OpenID is a decentralized protocol that allows users to log in to multiple websites using a single digital identity. It allows users to maintain a single username and password that can be used to access any website that accepts OpenID logins. When a user logs in to a website using OpenID, they are redirected to their OpenID provider to authenticate, and then sent back to the website. This allows for single sign-on across multiple sites without needing separate credentials for each site.

1. By Prabath Siriwardena, WSO2

2. Why OpenID???

3. Too many passwords

4. Duplicated profiles everywhere

5. Oops..!!! My favorite user name…GONE…!!!

6. Why OpenID???

7. OpenID solves them all…!!!

8. Single user name/password

9. Single user profile

10. Claim your URL as your user name

11. What is OpenID???

12. OpenID is a URL or an XRI

13. http://prabath.myopenid.com

14. http://www.prabathsiriwardena.com

15. =prabath

16. Who gives me an OpenID???

17. OpenID Providers [OP] issue OpenIDs and maintain user profiles

21. Who accepts my OpenID???

22. Any web site can accept OpenIDs for sign in

23. 13,196 unique web sites seen by myOpenID.com to accept OpenID, by May 2008

27. With OpenID we simply maintain a single user name/password pair…..

35. With OpenID we authenticate once at the OP and sign in to rest of the OpenID relying party web sites….

36. That is Single Sign On

37. OpenID facilitates decentralized single sign on

38. What is “decentralized”???

39. NOT - centralized

40. No central server – or authority

41. Remember Microsoft Passport : That is centralized – there is a central server

42. With OpenID any body can be an OpenID Provider

43. Once again – What is OpenID???

44. OpenID is a URL or an XRI which facilitates decentralized single sign on

45. I enter my OpenID at the RP – how come the RP knows who is my OpenID Provider???

46. The process of getting to know about the corresponding OpenID Provider from a given OpenID is known as ‘Discovery’.

47. Just type your OpenID on the browser http://prabath.myopenid.com

49. BUT… that is not what we wanted – just ‘view source’

50. <link rel=&quot;openid.server&quot; href=&quot;http://www.myopenid.com/server&quot; /> <link rel=&quot;openid2.provider&quot; href=&quot;http://www.myopenid.com/server&quot; />

51. Why there are two tags pointing to the same OpenID Provider URL???

52. openid.server  OpenID 1.1 openid2.provider  OpenID 2.0

53. This form of discovery is know as ‘HTML Based Discovery’

54. What is ‘HTML Based Discovery’ ???

55. Under HTML-Based discovery, an HTML document MUST be available at the URL of the Claimed Identifier and RP retrieves the document with an HTTP GET

56. Within the HEAD element of the document a LINK element MUST be included with attributes &quot;rel&quot; set to &quot;openid2.provider&quot; and &quot;href&quot; set to an OP Endpoint URL

57. That is what we noticed earlier.

58. Any other forms of Discovery other than HTML- Based ???

59. XRDS-Based discovery [will be covered later…]

60. My OpenID is http://prabath.myopenid.com . BUT… I do NOT own that URL… it’s under the control of myOpenID – not mine 

61. This type of Identifiers are known as OP-Local Identifiers

62. What is an OP-Local Identifier???

63. An alternate Identifier for an end user that is local to a particular OP and thus not necessarily under the end user's control.

64. Can I use my own URL as my OpenID ???

65. Of course you can – and that is known as the “Claimed Identifier”

66. What is a Claimed Identifier ???

67. An Identifier that the end user claims to own

68. I own a URL – but I am not an OpenID Provider – can I still use my URL as my OpenID ???

69. YES – you can

70. Say, the URL I own or my claimed identifier is http://www.prabathsiriwardena.com

71. I also have an account with myOpenID and my OP Local identifier is http://prabath.myopenid.com

72. I can use my claimed identifier as my OpenID – by delegating the OpenID Provider functionality to myOpenID

73. <link href='http://www.myopenid.com/server' rel='openid2.provider openid.server'/> <link href='&quot;http://prabath.myopenid.com/' rel='openid2.local_id openid.delegate'/>

74. With this approach we never limited to a single OpenID Provider.

75. If we lost faith on the OpenID Provider we can move to another – but, still keeping the original OpenID

76. I have maintain a single user name/password pair for all my relying party web sites… will OpenID make a difference for me ???

77. Of course in two ways.

78. Even you have the same user name/password for all the relying party web sites – still you need to maintain your profile data in different places.

79. Also, what if you lose your password ? You will lose access to all your relying party web sites.

80. But, isn’t it the case under OpenID as well. If you lose your password to the OpenID Provider you lose access to all relying party web sites depend on the OpenID.

81. No – it’s not.

82. With OpenID – if it is a claimed identifier - you never lose your password.

83. I own a URL – and I use it as my OpenID Claimed Identifier. What if I could not renew my domain name ???? Now somebody else owns it…..

84. You own an OpenID until you can claim the ownership of the URL behind it

85. You lose the ownership of the URL – you lose your OpenID as well

86. BUT…

87. XRI based OpenIDs solve this issue

88. You never lose the ownership of the i-number behind an XRI – so, you never lose your XRI based OpenID

89. What is an XRI ??? What is an i-number ???

90. eXtensible Resource Identifier

91. A Global Unique Identifier [just as Domain Names]

92. URL, Phone Number, Email are concrete identifiers

93. XRI is an abstract identifier

94. Concrete identifiers represent actual resources in a network

95. Abstract identifiers are used to find concrete identifiers

96. XRI is an abstract identifier which can be mapped to concrete identifiers [e.g.: URL, email]

97. XRI syntax defines two forms of XRIs

98. i-names and i-numbers

99. i-names are human-friendly identifiers

100. =prabath

101. i-numbers are typically machine-friendly identifiers

102. =!BFC9.75B7.9B2.11C4

103. i-names, are intended to be re-assignable identifiers just like domain names

104. i-numbers are intended to be persistent

105. If your OpenID is your i-number – you never lose it

106. How an OpenID RP discovers an XRI based OpenID ???

107. XRDS based discovery [which we did not cover earlier]

108. HTML based discovery returns an HTML page [discussed earlier]

109. XRDS based discovery returns an XRDS document

110. eXtensible Resource Descriptor Sequence

111. <?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?> <xrds:XRDS xmlns:xrds=&quot;xri://$xrds&quot; xmlns=&quot;xri://$xrd*($v*2.0)” xmlns:openid=&quot;http://openid.net/xmlns/1.0&quot;> <XRD ref=&quot;xri://=example&quot;> <!-- service section --> <!-- XRI resolution service --> <Service> </Service> <!-- OpenID 2.0 login service --> <Service priority=&quot;10&quot;> </Service> <!-- OpenID 1.1 login service --> <Service priority=&quot;20&quot;> </Service> </XRD>

112. XRDS based discovery – NOT just for XRI based OpenIDs

113. XRDS based discovery – can also be used for URL based OpenID discovery

114. If an URL – XRDS based discovery will use Yadis protocol for discovery

115. If an XRI – XRDS based discovery will use XRI resolution

116. A given XRDS document can define multiple services

117. <!-- XRI resolution service --> <Service> <ProviderID>xri://=!F83.62B1.44F.2813</ProviderID> <Type>xri://$res*auth*($v*2.0)</Type> <MediaType>application/xrds+xml</MediaType> <URI priority=”10”>http://resolve.example.com</URI> <URI priority=”15”>http://resolve2.example.com</URI> <URI>https://resolve.example.com</URI> </Service>

118. <!-- OpenID 2.0 login service --> <Service priority=&quot;10&quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://example.myopenid.com/</LocalID> </Service>

119. <!-- OpenID 1.0 login service --> <Service priority=&quot;20&quot;> <Type>http://openid.net/server/1.0</Type> <URI>http://www.livejournal.com/openid/server.bml</URI> <openid:Delegate> http://www.livejournal.com/users/example/ </openid:Delegate> </Service>

120. What attributes can my RP get from the OpenID Provider ???

121. Under OpenID; attribute flow is defined under two main extensions

122. OpenID Simple Attribute Registration [SReg]

123. OpenID Attribute Exchange [Ax]

124. OpenID Simple Registration allows for very light-weight profile exchange

125. It is designed to pass nine commonly requested pieces of information when an End User goes to register a new account with a web service

126. RP can request the required/optional attributes from the OP with the Authentication request

127. nickname, email, fullname, dob, gender, postcode, country, language, timezone

128. OpenID Attribute Exchange is for exchanging identity information between endpoints

129. Not limited for a predefined set of attributes

130. With AX : not just fetch attributes from the OP – but also can store attributes at the OP

131. Ax defines messages for retrieval [fetch] and storage [store] of identity information

132. “fetch” : retrieves attribute information from an OpenID Provider

133. “store” : saves or updates attribute information on the OpenID Provider

134. Both messages are originated from the RP as an indirect message

135. Under Ax each attribute is identified by an URI

136. There are two popular schemas which define subject identifiers to attributes

137. http://schema.openid.net & http://www.axschema.org

138. Under http://schema.openid.net the attribute “email” is identified as “http://schema.openid.net/contact/email”

139. Under http://www.axschema.org the attribute “email” is identified as “http://axschema.org/contact/email”

140. myOpenID.com supports http://schema.openid.net

141. RP can request the required/optional attributes from the OP with the Authentication request

142. [Demo]: Attribute flow with WSO2 OpenID Demo RP https://is.test.wso2.org/javarp

143. Why Yahoo does NOT trust my RP – while all the other OpenID Providers ???

144. “ This web site has not confirmed it’s identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you certain it is legitimate.”

145. Yahoo supports OpenID 2 and it does OpenID Relying Party Discovery

146. With OpenID RP Discovery, RPs should publish their valid return_to URLs in an XRDS document.

147. To get rid of Yahoo! warning the RP needs to publish this XRDS at the return_to URL.

148. RP discovery also allows any software agent to discover sites that support OpenID

149. Am I correct to say that OpenID is a phishing heaven ???

150. Not really…!!!

151. OpenID does NOT address the problem of phishing

152. To the same extent any of the web sites are exposed to phishing – OpenID too exposed to phishing.

153. There are many approaches taken individually by OpenID Providers to protect their users against phishing.

154. Yahoo Sign In Seal

156. SeatBelt plugin for Firefox

159. Information Card based login

162. Login to OpenID Provider with a bookmark

164. Can OpenID RPs request OpenID Providers to authenticate users in a phishing resistant manner ???

165. YES – they can

166. OpenID Provider Authentication Policy Extension [PAPE]

167. [Demo]: PAPE demo with WSO2 OpenID Demo RP https://is.test.wso2.org/javarp

168. How strong OpenID against Man-in-the-Middle attacks ???

169. This requires explaining what ‘OpenID Association’ is…

170. A given OpenID relying party can be either Dumb or Smart

171. Smart relying parties maintain a shared secret key with the OpenID Provider – while Dumb relying parties maintain no state

172. We talk about ‘OpenID Associations’ only for ‘Smart’ RPs

173. ‘OpenID Association’ takes place just after ‘Discovery’ and establishes ‘Shared Secret Key” between OpenID Relying Party and the OpenID Provider

174. OpenID uses Diffie-Hellman key-exchange to establish the shared secret

175. Diffie-Hellman key-exchange allows two parties to jointly establish a shared secret key over an insecure communications channel

176. ‘Shared Secret Key’ is used to sign subsequent messages exchanged in between OpenID Relying Party and the OpenID Provider

177. ‘OpenID Association’ is a direct communication between OpenID Provider and the RP

178. Under OpenID, HTTP POST is used for all Direct Communications

179. Still we have NOT answered the original question…

180. How strong OpenID against Man-in-the-Middle attacks ???

181. Associations prevent tampering of signed fields by a man in the middle except during discovery, association sessions

182. BUT… if DNS resolution or the transport layer is compromised; signatures on messages are not adequate

183. How do we handle Man-in-the-Middle attacks for discovery and association sessions ???

184. One solution is to build a white-list of OpenID Providers and maintain their public key certificates at the RP end

185. RP performs an XRDS-based discovery and OP returns a digitally signed XRDS document

186. RP verifies the signature

187. ALSO…

188. During an ‘Association’ OP can sign the field ‘assoc_handle’ by it’s private key and RP verifies it once received

189. How good OpenID at handling DoS attacks ???

190. Within the protocol there are places where a rogue RP could launch a denial of service attack against an OP

191. This can be done by the RP repeatedly requesting associations, authentication, or verification of a signature

192. There is nothing in OpenID protocol messages that allows the OP to quickly check that it is a genuine request

193. White-listing RPs is not a good solution

194. OpenID Providers can easily use generic IP based rate-limiting and banning techniques to help combat these sorts of attacks and black list RPs

195. It’s hard to remember a whole URL as an OpenID ???

196. [ Source : http://www.ldap.com/1/commentary/wahl/20070220_01.shtml ]

199. Finally….

200. The complete OpenID Protocol flow…

201. The end user initiates authentication (Initiation) by presenting a User-Supplied Identifier to the Relying Party via their User-Agent http://subject.myopenid.com

202. The Relying Party performs discovery (Discovery) on the identifier and establishes the OP Endpoint URL that the end user uses for authentication

203. (optional) The Relying Party and the OP establish an association (Establishing Associations) Association request Association response

204. The OP uses an association to sign subsequent messages and the Relying Party to verify those messages

205. The Relying Party redirects the end user's User-Agent to the OP with an OpenID Authentication request (Requesting Authentication)

206. End user authenticates to the OP authenticate

207. The OP redirects the end user's User-Agent back to the Relying Party with either an assertion that authentication is approved (Positive Assertions) or a message that authentication failed (Negative Assertions).

208. The Relying Party verifies (Verifying Assertions) the information received from the OP

209. Useful Links http://openid.net http://www.openidbook.com/ OpenID mailing list : http://openid.net/mailman/listinfo/general AxShema mail group: http://groups.google.com/group/axschema Blogs: http://www.blogged.com/tag/openid My blog: http://facilelogin.com WSO2 Identity Solution download page: http://wso2.org/projects/solutions/identity WSO2 OpenID Demo OP : https://is.test.wso2.org WSO2 OpenID Demo RP : https://is.test.wso2.org/javarp

210. Next Webinar…. On 17 th June Introducing WSO2 ESB 1.7 Now open for registration… http://wso2.com/about/news/esb-webinar-june-17/

211. Questions… Thank you…!