 
Digital ID World 2007 - Understanding Openid
Digital ID World 2007 - Understanding OpenidDigital ID World 2007 - Understanding Openid
Digital ID World 2007 - Understanding Openid
 
Implementing OpenID
Implementing OpenIDImplementing OpenID
Implementing OpenID
 

Recently uploaded

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
alexjohnson7307
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 

Recently uploaded (20)

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 

OpenID Bootcamp Tutorial

  • 1. Bootcamp Simon Willison David Recordon simonwillison.net davidrecordon.com simon@simonwillison.net drecordon@verisign.com OSCON July 24th, 2007
  • 2. Who are We? • David Recordon • VeriSign Employee since May of 2006 • OpenID Foundation Vice- Chair • Co-Author of various OpenID specifications • Past employee of Six Apart, where OpenID was created
  • 3. Who are We? • Simon Willison • Ex-Yahoo!, now freelance • “Europe’s first OpenID consultant” • Co-creator of the Django Web Framework
  • 4. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 6. OpenID is a decentralised mechanism for Single Sign On
  • 10. “My online profile is scattered across dozens of sites”
  • 11. What is an OpenID?
  • 12. An OpenID is a URI
  • 17. What can you do with an OpenID?
  • 18. You can claim that you own it
  • 19. You can prove that claim
  • 20. Why is that useful?
  • 21. You can use it for authentication
  • 22. “Who the heck are you?!” Login? Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo Search Welcome to ExpoCal! Go Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends are going to see, or tag surf your way to serependity. My Schedule By Day You need to be logged in to keep a SUNDAY, APRIL 15, MONDAY, APRIL 16, WEDNESDAY, APRIL 18, TUESDAY, APRIL 17, 2007 list of talks and sessions you are 2007 2007 2007 interested in attending. Popular Today Popular Today Popular Today Popular Today quot;Building Social quot;Conference Welcomequot; Tim quot;Mobile 2.0quot; Ajit Jaokar Mike quot;Welcomequot; Tim O'Reilly login | sign up Applicationsquot; Stowe Boyd O'Reilly McCue; Ilkka Raiskinen; quot;Jeff Weiner in Conversation quot;High Performance quot;A Conversation with Jeff Paola Tonelli with John Battellequot; Jeff Webpagesquot; Steve Bezosquot; Jeffrey P. Bezos quot;State of the Web 2.0: Weiner John B... Souders Tenni Theurer quot;Built to Last or Built to Measuring the Participatory quot;Web 2.0 for the Enterprise: Is quot;Ignitequot; Sell: Is There a Difference? Webquot; Bill Tancer It Soup Yet?quot; Dan Farber quot; John Batt... quot;Eric Schmidt in Conversation Satish Dha... Today: All with John Battellequot; Eric Today: All Today: All Schmidt John... Today: All Popular: Tags Popular: Speaker Community Design and User Ajit Jaokar Bill Tancer Brian Mulloy Charlene Ajax Li Dan Farber David Knight Dirk-Willem van Experience Keynotes Marketing Gulik Dmitry Dimov Eric Schmidt Ilkka and Community Strategy and Raiskinen James Baty Jay Adelson Jay Business Models Web 2.0 Bhatti Jeff Weiner Jeffrey P. Bezos Joe Fundamentals Web 2.0 Services John Battelle Kathy Sierra Kelly Kraus and Platforms Web Operations advertising Goto Kerry Fleming Kevin Lynch Luke Sontag business design digitalid django experience Mike McCue Mena Trott Paola Tonelli flickr free google javascript marketing microformats products and services Rich Skrenta Ross Mayfield Satish openid php Dharmaraj Subrah Iyar Tim O'Reilly rails search skypejournal social syndication all tags yahoo everybody! Random People ChrisC1971 alexiskold atomsplitter billvision brady emccm Everything! gervasio goodsboy gustav heinika hienhuynh hotwheel http://jalanoly.pip.verisignlabs.com/ Find: all talks, the all speakers, all tags, or users. http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/ jessie jggaines leeclw maisany markgoines nborwankar pbuder philip ron_topright shameer shua slevine timknight tomas wilsonminer
  • 24. “prove it!” Login? Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo Search Welcome to ExpoCal! Go Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends are going to see, or tag surf your way to serependity. My Schedule By Day You need to be logged in to keep a SUNDAY, APRIL 15, MONDAY, APRIL 16, WEDNESDAY, APRIL 18, TUESDAY, APRIL 17, 2007 list of talks and sessions you are 2007 2007 2007 interested in attending. Popular Today Popular Today Popular Today Popular Today quot;Building Social quot;Conference Welcomequot; Tim quot;Mobile 2.0quot; Ajit Jaokar Mike quot;Welcomequot; Tim O'Reilly login | sign up Applicationsquot; Stowe Boyd O'Reilly McCue; Ilkka Raiskinen; quot;Jeff Weiner in Conversation quot;High Performance quot;A Conversation with Jeff Paola Tonelli with John Battellequot; Jeff Webpagesquot; Steve Bezosquot; Jeffrey P. Bezos quot;State of the Web 2.0: Weiner John B... Souders Tenni Theurer quot;Built to Last or Built to Measuring the Participatory quot;Web 2.0 for the Enterprise: Is quot;Ignitequot; Sell: Is There a Difference? Webquot; Bill Tancer It Soup Yet?quot; Dan Farber quot; John Batt... quot;Eric Schmidt in Conversation Satish Dha... Today: All with John Battellequot; Eric Today: All Today: All Schmidt John... Today: All Popular: Tags Popular: Speaker Community Design and User Ajit Jaokar Bill Tancer Brian Mulloy Charlene Ajax Li Dan Farber David Knight Dirk-Willem van Experience Keynotes Marketing Gulik Dmitry Dimov Eric Schmidt Ilkka and Community Strategy and Raiskinen James Baty Jay Adelson Jay Business Models Web 2.0 Bhatti Jeff Weiner Jeffrey P. Bezos Joe Fundamentals Web 2.0 Services John Battelle Kathy Sierra Kelly Kraus and Platforms Web Operations advertising Goto Kerry Fleming Kevin Lynch Luke Sontag business design digitalid django experience Mike McCue Mena Trott Paola Tonelli flickr free google javascript marketing microformats products and services Rich Skrenta Ross Mayfield Satish openid php Dharmaraj Subrah Iyar Tim O'Reilly rails search skypejournal social syndication all tags yahoo everybody! Random People ChrisC1971 alexiskold atomsplitter billvision brady emccm Everything! gervasio goodsboy gustav heinika hienhuynh hotwheel http://jalanoly.pip.verisignlabs.com/ Find: all talks, the all speakers, all tags, or users. http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/ jessie jggaines leeclw maisany markgoines nborwankar pbuder philip ron_topright shameer shua slevine timknight tomas wilsonminer
  • 26. “OK, you’re in!” Login? Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo Search Welcome to ExpoCal! Go Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends are going to see, or tag surf your way to serependity. My Schedule By Day You need to be logged in to keep a SUNDAY, APRIL 15, MONDAY, APRIL 16, WEDNESDAY, APRIL 18, TUESDAY, APRIL 17, 2007 list of talks and sessions you are 2007 2007 2007 interested in attending. Popular Today Popular Today Popular Today Popular Today quot;Building Social quot;Conference Welcomequot; Tim quot;Mobile 2.0quot; Ajit Jaokar Mike quot;Welcomequot; Tim O'Reilly login | sign up Applicationsquot; Stowe Boyd O'Reilly McCue; Ilkka Raiskinen; quot;Jeff Weiner in Conversation quot;High Performance quot;A Conversation with Jeff Paola Tonelli with John Battellequot; Jeff Webpagesquot; Steve Bezosquot; Jeffrey P. Bezos quot;State of the Web 2.0: Weiner John B... Souders Tenni Theurer quot;Built to Last or Built to Measuring the Participatory quot;Web 2.0 for the Enterprise: Is quot;Ignitequot; Sell: Is There a Difference? Webquot; Bill Tancer It Soup Yet?quot; Dan Farber quot; John Batt... quot;Eric Schmidt in Conversation Satish Dha... Today: All with John Battellequot; Eric Today: All Today: All Schmidt John... Today: All Popular: Tags Popular: Speaker Community Design and User Ajit Jaokar Bill Tancer Brian Mulloy Charlene Ajax Li Dan Farber David Knight Dirk-Willem van Experience Keynotes Marketing Gulik Dmitry Dimov Eric Schmidt Ilkka and Community Strategy and Raiskinen James Baty Jay Adelson Jay Business Models Web 2.0 Bhatti Jeff Weiner Jeffrey P. Bezos Joe Fundamentals Web 2.0 Services John Battelle Kathy Sierra Kelly Kraus and Platforms Web Operations advertising Goto Kerry Fleming Kevin Lynch Luke Sontag business design digitalid django experience Mike McCue Mena Trott Paola Tonelli flickr free google javascript marketing microformats products and services Rich Skrenta Ross Mayfield Satish openid php Dharmaraj Subrah Iyar Tim O'Reilly rails search skypejournal social syndication all tags yahoo everybody! Random People ChrisC1971 alexiskold atomsplitter billvision brady emccm Everything! gervasio goodsboy gustav heinika hienhuynh hotwheel http://jalanoly.pip.verisignlabs.com/ Find: all talks, the all speakers, all tags, or users. http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/ jessie jggaines leeclw maisany markgoines nborwankar pbuder philip ron_topright shameer shua slevine timknight tomas wilsonminer
  • 27. So it’s a bit like Microsoft Passport, then?
  • 28. Yes, at a high level
  • 29. But you don’t need to ask Microsoft’s permission to implement it
  • 30. One organisation doesn’t get to own everyone’s credentials
  • 31. And the standard isn’t owned by any one company or group
  • 32. Who does get to own them?
  • 33. You, the user, decide.
  • 34. You pick your own provider
  • 36. So I’m still giving someone the keys to my kingdom?
  • 37. Yes, but it can be someone you trust
  • 38. If you have the ability to run your own server software, you can do it for yourself
  • 39. We'll show you how to do that a little later on
  • 40. OK, how do I use it?
  • 41.
  • 42.
  • 43.
  • 44.
  • 45. So my users don’t have to sign up for an account?
  • 47. An OpenID tells you very little about a user
  • 48. You don’t know their name
  • 49. You don’t know their e-mail address
  • 50. You don’t know if they’re a person or a spambot
  • 52. Where do I get that information from?
  • 54. OpenID augments your regular sign-up process; it doesn't replace it
  • 55. The simple registration extension can help users fill out your registration form
  • 56.
  • 57.
  • 58. How can I tell if they’re an evil spambot?
  • 59. Same as usual: challenge them with a CAPTCHA
  • 61.
  • 62. So how does OpenID actually work?
  • 63.
  • 64.
  • 67. Site fetches HTML, discovers identity provider
  • 68. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  • 69. Redirects you to the identity provider
  • 70. If you’re logged in there, you get redirected back
  • 71. How does my identity provider know who I am?
  • 72. OpenID deliberately doesn’t specify
  • 73. username/password is common
  • 74. But providers can use other methods if they want to
  • 76. Out of band authentication via SMS, e-mail or Jabber
  • 77. IP based login restrictions
  • 79. The provider’s business is authentication: they can invest much more effort than regular sites
  • 80. It’s also possible for a provider to just say “yes” to every query
  • 83. Users can give away their passwords today - this is the OpenID equivalent
  • 85. What if I decide I hate my provider?
  • 88.
  • 89.
  • 90. <link rel=quot;openid.serverquot; href=quot;http://www.livejournal.com/openid/server.bmlquot;> <link rel=quot;openid.delegatequot; href=quot;http://swillison.livejournal.com/quot;>
  • 91. This minimises lock in and ensures easy portability
  • 92. So everyone will end up with one OpenID that they use for everything?
  • 94. (I have half a dozen OpenIDs already)
  • 96. professional social secret ...
  • 97. OpenID makes it easier to manage multiple online personas
  • 98. Three accounts is still better than three dozen
  • 99. Some providers let you host multiple OpenIDs, or create a new one for every site you sign in to
  • 100. Why is OpenID worth implementing over all the other identity standards?
  • 102. Unix philosophy: It solves one, tiny problem
  • 103. It’s a dumb network
  • 104. Many of the competing standards are now on board
  • 105. Isn’t putting all my eggs in one basket a really bad idea?
  • 106. Bad news: chances are you already do
  • 107. “I forgot my password” means your e-mail account is already an SSO mechanism
  • 108. OpenID just makes this a bit more obvious
  • 110. Phishing is a problem
  • 111. I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/
  • 112. Fake edition Your identity provider Username and password, please! Username: Password: Log in
  • 114. An untrusted site redirects you to your trusted provider
  • 116. PayPal Yahoo! BBAuth Google Auth Google Checkout
  • 117. We'll talk about some potential solutions later
  • 118. Doesn’t this outsource the security of my users to untrusted third parties?
  • 119. Yes it does. But...
  • 120. ... so do “forgotten password” e-mails!
  • 121. If e-mail is secure enough for your user’s authentication, so is OpenID
  • 122. Password e-mails are essentially SSO with a bad user experience
  • 123. What are the privacy implications?
  • 125. Don’t publish a user’s OpenID without making it clear that you’re going to do that
  • 126. Allow users to opt-out of sharing their OpenID
  • 127. The online equivalent of a credit reporting agency?
  • 128. This could be built today by sites conspiring to share e-mail addresses
  • 129. IANAL, but legal protections against this already exist
  • 130. “Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site
  • 132. Sun,VeriSign and JanRain have both announced “patent covenants”
  • 133. They won’t smack you down with their patents for using OpenID 1.1
  • 134. They will smack down anyone else who asserts their own patents against OpenID
  • 135. The OpenID Foundation is working on an IPR Policy
  • 136. Who else is involved?
  • 139. AOL - provider, full consumer very soon
  • 140. Microsoft: Bill Gates expressed their interest at the RSA conference
  • 141. (mainly as good PR for CardSpace?)
  • 142. Sun: Patent Covenant, 33,000 employees
  • 146. Drupal
  • 147. Plone
  • 148. Rails
  • 151. ...etc we'll talk about this more later
  • 152. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 153. Creating an OpenID pip.VeriSignLabs.com MyOpenID.com ClaimID.com FreeYourID.com http://openid.net/wiki/index.php/OpenIDServers and you may already have one
  • 154. Using Your OpenID Basecamp.com Plaxo.com Blinksale.com Toodledo.com Wikispaces.com WikiTravel.com Ma.gnolia.com Jyte.com HighRiseHQ.com WetPaint.com http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers
  • 155. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 156. 6 0 0 ~12 million OpenIDs 2 OpenID 1.1 - Estimated from various services
  • 157. ~120 million OpenIDs (including every AOL user) OpenID 1.1 - Estimated from various services
  • 158. 6 Total Relying Parties 0 (aka places you can login with OpenID) 0 y nt ou /B p i Sx 4,500 2 3,375 2,250 1,125 0 '05 ct ov ec '06 b ar r ay e ly g Ap Au n Fe Ju O M M D N Ju p Jan Se OpenID 1.1 - As viewed by MyOpenID.com
  • 159. Total Relying Parties (aka places you can login with OpenID) po L AO y Ex nt ou 0 & 2. /B T SF eb p M W i Sx 4,500 3,375 2,250 1,125 0 '05 ct ov ec '06 b ar r ay e ly g p ct ov ec '07 b ar r ay e 22 Ap Ap Au n n Fe Se Fe Ju O O M M M M D D N Ju N Ju ly p Jan Jan Ju Se OpenID 1.1 - As viewed by MyOpenID.com
  • 160. 6 0 0 2
  • 161.
  • 162. History 2005 & 2006 Created by Brad Fitzpatrick (Summer 2005) Yadis Discovery protocol (Jan 2006) VeriSign launches OpenID Provider (May) Convergence with i-names (July) Convergence with Sxip (Aug.) $50,000 USD Developer Bounty (Aug.) Technorati adopts OpenID (Oct.) Tutorials by Simon Willison (Dec.)
  • 163. History Q1 2007 Mozilla announces intent to support OpenID in FireFox 3 (Jan.) Microsoft support expressed by Bill Gates and Craig Mundie at RSA Conference keynote (Feb.) AOL add OpenID to every one of their ~60M accounts (Feb.) Symantec announces upcoming OpenID products (Feb.) Digg and NetVibes announce OpenID support (Feb.) Wordpress.com and 37Signals adopt OpenID (March) USA Today publishes OpenID article on the Money section front-page (March)
  • 164. History Q2 2007 Plone 3.0 ships with OpenID support (May) Sun Microsystems adopts OpenID in enterprise product and provides employees with OpenID (May) livedoor adds OpenID support (May) OpenID wins Next Web Award (June) Leo Laporte and Steve Gibson discuss OpenID (June) OpenID wins CNET Webware 100 award (June) Atlassian (makers of enterprise wiki software) supports OpenID (June) Drupal 6 ships with OpenID support (June)
  • 166. The purpose of the OpenID Foundation is to foster and promote the development and adoption of OpenID as a framework for user-centric identity on the Internet.
  • 167. Founding board Scott Kveton David Recordon Chair Vice-Chair scott@kveton.com drecordon@verisign.com Dick Hardt Martin Atkins Treasurer Secretary dick@sxip.com mart@degeneration.co.uk Johannes Ernst Drummond Reed jernst@netmesh.us drummond.reed@cordance.net Bill Washburn Artur Bergman Executive Director sky@crucially.net bill@oidf.org
  • 168. Current efforts Develop an IPR policy and process for OpenID specifications to keep OpenID free and patent unencumbered Develop a trademark policy that supports the extended OpenID community Develop core messaging for OpenID and websites oriented toward developers, users, and other potential adopters Coordinate World-wide joint marketing and evangelism
  • 169. OpenID Auth 2.0 • Implementors draft published earlier this year • Already seen multiple implementations in PHP, Java, Perl, and Python • Concerns raised from service providers the size of AOL, LiveDoor,Yahoo! around identifier recycling • Still really close to a final specification
  • 170. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 171. Protocol Security • DNS Security • Man in the Middle Attacks • Eavesdropping Attacks • MAC Key Weakness • Replay Attacks Don't Panic
  • 172. Phishing An untrusted site redirects you to your trusted provider Not just a problem for OpenID, but also for PayPal, Google Auth and Checkout, Yahoo! BBAuth, AOL OpenAuth
  • 173. Passwords Can be Stolen • Browsers have poor support for other means • Users normally ignore browser chrome • What extent are they willing to go? • quot;Gang Kidnaps Gamer to Get Password Using Fake Orkut Datequot;
  • 174. Trust quot;Trust first requires identityquot; - Brad Fitzpatrick OpenID does not tell you if a user is good, bad, or even human • What if I've never seen the user before? • What if I know nothing about the OpenID Provider?
  • 175. Decoupled Authentication • What if the user didn't authenticate at all? • How do I know if they met my policies? • I need strong authentication! • The user must authenticate within the past five minutes!
  • 176. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 177. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 178. Protocol security • Use SSL correctly throughout the protocol • Protects against man-in-the-middle, eavesdropping attacks, and DNS attacks • Generate strong MAC keys and re-negotiate as needed • Used to verify data integrity and authenticity of OpenID responses • Verify NONCEs • Protects against replay attacks
  • 179. Trust quot;Trust first requires identityquot; - Brad Fitzpatrick • Challenge them via a CAPTCHA or email verification • Even a distributed CAPTCHA • Use whitelists and blacklists • Ask someone else whom you trust
  • 180. Decoupled authentication • OpenID Provider Authentication Policy Extension, draft published June 2006 • Relying Parties can ask for authentication policies such as quot;phishing resistantquot; or quot;multi-factorquot; • Providers can respond with policies the user complied with, time since they authenticated, and strength of the credential (s) used per NIST guidelines • Still has the question of quot;trustquot;
  • 181. Whitelisting Providers • OpenID doesn't dictate that a RP accept every OpenID • Certainly most do • Might make sense for a bank to whitelist • Others sites by whitelisting will only hurt themselves by cutting down the number of users who can sign in • With Yadis Discovery, a user can list multiple providers and a RP can choose which to use
  • 182. Vidoop (changes the metaphor by removing passwords)
  • 183. DEMO
  • 184.
  • 185.
  • 186.
  • 187. Client Side SSL Certificates
  • 188. DEMO
  • 189.
  • 190.
  • 191.
  • 193. DEMO
  • 194.
  • 195.
  • 196.
  • 197.
  • 198.
  • 199.
  • 200. VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox) works with
  • 201. SeatBelt • Provide contextual information • Am I currently logged in and if so as whom? • Is it safe to login? • Remove phishing opportunities • Login when my browser opens • Take me to my Provider if I'm not logged in • Protect against common attacks • Validate SSL certificates when interacting with my Provider
  • 202. DEMO
  • 206. the best solutions will be in the browser
  • 207. Mozilla has said FireFox 3 will include some sort of OpenID integration
  • 208. IE Team has posted a job ad mentioning quot;OpenIDquot; quot;Does the idea of redefining the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you.quot;
  • 209. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 210. Simplified account creation • The classic OpenID use-case: allow users to create a regular account on your system tied to their OpenID • Use Simple Registration to pre-fill the signup form • Let users associate one or more OpenIDs with an existing account
  • 211. Lightweight accounts • Sometimes you just need persistent cookies • Personalisation • Preference saving • Anything where users can’t spam you • http://oscon07.icalico.org/ is a nice example
  • 212. Simplified OpenID login • Millions of people have OpenIDs but don’t know what OpenID is • Offer them a sign-in form specific to their provider • Construct the OpenID behind the scenes
  • 213.
  • 214. Internal SSO • Restrict your internal applications to only accept corporate assigned OpenIDs • Requires an internal OpenID server • Wikis, bug trackers, blog engines... • Applications need to be able to whitelist OpenIDs that match a certain pattern • http://(w+).internal.example.com/
  • 215. Portable contact lists • Re-adding your friends on every social network completely sucks • The Facebook platform shows the importance of being able to build even trivial applications on top of an existing network • An OpenID is globally unique; it’s the ideal hook for building a reusable friend list
  • 216. Contact list options • FOAF • RDF format, exported by LiveJournal • Currently adding a new “openid” field • XFN • Microformat for listing relationships • Can be embedded directly in HTML
  • 217. http://daveman692.livejournal.com/data/foaf ... <foaf:knows> <foaf:Person> <foaf:nick>bradfitz</foaf:nick> <foaf:member_name>Brad Fitzpatrick</foaf:member_name> <foaf:tagLine></foaf:tagLine> <foaf:image>http://userpic.livejournal.com/21628/1</foaf:image> <rdfs:seeAlso rdf:resource=quot;http://bradfitz.livejournal.com/data/foafquot; /> <foaf:weblog rdf:resource=quot;http://bradfitz.livejournal.com/quot;/> </foaf:Person> </foaf:knows> ...
  • 218. http://gmpg.org/xfn/intro <ul> <li><a href=quot;http://jane-blog.example.org/quot; rel=quot;date metquot;>Jane</a></li> <li><a href=quot;http://dave-blog.example.org/quot; rel=quot;friend metquot;>Dave</a></li> <li><a href=quot;http://darryl-blog.example.org/quot; rel=quot;friend metquot;>Darryl</a></li> </ul>
  • 219. Pre-approved accounts • Collaboration apps (private wikis, multi- author blogs, Google Docs etc) often let you “invite” new members to your project • With OpenID, you can pre-approve their ability to log in without needing to create them a username and password
  • 220. Social whitelists • A potential mechanism for tackling blog comment spam • Create a list of OpenIDs that can skip your spam filter • Share that list with your friends • Allow people on their lists to skip your spam filters as well • http://simonwillison.net/2007/Jan/22/whitelisting/
  • 221. Group syndication • A combination of social whitelisting and pre- approved accounts • Syndicate groups as a list of OpenIDs • www.jyte.com does this • Tell another application that “anyone who is a member of that group can sign in”
  • 222.
  • 223. jyte.com/api/group/djangonauts/roster http://www.jacobian.org/ http://groovymother.com/ http://rodbegbie.sxipper.com/ http://cygnus.myopenid.com/ http://www.b-tree.org/ http://root.b-tree.org/ http://jlam.idproxy.net/ http://claimid.com/jlam http://openid.aol.com/jlameudaemon http://jlam.vox.com/ http://jlam.livejournal.com/ http://adamh.openid.pl/ http://robhudson.myopenid.com/ http://recombiant.com/public/yadis.xrdf http://bradpitcher.livejournal.com/ http://kristate.myopenid.com/ http://michele.campeotto.net/ http://mderk.livejournal.com/ http://meangrape.myopenid.com/ http://telenieko.com/ http://eas.myopenid.com/ http://geekfun.livejournal.com/ http://www.pauladamsmith.com/ http://teknico.myopenid.com/ http://adamendicott.com/ http://simonwillison.net/ http://azuer88.myopenid.com/ http://lightlan.myopenid.com/
  • 224. Provider-specific services • OpenIDs from different providers can tell you different things about a user • An AOL OpenID “proves” their IM details • A LiveJournal OpenID lets you discover their RSS, FOAF and LJ Jabber account • A last.fm OpenID could indicate their taste in music • Another reason to allow multiple OpenIDs to be associated with a single account
  • 225. Identity projection • A related concept • OpenID lets you project your identity from one service to another • If you can prove to site X that you are a user of site Y, what new things can you build? • Lots of opportunities for interesting mashups here
  • 226. Build a decentralised reputation network • eBay users build up a trusted reputation over time • Imagine if reputation could be tied to an OpenID, and aggregated by crawlers • This wouldn’t punish the bad guys (who would just get a new OpenID), but it would reward the good guys • Jyte lets you vote on claims about OpenIDs
  • 227.
  • 228.
  • 229. Being a consumer and a provider • Not as crazy as you might think • Letting users sign in with OpenID is a no- brainer • Providing OpenID as a way of proving ownership of a profile page is also useful • You could even automatically delegate to the OpenID that they used to sign in
  • 230. Proxies for proprietary authentication APIs • Google,Yahoo! and Facebook all provide proprietary authentication APIs • If they're supporting an authentication API, why don't they just support OpenID? • You can set yourself up as a proxy between their protocol and OpenID
  • 231.
  • 232. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 234. associate • Back-channel between RP and Provider • Used to establish a shared secret used for message signing • HMAC style key calculated with SHA1 or SHA256 • Can use Diffie-Hellman or be in the clear if using SSL
  • 235. checkid_setup • Front-channel via browser redirects • Send the user to their Provider with an OpenID request • Provider authenticates and prompts user • Responds with a quot;yesquot; or quot;cancelquot;
  • 236. checkid_immediate • Front-channel via browser redirects • Send the user to their Provider with an OpenID request • Provider immediately responds with a quot;yesquot; or quot;noquot; • Good for AJAX type setups or quot;single logoutquot;
  • 237. check_authentication • Back-channel between RP and Provider • Used to verify a signature if there was not an existing association • Also used to verify a signature if the Provider told the RP to invalidate the existing association
  • 238. As a drawing http://leancode.com http://www.windley.com
  • 239. Creating an OpenID with your own server
  • 240.
  • 241. * *************************************************************************** * * CONFIGURATION * *************************************************************************** * * You must change these values: * auth_username = login name * auth_password = md5(username:realm:password) * * Default username = 'test', password = 'test', realm = 'phpMyID' */ #$profile = array( # 'auth_username' => 'test', # 'auth_password' => '37fa04faebe5249023ed1f6cc867329b' #); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ #$sreg = array ( # 'nickname' => 'Joe', # 'email' => 'joe@example.com', # 'fullname' => 'Joe Example', # 'dob' => '1970-10-31', # 'gender' => 'M', # 'postcode' => '22000', # 'country' => 'US', # 'language' => 'en', # 'timezone' => 'America/New_York' #);
  • 242.
  • 243. * *************************************************************************** * * CONFIGURATION * *************************************************************************** * * You must change these values: * auth_username = login name * auth_password = md5(username:realm:password) * * Default username = 'test', password = 'test', realm = 'phpMyID' */ $profile = array( 'auth_username' => 'david', 'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1' ); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ #$sreg = array ( # 'nickname' => 'Joe', # 'email' => 'joe@example.com', # 'fullname' => 'Joe Example', # 'dob' => '1970-10-31', # 'gender' => 'M', # 'postcode' => '22000', # 'country' => 'US', # 'language' => 'en', # 'timezone' => 'America/New_York' #);
  • 244. Configure Profile Data $profile = array( 'auth_username' => 'david', 'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1' ); /* * Optional - Simple Registration Extension: * * If you would like to add any of the following optional registration * parameters to your login profile, simply uncomment the line, and enter the * correct values. * * Details on the exact allowed values for these paramters can be found at: * http://openid.net/specs/openid-simple-registration-extension-1_0.html */ $sreg = array ( 'nickname' => 'daveman692', 'email' => 'recordond@gmail.com', 'fullname' => 'David Recordon', 'dob' => '1986-09-04', 'gender' => 'M', 'postcode' => '941458', 'country' => 'US', 'language' => 'en', 'timezone' => 'America/Los_Angeles' );
  • 245.
  • 246. Configure Delegation (source of www.davidrecordon.com) <html xmlns=quot;http://www.w3.org/1999/xhtmlquot;> <head> <title>David Recordon</title> <style> div { text-align: center; color: #C0C0C0; } img { border: 0px; } a { color: #C0C0C0; } </style> <link rel=quot;openid.serverquot; href=quot;http://www.davidrecordon.com/myid.phpquot; /> <link rel=quot;openid.delegatequot; href=quot;http://www.davidrecordon.com/myid.phpquot; /> </head>
  • 247. Done! Time to configure and upload phpMyID: ~5 Min http://siege.org/projects/phpMyID/
  • 249. OpenID enabling iCalico http://oscon.icalico.org/ Existing users: Sign in and click the the quot;add OpenIDquot; link at the top right New users: Click quot;loginquot; and sign in with your OpenID, skipping the signup process :) Thanks Brian Ellin of JanRain
  • 250. Tools Used • iCalicio by Kellan Elliot-McCrea and Evan Henshaw-Plath • Ruby and Rails • gem install ruby-openid
  • 251. iCalico User Model • Stores login name and hashed password • We need to add an optional OpenID column 1 class AddOpenId < ActiveRecord::Migration 2 def self.up 3 add_column :users, :openid, :string 4 add_index :users, [:openid], :name => :users_openid_index 5 end 6 7 def self.down 8 remove_column :users, :openid 9 end 10 end
  • 252. Now for the best practice • Should allow multiple OpenIDs...though is slightly more complex 1 class AddOpenId < ActiveRecord::Migration 2 def self.up 3 create_table :openids do |t| 4 t.column :identifier, :string 5 t.column :user_id, :int 6 end 7 end 8 9 def self.down 10 drop_table :openids 11 end 12 end 1 class User < ActiveRecord::Base 2 has_many :openids 3 end
  • 253. Using the OpenID Library 1 def consumer 2 store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store') 3 store = OpenID::FilesystemStore.new(store_dir) 4 return OpenID::Consumer.new(session, store) 5 end • FilesystemStore saved OpenID transaction state • OpenID::Consumer handles the protocol details
  • 254. Add OpenID UI 1 <h2>Or, login with OpenID</h2> 2 <%= start_form_tag(:controller=>'account', :action => 'openid_start') %> 3 <p><label for=quot;openid_identifierquot;>OpenID</label><br/> 4 <%= text_field_tag 'openid_identifier' %></p> 5 <%= submit_tag 'OpenID Login' %> 6 <%= end_form_tag %> <input name=quot;openid_identiferquot; />
  • 255. Handle Login Form Submit 1 def openid_start 2 openid_request = consumer.begin(params[:openid_identifier]) 3 4 case openid_request.status 5 when OpenID::SUCCESS 6 return_to = url_for(:action => 'openid_finish') 7 trust_root = url_for(:controller => '') 8 server_redirect_url = openid_request.redirect_url(trust_root, return_to) 9 redirect_to(server_redirect_url) 10 11 when OpenID::FAILURE 12 flash[:notice] = quot;Could not find your OpenID server.quot; 13 redirect_back_or_default(:controller => '/account', :action => 'index') 14 15 end 16 end 1. Discover 2. Associate 3. Redirect (we’ll handle the server response at the return_to URL)
  • 256. Redirect to OpenID Provider
  • 257. Handle Server Response 1 def openid_finish 2 openid_response = consumer.complete(params) 3 4 case openid_response.status 5 when OpenID::SUCCESS 6 openid = openid_response.identity_url 7 @user = User.find_by_openid(openid) 8 9 unless @user 10 @user = User.create(:openid => openid, :login => openid) 11 end 12 self.current_user = @user 13 flash[:notice] = quot;Welcome #{@user.openid}quot; 14 15 when OpenID::FAILURE 16 flash[:notice] = 'Verification failed.' 17 end 18 19 redirect_back_or_default(:controller => 'talk', :action => 'list') 20 end
  • 258. Done! Time to implement OpenID in iCalico: 45 minutes http://oscon.icalico.org/
  • 260. django-openid • http://code.google.com/p/django-openid • Convenient wrapper around JanRain library • Currently provides tools for consuming OpenID
  • 261. def index(request): if request.openid: # User is signed in with OpenID ... else: # User is not signed in return HttpResponseRedirect('/openidlogin/') request.openid = most recently signed in OpenID request.openids = ALL signed in OpenIDs
  • 262. Additional features • Simple registration support • request.openid.sreg['email'] • Coming soon... • Tie in with django.contrib.auth.User • Easy creation of an OpenID provider
  • 263. Best practices for OpenID relying parties
  • 264. • OpenID extends rather than replaces your existing user accounts system • Two key steps: • Allow existing users to associate one or more OpenIDs with their account • Allow new users to sign up using an OpenID to jump-start the process
  • 265. Existing accounts • Provide an interface for adding and removing OpenIDs from an account • Don’t let users associate an OpenID without first authenticating it • Don’t let users delete the last OpenID associated with their account without having a password set (or they’ll lock themselves out)
  • 266. New accounts • Use Simple Registration, if available, to pre-fill fields in your registration form • Not all providers support Simple Registration • Don’t assume that e-mail addresses etc from Simple Registration are accurate - you may still want to send a verification e-mail • Don’t assume the user is a human being - challenge with a CAPTCHA or use botbouncer.com
  • 267. Simple Registration • nickname • postcode • email • country • fullname • language • dob • timezone • gender Some providers (or users) may provide just a subset of this information
  • 268. The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
  • 269. Thanks! http://openid.net/ http://planet.openid.net/ Simon Willison David Recordon simonwillison.net davidrecordon.com simon@simonwillison.net drecordon@verisign.com OSCON July 24th, 2007